CN108734007A - A processing method and device for monitoring an application - Google Patents

A processing method and device for monitoring an application

Info

Publication number
CN108734007A
CN108734007A (application CN201710240393.7A)
Authority
CN
China
Prior art keywords
application program
behavior
sensitive behavior
function parameter
sensitive
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710240393.7A
Other languages
Chinese (zh)
Inventor
罗汉斌
阿曼太
傅强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Heng Jia Jia (beijing) Technology Co Ltd
China Mobile Group Shanghai Co Ltd
Eversec Beijing Technology Co Ltd
Original Assignee
Heng Jia Jia (beijing) Technology Co Ltd
China Mobile Group Shanghai Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Heng Jia Jia (beijing) Technology Co Ltd, China Mobile Group Shanghai Co Ltd
Priority to CN201710240393.7A
Publication of CN108734007A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Quality & Reliability (AREA)
  • Computer Hardware Design (AREA)
  • Debugging And Monitoring (AREA)

Abstract

An embodiment of the invention provides a processing method and device for monitoring an application. The method includes: while a virtual machine loaded with modified system source code runs the application, extracting the function parameters of the calls made by the application; and, according to a pre-stored policy matching file and the function parameters, monitoring the running process of the application to obtain the sensitive behaviors exhibited while the application runs. The device carries out the above method. The monitoring method provided by the embodiment can monitor the whole running process of an application and comprehensively obtain the sensitive operation behaviors exhibited during its run.

Description

A processing method and device for monitoring an application
Technical field
Embodiments of the invention relate to the field of virtual machine technology, and in particular to a processing method and device for monitoring an application.
Background technology
With the development of mobile communication technology, more and more applications run on mobile terminals, and some viruses and trojans use applications to spy on people's privacy, seriously affecting their normal lives. Monitoring applications in order to identify whether a mobile terminal is running an abnormal application has therefore become particularly important.
Existing methods of monitoring applications (taking Android as an example) include the following. The application (Android Package, hereinafter APK) is decompiled, logcat output is inserted at the call sites of sensitive application programming interfaces (APIs), the APK is repackaged, installed and run on a mobile terminal or virtual machine, and abnormal applications are identified by monitoring the logcat output during execution. This method only works for early applications: most current applications are packed and hardened, or carry anti-decompilation and anti-repackaging mechanisms, which defeat it. Another existing method hooks the system's Java interfaces (a hook is a program segment that handles messages, is called by the system and is linked into it) to obtain the application's behavior in real time; however, it can only monitor operations the application performs after the hook takes effect, and it cannot monitor sensitive operations at the NDK (Native Development Kit) layer.
How to monitor the whole running process of an application and comprehensively obtain its sensitive operation behavior at runtime has therefore become a problem to be solved.
Invention content
In view of the problems in the existing technology, embodiments of the invention provide a processing method and device for monitoring an application.
In one aspect, an embodiment of the invention provides a method for monitoring an application, the method comprising:
while a virtual machine loaded with modified system source code runs the application, extracting the function parameters of the calls made by the application;
according to a pre-stored policy matching file and the function parameters, monitoring the running process of the application to obtain the sensitive behaviors exhibited while the application runs.
In another aspect, an embodiment of the invention provides a device for monitoring an application, the device comprising:
an extraction unit, for extracting the function parameters of the calls made by the application while a virtual machine loaded with modified system source code runs the application;
a monitoring unit, for monitoring the running process of the application according to a pre-stored policy matching file and the function parameters, to obtain the sensitive behaviors exhibited while the application runs.
The method for monitoring an application provided by the embodiment can monitor the whole running process of the application and comprehensively obtain its sensitive operation behaviors at runtime.
Description of the drawings
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow diagram of the method for monitoring an application according to an embodiment of the invention;
Fig. 2 is a structural diagram of the device for monitoring an application according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the physical structure of the device provided by an embodiment of the invention.
Specific implementation mode
To make the objects, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Fig. 1 is a flow diagram of the method for monitoring an application according to an embodiment of the invention. As shown in Fig. 1, the method comprises the following steps:
S1: While a virtual machine loaded with modified system source code runs the application, extract the function parameters of the calls made by the application.
Specifically, the device extracts the function parameters of the application's calls while the virtual machine loaded with the modified system source code runs the application. Note that a virtual machine whose system source code has not been modified cannot extract the function parameters of the calls made by an application (Android Package, hereinafter APK). The function parameters may include the function's input values and return value; different APKs correspond to different function parameters. The original system consists of an application layer, a framework layer, a runtime layer and a kernel layer. At the position in the framework layer that corresponds to the APK to be monitored, a monitoring point is determined and the modified system source code is written there; because the framework layer is connected to the NDK layer, sensitive behavior at the NDK layer can be monitored as well. Unless otherwise stated, "the application" in the embodiments refers to the application to be monitored. Taking the retrieval of the phone's installed-application list as an example, the modification of the system source code is illustrated as follows:
Get the list of installed applications:
Landroid/app/ApplicationPackageManager;
List<PackageInfo> getInstalledPackages(int flags); obtains the list of installed applications
\android\frameworks\base\core\java\android\app\ApplicationPackageManager.java
Here the first line is the monitoring point corresponding to the application to be monitored, the second line is the function that the application calls, and the third line is the path and file in which the modified system source code is written. It can be seen that "frameworks" in the path corresponds to the framework layer of the original system source code; different monitoring points require different monitoring code to be written at different paths. The monitoring points, called functions and source paths for the other applications to be monitored are listed below in the same form and are not described in further detail.
Create a new process:
Ljava/lang/ProcessBuilder;
start(); creates a new process
\libcore\luni\src\main\java\java\lang;
Initialize an Intent:
Landroid/content/Intent;
Intent (constructor); initializes an Intent
\android\frameworks\base\core\java\android\content\Intent.java;
Call an Intent's setAction:
Landroid/content/Intent;
setAction; calls the Intent's setAction
\android\frameworks\base\core\java\android\content\Intent.java;
Add a floating window:
Landroid/view/WindowManager;
LayoutParams; adds a floating window
\android\frameworks\base\core\java\android\view\WindowManager.java;
Wake the locked screen:
Landroid/os/PowerManager;
wakeUp(); wakes the locked screen
\android\frameworks\base\core\java\android\os\PowerManager.java;
Detect whether the phone is in standby (keyguard) mode:
Landroid/app/KeyguardManager;
inKeyguardRestrictedInputMode(); detects whether the phone is in standby mode
\android\frameworks\base\core\java\android\app\KeyguardManager.java;
Use SSL secure communication:
Ljavax/net/ssl/SSLContext;
getInstance("TLS"); uses SSL secure communication
\android\libcore\luni\src\main\java\javax\net\ssl\SSLContext.java;
Obtain a cipher instance:
Ljavax/crypto/Cipher;
getInstance("DES"); obtains a cipher instance
\android\libcore\luni\src\main\java\javax\crypto\Cipher.java;
Call a hash algorithm:
Ljava/security/MessageDigest;
getInstance("MD5"); calls a hash algorithm
\android\libcore\luni\src\main\java\java\security\MessageDigest.java;
Search other files:
Ljava/io/File;
File.list(); lists other files
libcore/luni/src/main/java/java/io/File.java;
Dynamically register a receiver:
Landroid/content/ContextWrapper;
registerReceiver(myReceiver, filter); dynamically registers a receiver
\android\frameworks\base\core\java\android\content\ContextWrapper.java;
Obtain the first header, last header or all headers (cookies):
Lorg/apache/http/message/AbstractHttpMessage;
getFirstHeader("Set-Cookie"); getLastHeader("Set-Cookie"); getHeaders("Set-Cookie"); obtain cookies
\external\apache-http\src\org\apache\http\message\AbstractHttpMessage.java;
Start an Activity:
Landroid/app/Activity;
startActivity(Intent intent); starts an Activity
\android\frameworks\base\core\java\android\app\Activity.java;
Interface overlay detection:
Landroid/widget/Toast;
makeText; interface overlay detection
\android\frameworks\base\core\java\android\widget\Toast.java;
Before step S1, to ensure that the virtual machine with the modified system source code starts normally, the following debugging tests are also required:
(1) Compile the modified system source code. After a successful compilation, the system image files userdata.img, system.img and ramdisk.img are generated under the /out/target/product/generic directory; then compile the Android kernel source code, which on success produces the kernel image file kernel-qemu.
(2) Overwrite the files of the same name in the original system-image directory of the Android Software Development Kit (SDK). If the modified source code is system version 4.4.2, the corresponding API level is android-19, so userdata.img, system.img, ramdisk.img and kernel-qemu under android-sdk-linux/system-images/android-19/default/armeabi-v7a must be replaced with the newly compiled image files.
(3) Run the AVD Manager tool, create an AVD emulator and run it. If the virtual machine starts normally, the modified system source code is considered to have been implanted successfully; otherwise the problem must be investigated, the system source code modified again and the above steps repeated until the virtual machine starts normally.
S2: According to a pre-stored policy matching file and the function parameters, monitor the running process of the application to obtain the sensitive behaviors exhibited while the application runs.
Specifically, the device monitors the application's running process according to the pre-stored policy matching file and the function parameters, to obtain the sensitive behaviors exhibited while the application runs. Note that the policy matching file may include sample features of sensitive behavior; the sample features can be obtained by training on samples and reflect the inherent characteristics of sensitive behavior. Sensitive behaviors may include those related to virtual machine detection shielding, network behavior, file operations, privacy behavior, network applications, system processes, etc., as described in more detail in Table 1:
Table 1
The sensitive-behavior monitoring function records the APK's calls to system APIs together with the corresponding call information. Analysis of known sensitive behavior shows that it is concentrated mainly in background networking, database operations, background message sending and theft of user privacy; each of these behaviors is implemented through corresponding system APIs, so an APK calling such an API indicates that it has triggered that kind of sensitive behavior. Examples follow:
Network behavior monitoring:
Android offers many ways of networking, including sockets and URLs, with APIs such as HttpGet and HttpPost. When an APK triggers networking behavior, networking information such as the URL can be obtained.
Message sending monitoring:
The APIs for sending text messages in Android mainly include sendText and sendDataMessage. When an APK triggers message sending, the destination address and the content of the message can be obtained.
Database operation monitoring:
Some application data in Android, such as contacts and call records, is generally kept in local databases. Database operations are mainly carried out through the query, insert, delete and update APIs of the ContentResolver class; when an APK operates on a database, the operation performed and the name of the database can be obtained.
User privacy theft monitoring:
The user privacy obtained by malicious APKs mainly includes the user's phone number, IMEI and location; the corresponding Android APIs include getLine1Number and getDeviceId. When an APK performs these sensitive behaviors, a corresponding record is made.
The method for monitoring an application provided by the embodiment can monitor the whole running process of the application and comprehensively obtain its sensitive operation behaviors at runtime.
On the basis of the above embodiments, monitoring the running process of the application according to the pre-stored policy matching file and the function parameters, to obtain its sensitive behaviors at runtime, includes:
sending the function parameters to a log output module, the log output module storing the policy matching file in advance, the policy matching file including sensitive-behavior sample features.
Specifically, the device sends the function parameters to the log output module, which stores the policy matching file in advance; the policy matching file includes sensitive-behavior sample features. Note that the log output module can store the acquired function parameters, and the comparison of the sample features against the parsed function parameters can be carried out in the log output module.
Parsing the function parameters in the log output module, and comparing the parsing result of the function parameters with the sensitive-behavior sample features.
Specifically, the device parses the function parameters in the log output module and compares the parsing result with the sensitive-behavior sample features. Parsing is illustrated as follows: record all sensitive APIs called by the APK together with their function parameters, and at the same time record the UID of the process that performed the behavior, so that the APK that issued it can be identified; all log information is then collected through logcat and the shell and parsed.
Obtaining the sensitive behaviors of the application at runtime according to the result of the comparison.
Specifically, the device obtains the sensitive behaviors of the application at runtime according to the comparison result. The parsing result is compared with the sensitive-behavior sample features: if a sample feature matches the parsing result, the APK is considered to have produced sensitive behavior at runtime, for example sending a text message or obtaining the user's phone number; if the sample features and the parsing result do not match, the APK is considered not to have produced sensitive behavior at runtime.
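Added example (not code from the patent or its assignees): a Python implementation of the log output module's parse-and-compare step described above, applied to the behavior categories of Table 1 and the API examples given under S2. It assumes a record format in which the instrumented framework writes one logcat line per monitored call carrying the process UID, the monitoring point (class descriptor plus method) and the input and return values as JSON; the patent fixes no such format, and the class descriptors for TelephonyManager, SmsManager and HttpPost, the package names, UIDs and log lines are all constructed here. The policy file is expressed as a list of rules rather than learned sample features; a rule can constrain an input value (so Cipher.getInstance("DES") is flagged but an AES request is not) or the return value (so an all-zero IMEI returned by getDeviceId is additionally recorded as a possible virtual-machine check, a heuristic that is our assumption).

```python
"""Parse function-parameter records from an instrumented Android framework and
match them against a policy file (added example; formats are assumptions)."""
import json
import re
from collections import defaultdict

# One record per monitored call: process UID (identifies the APK), the
# monitoring point "Lclass;method" and the input/return values as JSON.
# This line format is assumed; the patent only says logcat output is parsed.
LINE_RE = re.compile(
    r"^MON uid=(?P<uid>\d+) api=(?P<api>\S+) in=(?P<inp>.*) ret=(?P<ret>.*)$")

# Policy matching file (assumed structure): each rule names a monitoring point
# and the behaviour category it reveals. "arg"/"pattern" constrain one input
# value, "ret" constrains the JSON-encoded return value, so the same API can
# be classified differently depending on its parameters.
POLICY = [
    {"category": "privacy", "api": "Landroid/telephony/TelephonyManager;getLine1Number"},
    {"category": "privacy", "api": "Landroid/telephony/TelephonyManager;getDeviceId"},
    # The stock emulator reports an all-zero IMEI; reading it is a common
    # virtual-machine probe (heuristic, our assumption).
    {"category": "vm detection", "api": "Landroid/telephony/TelephonyManager;getDeviceId",
     "ret": r'^"0{15}"$'},
    {"category": "send message", "api": "Landroid/telephony/SmsManager;sendTextMessage"},
    {"category": "database", "api": "Landroid/content/ContentResolver;query",
     "arg": 0, "pattern": r"^content://com\.android\.contacts/"},
    {"category": "network", "api": "Lorg/apache/http/client/methods/HttpPost;<init>"},
    {"category": "weak crypto", "api": "Ljavax/crypto/Cipher;getInstance",
     "arg": 0, "pattern": r"^(DES|RC4)\b"},
    {"category": "weak crypto", "api": "Ljava/security/MessageDigest;getInstance",
     "arg": 0, "pattern": r"^MD5$"},
    {"category": "system process",
     "api": "Landroid/app/ApplicationPackageManager;getInstalledPackages"},
]


def parse_record(line):
    """Return a dict for one monitoring record, or None for ordinary logcat noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"uid": int(m.group("uid")), "api": m.group("api"),
            "inputs": json.loads(m.group("inp")), "ret": json.loads(m.group("ret"))}


def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def rule_matches(rule, rec):
    if rule["api"] != rec["api"]:
        return False
    if "arg" in rule:
        inputs = rec["inputs"]
        if rule["arg"] >= len(inputs) or not re.search(rule["pattern"], str(inputs[rule["arg"]])):
            return False
    if "ret" in rule and not re.search(rule["ret"], json.dumps(rec["ret"])):
        return False
    return True


def match_policy(records, policy):
    """Compare every parsed record with the policy; one finding per matching rule."""
    findings = []
    for rec in records:
        detail = "%s(%s) -> %s" % (rec["api"], json.dumps(rec["inputs"]), json.dumps(rec["ret"]))
        for rule in policy:
            if rule_matches(rule, rec):
                findings.append({"uid": rec["uid"], "category": rule["category"], "detail": detail})
    return findings


def build_report(findings, uid_to_package):
    """Group findings per APK (resolved from its UID) and per behaviour category."""
    report = defaultdict(lambda: defaultdict(list))
    for f in findings:
        pkg = uid_to_package.get(f["uid"], "uid:%d" % f["uid"])
        report[pkg][f["category"]].append(f["detail"])
    return {pkg: dict(cats) for pkg, cats in report.items()}


def analyze(log_text, policy, uid_to_package):
    return build_report(match_policy(parse_log(log_text), policy), uid_to_package)


# Constructed sample: two APKs (UIDs 10057 and 10058) plus one unrelated logcat line.
UID_TO_PACKAGE = {10057: "com.example.flashlight", 10058: "com.example.wallet"}
SAMPLE_LOG = """\
I/ActivityManager(  512): Start proc com.example.flashlight for activity ...
MON uid=10057 api=Landroid/telephony/TelephonyManager;getLine1Number in=[] ret="+8613800138000"
MON uid=10057 api=Landroid/telephony/TelephonyManager;getDeviceId in=[] ret="000000000000000"
MON uid=10057 api=Landroid/telephony/SmsManager;sendTextMessage in=["10086", null, "CXLL", null, null] ret=null
MON uid=10057 api=Landroid/content/ContentResolver;query in=["content://com.android.contacts/contacts", null, null, null, null] ret="Cursor@1a2b"
MON uid=10058 api=Lorg/apache/http/client/methods/HttpPost;<init> in=["http://203.0.113.7/upload"] ret=null
MON uid=10058 api=Ljavax/crypto/Cipher;getInstance in=["AES/CBC/PKCS5Padding"] ret="Cipher@3c4d"
MON uid=10058 api=Ljava/security/MessageDigest;getInstance in=["MD5"] ret="MessageDigest@5e6f"
MON uid=10058 api=Landroid/app/ApplicationPackageManager;getInstalledPackages in=[0] ret=["com.android.settings", "com.example.flashlight"]
"""

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG, POLICY, UID_TO_PACKAGE), indent=2))
```

Run stand-alone, the script prints the per-package report. The UID-to-package mapping is what ties each finding back to the APK that produced it, which is why the parsing step records the process UID alongside the API and its parameters; in a real deployment that mapping would come from the package manager of the instrumented image rather than a constant.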
The method for monitoring an application provided by the embodiment, by performing feature comparison in the log output module, monitors the whole running process of the application more automatically and comprehensively obtains its sensitive operation behaviors at runtime.
On the basis of the above embodiments, after obtaining the sensitive behaviors of the application at runtime according to the comparison result, the method further includes:
generating the acquired sensitive behaviors and the policy matching file in the same report.
Specifically, the device generates the acquired sensitive behaviors and the policy matching file in the same report. The report can be viewed online or downloaded for offline use, which makes it convenient to query and manage the sensitive behaviors.
The method for monitoring an application provided by the embodiment generates a single report containing both the sensitive behaviors and the policy matching file, which facilitates querying and managing the sensitive behaviors.
On the basis of the above embodiments, the function parameters include the input values and return value of the function.
Specifically, the function parameters in the device include the input values and return value of the function; reference may be made to the embodiments above, which are not repeated here.
The method for monitoring an application provided by the embodiment realizes monitoring of the application by extracting the input values and return value among the function parameters.
On the basis of the above embodiments, the sensitive behaviors include sensitive behavior related to virtual machine detection shielding, sensitive network behavior, sensitive file operations, sensitive privacy behavior, sensitive behavior of network applications and sensitive behavior of system processes.
Specifically, the sensitive behaviors in the device include sensitive behavior related to virtual machine detection shielding, sensitive network behavior, sensitive file operations, sensitive privacy behavior, sensitive behavior of network applications and sensitive behavior of system processes; reference may be made to the embodiments above, which are not repeated here.
The method for monitoring an application provided by the embodiment can determine more specific sensitive behaviors.
Fig. 2 is a structural diagram of the device for monitoring an application according to an embodiment of the invention. As shown in Fig. 2, the embodiment provides a device for monitoring an application, comprising an extraction unit 1 and a monitoring unit 2, wherein:
the extraction unit 1 is used to extract the function parameters of the calls made by the application while a virtual machine loaded with modified system source code runs the application, and the monitoring unit 2 is used to monitor the running process of the application according to a pre-stored policy matching file and the function parameters, to obtain the sensitive behaviors exhibited while the application runs.
Specifically, the extraction unit 1 extracts the function parameters of the application's calls while the virtual machine loaded with the modified system source code runs the application and sends them to the monitoring unit 2; the monitoring unit 2 monitors the application's running process according to the pre-stored policy matching file and the function parameters, to obtain the sensitive behaviors exhibited while the application runs.
The device for monitoring an application provided by the embodiment can monitor the whole running process of the application and comprehensively obtain its sensitive operation behaviors at runtime.
On the basis of the above embodiments, the monitoring unit 2 is specifically used to:
send the function parameters to a log output module, the log output module storing the policy matching file in advance, the policy matching file including sensitive-behavior sample features; parse the function parameters in the log output module and compare the parsing result of the function parameters with the sensitive-behavior sample features; and obtain the sensitive behaviors of the application at runtime according to the result of the comparison.
The device for monitoring an application provided by the embodiment, by performing feature comparison in the log output module, monitors the whole running process of the application more automatically and comprehensively obtains its sensitive operation behaviors at runtime.
On the basis of the above embodiments, the monitoring unit 2 is further used to:
generate the acquired sensitive behaviors and the policy matching file in the same report.
The device for monitoring an application provided by the embodiment generates a single report containing both the sensitive behaviors and the policy matching file, which facilitates querying and managing the sensitive behaviors.
On the basis of the above embodiments, the function parameters include the input values and return value of the function.
Specifically, the function parameters in the monitoring unit 2 include the input values and return value of the function.
The device for monitoring an application provided by the embodiment realizes monitoring of the application by extracting the input values and return value among the function parameters.
On the basis of the above embodiments, the sensitive behaviors include sensitive behavior related to virtual machine detection shielding, sensitive network behavior, sensitive file operations, sensitive privacy behavior, sensitive behavior of network applications and sensitive behavior of system processes.
Specifically, the sensitive behaviors in the monitoring unit 2 include sensitive behavior related to virtual machine detection shielding, sensitive network behavior, sensitive file operations, sensitive privacy behavior, sensitive behavior of network applications and sensitive behavior of system processes.
The device for monitoring an application provided by the embodiment can determine more specific sensitive behaviors.
The device for monitoring an application provided by the embodiment can be used to execute the processing flow of the method embodiments above; its functions are not described again here, and reference may be made to the detailed description of the method embodiments.
Fig. 3 is device entity structural schematic diagram provided in an embodiment of the present invention, as shown in figure 3, described device includes:Processing Device (processor) 301, memory (memory) 302 and bus 303;
Wherein, the processor 301, memory 302 complete mutual communication by bus 303;
The processor 301 is used to call the program instruction in the memory 302, to execute above-mentioned each method embodiment The method provided, such as including:During the virtual machine after being loaded with modification system source code runs the application program, The function parameter of the application program is called in extraction;It is right according to pre-stored strategy matching file and the function parameter The operational process of the application program is monitored, to obtain the sensitive behavior when application program is run.
The present embodiment discloses a kind of computer program product, and the computer program product includes being stored in non-transient calculating Computer program on machine readable storage medium storing program for executing, the computer program include program instruction, when described program instruction is calculated When machine executes, computer is able to carry out the method that above-mentioned each method embodiment is provided, such as including:It is being loaded with modification system During virtual machine after source code runs the application program, the function parameter of the application program is called in extraction;According to pre- The strategy matching file and the function parameter first stored, is monitored the operational process of the application program, to obtain Sensitive behavior when the application program operation.
The present embodiment provides a kind of non-transient computer readable storage medium, the non-transient computer readable storage medium Computer instruction is stored, the computer instruction makes the computer execute the method that above-mentioned each method embodiment is provided, example Such as include:During the virtual machine after being loaded with modification system source code runs the application program, answered described in extraction calling With the function parameter of program;According to pre-stored strategy matching file and the function parameter, to the application program Operational process is monitored, to obtain the sensitive behavior when application program is run.
One of ordinary skill in the art will appreciate that all or part of the steps of the method embodiments described above may be completed by hardware under the direction of program instructions. Such a program may be stored in a computer-readable storage medium; when the program is executed, it performs the steps of the method embodiments described above. The storage medium includes any medium capable of storing program code, such as ROM, RAM, a magnetic disk or an optical disk.
The device embodiments described above are only schematic. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. A person of ordinary skill in the art can understand and implement it without creative effort.
From the description of the embodiments above, those skilled in the art can clearly understand that each embodiment may be implemented by software together with a necessary general-purpose hardware platform, or alternatively by hardware. On the basis of this understanding, the technical solution above, or the part of it that contributes over the existing technology, may in essence be embodied in the form of a software product. That computer software product may be stored in a computer-readable storage medium, such as ROM/RAM, a magnetic disk or an optical disk, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the embodiments above serve only to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A processing method for monitoring an application program, characterized in that it comprises:
while a virtual machine loaded with the modified system source code runs the application program, extracting the function parameters of the functions called by the application program; and
monitoring the running process of the application program according to a pre-stored strategy matching file and the function parameters, so as to obtain the sensitive behaviors exhibited while the application program runs.
2. The method according to claim 1, characterized in that monitoring the running process of the application program according to the pre-stored strategy matching file and the function parameters, so as to obtain the sensitive behaviors exhibited while the application program runs, comprises:
sending the function parameters to a journal output module, the journal output module having the strategy matching file stored in advance, the strategy matching file comprising sensitive behavior sample features;
parsing the function parameters in the journal output module and comparing the parsing result of the function parameters with the sensitive behavior sample features; and
obtaining the sensitive behaviors exhibited while the application program runs according to the result of the comparison.
3. The method according to claim 2, characterized in that, after obtaining the sensitive behaviors exhibited while the application program runs according to the result of the comparison, the method further comprises:
generating a single report containing both the sensitive behaviors obtained and the strategy matching file.
4. The method according to claim 1, characterized in that the function parameters comprise the input values and the return value of the function.
5. The method according to claim 1, characterized in that the sensitive behaviors comprise: sensitive behaviors directed at virtual-machine detection and shielding, sensitive network behaviors, sensitive file operations, sensitive privacy behaviors, sensitive behaviors of network applications, and sensitive behaviors of system processes.
6. A processing device for monitoring an application program, characterized in that it comprises:
an extraction unit, configured to extract the function parameters of the functions called by the application program while a virtual machine loaded with the modified system source code runs the application program; and
a monitoring unit, configured to monitor the running process of the application program according to a pre-stored strategy matching file and the function parameters, so as to obtain the sensitive behaviors exhibited while the application program runs.
7. The device according to claim 6, characterized in that the monitoring unit is specifically configured to:
send the function parameters to a journal output module, the journal output module having the strategy matching file stored in advance, the strategy matching file comprising sensitive behavior sample features;
parse the function parameters in the journal output module and compare the parsing result of the function parameters with the sensitive behavior sample features; and
obtain the sensitive behaviors exhibited while the application program runs according to the result of the comparison.
8. The device according to claim 7, characterized in that the monitoring unit is further specifically configured to:
generate a single report containing both the sensitive behaviors obtained and the strategy matching file.
9. The device according to claim 6, characterized in that the function parameters comprise the input values and the return value of the function.
10. The device according to claim 6, characterized in that the sensitive behaviors comprise: sensitive behaviors directed at virtual-machine detection and shielding, sensitive network behaviors, sensitive file operations, sensitive privacy behaviors, sensitive behaviors of network applications, and sensitive behaviors of system processes.
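Claims 1 to 5 describe one pipeline: the modified-system virtual machine extracts the input values and return value of each function the application calls, a journal output module parses those parameters and compares them with the sensitive behavior sample features held in a pre-stored strategy matching file, and the matched behaviors are written into one report together with that strategy file. The Python below is an added illustration of that pipeline, written for this page and not taken from the patent or from any implementation by the applicants. The call records and the strategy file are constructed inline; the function names, feature patterns and category keys (which follow the six categories of claim 5) are assumptions made for the example.

```python
"""Added example (not from the patent): a minimal model of the claimed pipeline.

CALL_LOG stands in for the function parameters the modified-system virtual
machine extracts while the application runs, and STRATEGY_FILE stands in for
the pre-stored strategy matching file. Both are constructed for this example;
the function names, feature patterns and category names are assumptions.
"""
import json
import re

# Constructed: one record per monitored call, with input values and return value (claim 4).
CALL_LOG = [
    {"func": "Build.getprop", "args": ["ro.kernel.qemu"], "ret": "1"},
    {"func": "File.open", "args": ["/data/data/com.example/shared_prefs/acct.xml", "w"], "ret": 0},
    {"func": "TelephonyManager.getDeviceId", "args": [], "ret": "356938035643809"},
    {"func": "Socket.connect", "args": ["198.51.100.23", 8080], "ret": 0},
    {"func": "HttpURLConnection.open", "args": ["http://example.invalid/upload"], "ret": 200},
    {"func": "Runtime.exec", "args": ["su"], "ret": 1},
    {"func": "Math.max", "args": [1, 2], "ret": 2},
]

# Constructed: strategy matching file. Each category (claim 5) lists sample
# features; a feature is a regex on the function name plus an optional regex
# that at least one input value must match.
STRATEGY_FILE = {
    "vm_detection": [{"func": r"Build\.getprop", "arg": r"ro\.kernel\.qemu|ro\.hardware"}],
    "network_behavior": [{"func": r"Socket\.connect"}],
    "file_operation": [{"func": r"File\.open", "arg": r"^/data/"}],
    "privacy_behavior": [{"func": r"TelephonyManager\.getDeviceId|LocationManager\."}],
    "network_application": [{"func": r"HttpURLConnection\.open", "arg": r"^http://"}],
    "system_process": [{"func": r"Runtime\.exec", "arg": r"^(su|chmod|mount)$"}],
}


def parse_parameters(entry):
    """Journal output module, step 1: normalise a raw call record into
    (function name, list of stringified input values, stringified return value)."""
    return entry["func"], [str(a) for a in entry["args"]], str(entry["ret"])


def match_features(func, args, strategy):
    """Journal output module, step 2: compare one parsed call against every
    sample feature and return the categories that matched."""
    hits = []
    for category, features in strategy.items():
        for feat in features:
            if not re.fullmatch(feat["func"], func):
                continue
            if "arg" in feat and not any(re.search(feat["arg"], a) for a in args):
                continue
            hits.append(category)
            break  # one hit per category is enough
    return hits


def monitor(call_log, strategy):
    """Claims 1-2: run every extracted parameter set through parse + compare
    and collect the sensitive behaviours observed during the run."""
    behaviours = []
    for entry in call_log:
        func, args, ret = parse_parameters(entry)
        for category in match_features(func, args, strategy):
            behaviours.append({"category": category, "func": func, "args": args, "ret": ret})
    return behaviours


def build_report(behaviours, strategy):
    """Claim 3: emit the observed behaviours and the strategy file in one report,
    so the reader can see which rule produced each finding."""
    return json.dumps({"strategy_matching_file": strategy, "sensitive_behaviors": behaviours}, indent=2)


if __name__ == "__main__":
    print(build_report(monitor(CALL_LOG, STRATEGY_FILE), STRATEGY_FILE))
```

Keeping the strategy file in the report (claim 3) is what makes a finding reviewable later: an analyst can tell whether a behavior was flagged by an overly broad feature rather than by the application's own conduct. The benign `Math.max` record is included to show that calls matching no feature leave no trace in the result.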
CN201710240393.7A 2017-04-13 2017-04-13 A kind of processing method and processing device of monitoring application program Pending CN108734007A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710240393.7A CN108734007A (en) 2017-04-13 2017-04-13 A kind of processing method and processing device of monitoring application program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710240393.7A CN108734007A (en) 2017-04-13 2017-04-13 A kind of processing method and processing device of monitoring application program

Publications (1)

Publication Number Publication Date
CN108734007A true CN108734007A (en) 2018-11-02

Family

ID=63924467

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710240393.7A Pending CN108734007A (en) 2017-04-13 2017-04-13 A kind of processing method and processing device of monitoring application program

Country Status (1)

Country Link
CN (1) CN108734007A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109992489A (en) * 2018-12-29 2019-07-09 上海连尚网络科技有限公司 It is a kind of for monitoring the method and apparatus for the process performing applied in user equipment
CN110430177A (en) * 2019-07-26 2019-11-08 北京智游网安科技有限公司 A kind of monitoring method, intelligent terminal and the storage medium of APP network behavior
CN112784272A (en) * 2021-01-26 2021-05-11 京东数字科技控股股份有限公司 Application program processing method and device, electronic equipment, system and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104182688A (en) * 2014-08-26 2014-12-03 北京软安科技有限公司 Android malicious code detection device and method based on dynamic activation and behavior monitoring
US20150227746A1 (en) * 2014-02-07 2015-08-13 Northwestern University System and Method for Privacy Leakage Detection and Prevention System without Operating System Modification
CN105488388A (en) * 2015-12-22 2016-04-13 中软信息系统工程有限公司 Method for implementing application software behavior monitoring system based on CPU temporal-spatial isolation mechanism
CN105550585A (en) * 2016-03-02 2016-05-04 腾讯科技(深圳)有限公司 Application security testing method, device and system
CN105975858A (en) * 2015-12-08 2016-09-28 武汉安天信息技术有限责任公司 Method and system for malicious code detection based on virtual technology in Android system

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150227746A1 (en) * 2014-02-07 2015-08-13 Northwestern University System and Method for Privacy Leakage Detection and Prevention System without Operating System Modification
CN104182688A (en) * 2014-08-26 2014-12-03 北京软安科技有限公司 Android malicious code detection device and method based on dynamic activation and behavior monitoring
CN105975858A (en) * 2015-12-08 2016-09-28 武汉安天信息技术有限责任公司 Method and system for malicious code detection based on virtual technology in Android system
CN105488388A (en) * 2015-12-22 2016-04-13 中软信息系统工程有限公司 Method for implementing application software behavior monitoring system based on CPU temporal-spatial isolation mechanism
CN105550585A (en) * 2016-03-02 2016-05-04 腾讯科技(深圳)有限公司 Application security testing method, device and system

Similar Documents

Publication Publication Date Title
CN110855676B (en) Network attack processing method and device and storage medium
US10289837B2 (en) Log information generation apparatus and recording medium, and log information extraction apparatus and recording medium
CN104885092B (en) Security system and method for operating system
CN104239786B (en) Exempt from ROOT Initiative Defenses collocation method and device
Eder et al. Ananas-a framework for analyzing android applications
US9229758B2 (en) Passive monitoring of virtual systems using extensible indexing
CN105074718A (en) On-line behavioral analysis engine in mobile device with multiple analyzer model providers
Huang et al. Ontology-based intelligent system for malware behavioral analysis
CN104994104A (en) Server fingerprint mimicry and sensitive information mimicry method based on WEB security gateway
CN104239797B (en) Active defense method and device
CN106815524B (en) Malicious script file detection method and device
CN109614203B (en) Android application cloud data evidence obtaining and analyzing system and method based on application data simulation
CN108734007A (en) A kind of processing method and processing device of monitoring application program
Faruki et al. Droidanalyst: Synergic app framework for static and dynamic app analysis
Sun et al. Real-time behavior analysis and identification for Android application
Kandukuru et al. Android malicious application detection using permission vector and network traffic analysis
JP2011233081A (en) Application determination system and program
KR101431192B1 (en) Method for Rooting Attack Events Detection on Mobile Device
Stirparo et al. In-memory credentials robbery on android phones
CN112528296B (en) Vulnerability detection method and device, storage medium and electronic equipment
CN112333171B (en) Service data processing method and device and computer equipment
CN106953874B (en) Website falsification-proof method and device
US20240054210A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
CN104158812B (en) The method of controlling security and system of a kind of terminal applies
CN110837612B (en) Uniform Resource Identifier (URI) data acquisition method and device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181102