CN113395242A - Packet capturing method and device for application data packet and computing equipment - Google Patents


Info

Publication number: CN113395242A
Application number: CN202010176705.4A
Authority: CN (China)
Prior art keywords: class, name, network request, specified, interceptor
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 曹阳, 杨如昆
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN202010176705.4A
Publication of CN113395242A

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/30: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306: Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information, intercepting packet switched data communications, e.g. Web, Internet or IMS communications

Abstract

The invention discloses a packet capturing method, device and computing equipment for application data packets. The method comprises the following steps: acquiring the class loader of a target application and acquiring a specified class through the class loader; when a client object of the http network request component is created, implementing the interceptor interface of the http network request component with the specified class and loading the interceptor interface into the client object; and acquiring the data packets of the target application's network requests through the client object loaded with the interceptor interface. According to the scheme of the invention, the specified class needed for the interceptor is obtained through the interceptor feature of the okhttp network request component and the application's own class loader, so that application data packets can be captured effectively without being affected by conventional anti-packet-capturing strategies such as certificate binding (certificate pinning).

Description

Packet capturing method and device for application data packet and computing equipment
Technical Field
The invention relates to the technical field of network security, in particular to a packet capturing method and device for an application data packet and computing equipment.
Background
With the rapid development and popularization of mobile terminals such as mobile phones, the functions of mobile applications are becoming richer, the network requests sent by mobile applications more frequent, and the network security problem more serious. Meanwhile, a network packet capturing tool, as a network data monitoring program, can selectively acquire the required information and use it for network security analysis and network threat response, and therefore plays an important role in network security attack and defense.
Android is currently the most widespread smartphone operating system, and Android applications mainly use the HTTP and HTTPS protocols for data transmission. HTTP is a plaintext protocol and can be captured directly with a packet capturing tool, whereas HTTPS is an encrypted protocol, and under normal conditions it is not easy to capture its data packets with a packet capturing tool.
In the prior art, the following two ways are mainly used to capture data packets of Android applications. In the first way, the self-signed certificate of Fiddler/Charles is installed on the mobile phone and the phone's proxy is pointed at Fiddler/Charles; the HTTP/HTTPS data packets of the target Android device can then be captured, and the data packets of the Android application of interest can be filtered out. In the second way, the target application is analysed with a local-VPN packet capturing application such as Packet Capture, which also yields the content of the HTTP/HTTPS data packets.
However, in implementing the embodiments of the present invention, the inventors found that the conventional packet capturing manners above can only capture packets for target applications that do not use certificate binding (certificate pinning); once the target application uses certificate binding, these manners lose their effect. Therefore, the research and development of a data packet capturing tool based on the Android platform is of great significance and practicality.
Disclosure of Invention
In view of the above problems, embodiments of the present invention are proposed to provide a packet capturing method, apparatus and computing device for application data packets, which overcome the above problems or at least partially solve the above problems.
According to an aspect of the embodiments of the present invention, there is provided a packet capturing method for an application data packet, including:
acquiring a class loader of a target application, and acquiring a specified class through the class loader;
when a client object of the http network request component is created, an interceptor interface of the http network request component is realized by utilizing the specified class, and the interceptor interface is loaded into the client object;
and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
According to another aspect of the embodiments of the present invention, there is provided a packet capturing device for application data packets, including:
the acquisition module is suitable for acquiring a class loader of the target application and acquiring a specified class through the class loader;
the interceptor realizing module is suitable for realizing an interceptor interface of the http network request component by utilizing the specified class when a client object of the http network request component is created;
a loading module adapted to load the interceptor interface into the client object;
and the packet capturing module is suitable for acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
According to still another aspect of an embodiment of the present invention, there is provided a computing device including: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the packet capturing method of the application data packet.
According to another aspect of the embodiments of the present invention, there is provided a computer storage medium, where at least one executable instruction is stored, and the executable instruction causes a processor to perform an operation corresponding to the packet capturing method for the application data packet.
According to the packet capturing method, device and computing equipment for application data packets described above, the specified class used to implement the interceptor interface of the okhttp network communication component is obtained through the class loader of the target application, so that it is not affected by the reinforcement (hardening) of the target application; the situation in which the specified class of the interceptor interface cannot be obtained because of some reinforcement means is thus avoided, and the specified class is obtained accurately. When a client object is created, the interceptor interface implemented with the specified class is loaded into the client object, and when a network request initiated by the target application is processed with that client object, the data packet of the network request is acquired. Compared with the packet capturing manners of the prior art, the packet capturing method and device can therefore widen the range of applications whose packets can be captured and improve the effectiveness of packet capturing.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and the embodiments of the present invention can be implemented according to the content of the description in order to make the technical means of the embodiments of the present invention more clearly understood, and the detailed description of the embodiments of the present invention is provided below in order to make the foregoing and other objects, features, and advantages of the embodiments of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the embodiments of the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a packet capturing method for an application data packet according to an embodiment of the present invention;
FIG. 2 is a flow chart of a packet capturing method for application data packets according to another embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a packet capturing apparatus for application data packets according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of a computing device provided in an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
Fig. 1 shows a flowchart of a packet capturing method for an application data packet according to an embodiment of the present invention. The scheme is applied to android application, and a data packet of network communication initiated by the android application is captured; also, the method may be performed by any computing device having data processing capabilities. As shown in fig. 1, the method comprises the steps of:
step S110: and acquiring a class loader of the target application, and acquiring the specified class through the class loader.
The specified class is the class required by the interceptor of the okhttp network communication component.
Specifically, a class loader of the target application is obtained, a class name and a method name in the class loader are not changed due to the reinforcement of the target application, and the obtaining of the specified class by the class loader may not be limited by the reinforcement of the application.
Step S120: when a client object of the http network request component is created, the interceptor interface of the http network request component is realized by using the specified class, and the interceptor interface is loaded into the client object.
The okhttp network request component is a framework of the Android system for processing network requests, with the following advantages: all requests to the same host address may share a connection, which improves request efficiency; sockets are shared, which reduces the number of requests to the server; a connection pool reduces request latency; response data is cached, which reduces duplicate network requests; the consumption of data traffic is reduced; and GZip compression is handled automatically.
Specifically, when the creation of an OkHttpClient object (the client object) of the okhttp network request component is detected, the interceptor interface is implemented with the specified class obtained through the class loader, and the interface is loaded into the OkHttpClient object. By implementing the interceptor interface and loading the interface during OkHttpClient construction, the data packets of the target application's network requests are monitored; this applies to both HTTP and HTTPS. Because it uses the interceptor feature of the okhttp network request component, the packet capturing is not affected by conventional anti-packet-capturing strategies such as certificate binding.
Step S130: and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
Because the OkHttpClient object is loaded with the interceptor interface, the processing of every network request passes through it, and the data packets of the network requests processed by the created OkHttpClient object can be acquired for network security analysis and response.
According to the packet capturing method for application data packets provided by this embodiment, the specified class used to implement the interceptor interface of the okhttp network communication component is obtained through the class loader of the target application, so that it is not affected by the reinforcement of the target application; the situation in which the specified class of the interceptor interface cannot be obtained because of some reinforcement means is avoided, and the specified class is obtained accurately. When a client object is created, the interceptor interface implemented with the specified class is loaded into the client object, and when a network request initiated by the target application is processed with that client object, the data packet of the network request is acquired. Compared with the packet capturing manners of the prior art, the range of applications whose packets can be captured is therefore widened, and the effectiveness of packet capturing is improved.
Fig. 2 is a flowchart illustrating a packet capturing method for an application data packet according to another embodiment of the present invention. As shown in fig. 2, the method comprises the steps of:
step S210: and acquiring a class loader of the target application, and acquiring the specified class through the class loader.
The specified class is the class required by the interceptor of the okhttp network communication component; it is an existing class, may differ according to different requirements, and specific class names are not listed here.
In the embodiment of the invention, packet capturing is carried out with the interceptor feature of the okhttp network request component. The okhttp network request component is used by Android applications, and the target application is an Android application that uses the okhttp network request component for network communication.
Specifically, the class required to implement the interceptor is obtained through the class loader, so that the situation in which the specified class cannot be obtained accurately because of application reinforcement is avoided. In addition, in this embodiment the class loader of the target application is obtained through Xposed (an application modification service). The Xposed Framework is a set of open-source framework services that run in a high-permission mode of Android and can affect program execution (modify the system) without modifying the APK file; with Xposed, the class loader can be obtained conveniently without being hindered by permissions.
Further, the class loader may obtain the specified class by name matching and/or feature matching. The name matching process is as follows: the class loader matches the first name of a class to be selected against the second name of the specified class and determines the class to be selected whose name matches as the specified class, where the class to be selected is each class in the class loader (the same below). Under normal conditions the class names and method names in the class loader are not affected by application reinforcement, and the specified class can be matched quickly and accurately by name.
The feature matching process is as follows: the class loader matches the first feature of the class to be selected against the second feature of the specified class and determines the class to be selected whose feature matches as the specified class, where the first feature and the second feature are each a specific feature that is not affected by the name. In practice, class names and method names may be obfuscated (confused), and the problem of name obfuscation can be avoided by matching specific features that are not affected by the name, which improves the accuracy of obtaining the specified class. The specific features not affected by the name include, but are not limited to, the public Java package to which the interface implemented by the class belongs, the return value type of the class, and/or the type of the input parameter of the class.
In actually acquiring the specified class, it may be acquired by either name matching or feature matching alone, or by both. In some optional embodiments of the present invention, before the specified class is obtained it is first determined whether the name of the specified class is a confusable name; if so, the class is obtained through feature matching, that is, the class loader matches the first feature of the class to be selected against the second feature of the specified class; if not, name matching is used, that is, the class loader matches the first name of the class to be selected against the second name of the specified class. In this way both the efficiency and the accuracy of obtaining the specified class are taken into account.
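The name-versus-feature decision of step S210, as an added example that is not code from the patent, from OkHttp or from Xposed. It assumes the candidate class names are supplied by the caller (how a loader's classes are enumerated is outside the example) and models the "specified class" as a public interface with exactly one abstract method whose parameter and return types are known; the sample interfaces with one-letter names are constructed here to stand in for renamed classes and are not OkHttp's.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.List;

public class FeatureMatcher {

    // Constructed sample classes standing in for the classes of a loader after
    // renaming. Only the shape (arity, parameter type, return type) survives.
    public interface Req {}
    public interface Resp {}
    public interface a { Resp a(Req r); }                              // wanted: Req -> Resp
    public interface b { Req b(Resp r); }                              // decoy: types reversed
    public interface Interceptor { Resp proceed(Req r); void extra(); } // decoy: familiar name, two methods
    public static class c { public Resp a(Req r) { return null; } }    // decoy: not an interface

    /** Name-independent features: public interface, one abstract method, given parameter and return types. */
    public static boolean matchesShape(Class<?> cls, Class<?> paramType, Class<?> returnType) {
        if (!cls.isInterface() || !Modifier.isPublic(cls.getModifiers())) return false;
        Method single = null;
        for (Method m : cls.getMethods()) {
            if (Modifier.isAbstract(m.getModifiers())) {
                if (single != null) return false;   // a second abstract method: wrong shape
                single = m;
            }
        }
        return single != null
                && single.getParameterCount() == 1
                && single.getParameterTypes()[0] == paramType
                && single.getReturnType() == returnType;
    }

    /**
     * Step S210: name matching when the expected name is not confusable,
     * feature matching when it is. Returns null when nothing matches.
     */
    public static Class<?> findSpecifiedClass(ClassLoader loader, List<String> candidateNames,
                                              String expectedName, boolean nameIsConfusable,
                                              Class<?> paramType, Class<?> returnType)
            throws ClassNotFoundException {
        for (String name : candidateNames) {
            Class<?> cls = Class.forName(name, false, loader);   // no static initialisation while scanning
            boolean hit = nameIsConfusable
                    ? matchesShape(cls, paramType, returnType)
                    : cls.getName().equals(expectedName);
            if (hit) return cls;
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = FeatureMatcher.class.getClassLoader();
        String prefix = FeatureMatcher.class.getName() + "$";
        List<String> candidates = Arrays.asList(prefix + "a", prefix + "b", prefix + "Interceptor", prefix + "c");

        // Name matching is satisfied by the decoy that merely carries the familiar name.
        Class<?> byName = findSpecifiedClass(loader, candidates, prefix + "Interceptor", false, Req.class, Resp.class);
        // Feature matching ignores names and selects the interface with the right shape.
        Class<?> byShape = findSpecifiedClass(loader, candidates, prefix + "Interceptor", true, Req.class, Resp.class);

        System.out.println("selected by name : " + byName.getName());
        System.out.println("selected by shape: " + byShape.getName());
    }
}
```

The point for anyone hardening an application is the one the patent's reasoning rests on: renaming classes and methods changes nothing that `matchesShape` inspects, so name obfuscation alone does not conceal which class plays the interceptor role; only the name check is fooled, and it is fooled in the opposite direction, by a decoy that keeps the original name.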
Step S220: when a client object of the http network request component is created, the interceptor interface of the http network request component is realized by using the specified class, and the interceptor interface is loaded into the client object.
Specifically, when a network request is sent with okhttp, the builder class of OkHttpClient is used to create the request; the creation of an OkHttpClient object indicates that a new network request needs to be processed, and adding the interceptor implementation at this moment makes it possible to capture packets for that request.
Further, a hook function is set, through Xposed (the application modification service), on the method that creates the client object, so that the hook fires at exactly the moment an OkHttpClient object is created and the interceptor implementation can be added in time; Xposed also makes the hook convenient to set. Correspondingly, when the client object is created, the interceptor interface is implemented by the hook function with a dynamic proxy: when the creation of an OkHttpClient object is detected, the interceptor interface is implemented with a dynamic proxy and loaded into the newly created OkHttpClient object, the dynamic proxy ensuring that the interceptor interface is implemented efficiently.
Step S230: and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
Wherein, the data packet of the network request of the target application comprises request data and response data of the network request.
Specifically, okhttp processes a network request initiated by an application to a network endpoint through a series of interceptors; after the interceptor implemented with the specified class is loaded into the OkHttpClient object, the request data can be acquired before the request is sent and the response data after the network response is received, completing the capture of the network request's data packet.
Step S240: and comparing the uniform resource locator contained in the request data with the malicious locator in the malicious locator database, and filtering the malicious request of the target application according to the comparison result.
After the request of a network request is captured, malicious detection is performed on the request URL (Uniform Resource Locator) it contains; if the request URL is a malicious URL, it is filtered out so that network security is not threatened.
It should be noted that after the data packet of a network request is obtained, a series of security analyses may be performed on it and corresponding threat countermeasures taken to ensure network security. The URL comparison and filtering of step S240 is only one optional analysis and countermeasure; in practical implementation a person skilled in the art may flexibly set the analysis manner and the measures taken, for example dynamically modifying the data packet while capturing it to assist network security analysis.
According to the packet capturing method for application data packets provided by this embodiment, the class loader of the target application is obtained through Xposed, so that the limitation of high permissions is avoided; the class loader obtains the specified class through name matching and/or feature matching, which improves the efficiency and/or accuracy of obtaining the specified class; a hook function is set on the method that creates the client object so that the hook fires at exactly the moment an OkHttpClient object is created and the interceptor can be added in time; and subsequently the OkHttpClient object loaded with the interceptor interface can be used to acquire the data packets of the target application's network requests and to perform network security analysis and threat response based on them. The packet capturing manner of this embodiment therefore makes proper use of the interceptor feature of the okhttp network request component, is not affected by conventional anti-packet-capturing strategies such as certificate binding, obtains the specified classes through feature matching for classes whose names may be confused, and extends the application range to all Android applications that use okhttp for network communication, whose data packets are captured.
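Steps S230 and S240 expressed as an okhttp3 interceptor, as an added example that is not code from the patent or from OkHttp. It records request data before the request leaves the client and response data after the response arrives, and filters requests whose URL host is on a malicious-locator list. It assumes OkHttp 3.14 or later (package okhttp3, okio.Buffer, RequestBody.isOneShot); the Sink interface, the host list and the 64 KiB capture limit are constructed for this example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.RequestBody;
import okhttp3.Response;
import okio.Buffer;

public class CapturingInterceptor implements Interceptor {

    /** Constructed for this example: where captured records go (log, file, analysis pipeline). */
    public interface Sink { void record(String line); }

    private static final long MAX_CAPTURE = 64 * 1024;   // cap on body bytes copied into memory

    private final Set<String> maliciousHosts;   // stand-in for the patent's "malicious locator database"
    private final Sink sink;

    public CapturingInterceptor(Set<String> maliciousHosts, Sink sink) {
        this.maliciousHosts = Collections.unmodifiableSet(new HashSet<>(maliciousHosts));
        this.sink = sink;
    }

    @Override
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Request request = chain.request();

        // Step S240: compare the request's URL with the malicious-locator list and filter.
        if (maliciousHosts.contains(request.url().host())) {
            sink.record("BLOCKED " + request.method() + " " + request.url());
            throw new IOException("request blocked by URL filter: " + request.url());
        }

        // Step S230, first half: request data is available before the request is sent.
        sink.record("REQUEST " + request.method() + " " + request.url());
        sink.record(request.headers().toString());
        RequestBody body = request.body();
        if (body != null && !body.isOneShot()) {
            Buffer copy = new Buffer();
            body.writeTo(copy);             // copy for the record; the chain still sends the original
            sink.record("REQUEST-BODY " + copy.readUtf8());
        }

        // Hand the request to the remaining interceptors and the network.
        Response response = chain.proceed(request);

        // Step S230, second half: response data is available after the response arrives.
        sink.record("RESPONSE " + response.code() + " " + response.message() + " for " + request.url());
        sink.record(response.headers().toString());
        // peekBody copies up to MAX_CAPTURE bytes, so the application can still consume the real body.
        sink.record("RESPONSE-BODY " + response.peekBody(MAX_CAPTURE).string());
        return response;
    }

    /** Loading the interceptor into the client object, as the patent's loading step describes. */
    public static OkHttpClient clientWithCapture(Set<String> maliciousHosts, Sink sink) {
        return new OkHttpClient.Builder()
                .addInterceptor(new CapturingInterceptor(maliciousHosts, sink))
                .build();
    }
}
```

Because the interceptor sits inside the client, it sees plaintext on both sides of TLS, which is exactly why a pinned certificate does not affect it. The same property cuts the other way for an application owner: `OkHttpClient.interceptors()` lists every interceptor installed on a client, and an entry that is a `java.lang.reflect.Proxy` class or comes from a class loader the application did not create is a signal that the client has been instrumented.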
Fig. 3 is a schematic structural diagram illustrating a packet capturing apparatus for application data packets according to an embodiment of the present invention.
As shown in fig. 3, the apparatus includes:
an obtaining module 310, adapted to obtain a class loader of a target application, and obtain a specified class through the class loader;
the interceptor implementing module 320 is adapted to implement an interceptor interface of the http network request component by using the specified class when creating the client object of the http network request component;
a loading module 330 adapted to load the interceptor interface into the client object;
and the packet capturing module 340 is adapted to obtain a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
In an optional manner, the obtaining module is further adapted to: and acquiring the class loader of the target application through the application modification service.
In an optional manner, the obtaining module is further adapted to: the class loader matches the first name of a class to be selected against the second name of the specified class, and determines the class to be selected whose name matches as the specified class; and/or
the class loader matches the first characteristic of the class to be selected with the second characteristic of the specified class, and determines the class to be selected with consistent characteristic matching as the specified class; wherein the first feature and the second feature are each a specific feature that is not affected by a name.
In an optional manner, the apparatus further comprises: the judging module is suitable for judging whether the name of the specified class is a confusable name or not;
the acquisition module is further adapted to: and if the name of the specified class is a name which is easy to confuse, the class loader matches the first feature of the class to be selected with the second feature of the specified class.
In an alternative approach, the name-independent specific features include: the type of input parameter of the class, the return value type of the class, and/or the JAVA public package to which the interface of the class implementation belongs.
In an optional manner, the apparatus further comprises: a setting module adapted to set a hook function, through the application modification service, on the method that creates the client object;
the interceptor implementing module is further adapted to: and when the client object is created, utilizing a hook function dynamic proxy to realize an interceptor interface.
In an alternative mode, the data packet of the network request of the target application includes request data and response data of the network request.
In an optional manner, the apparatus further comprises: a filtration module adapted to: and comparing the uniform resource locator contained in the request data with the malicious locator in the malicious locator database, and filtering the malicious request of the target application according to the comparison result.
In an optional manner, the target application is an Android application that uses the okhttp network request component for network communication.
The embodiment of the invention provides a nonvolatile computer storage medium, wherein at least one executable instruction is stored in the computer storage medium, and the computer executable instruction can execute the packet capturing method of the application data packet in any method embodiment.
The executable instructions may be specifically configured to cause the processor to:
acquiring a class loader of a target application, and acquiring a specified class through the class loader;
when a client object of the http network request component is created, an interceptor interface of the http network request component is realized by utilizing the specified class, and the interceptor interface is loaded into the client object;
and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
In an alternative, the executable instructions cause the processor to:
and acquiring the class loader of the target application through the application modification service.
In an alternative, the executable instructions cause the processor to:
the class loader matches the first name of a class to be selected against the second name of the specified class, and determines the class to be selected whose name matches as the specified class; and/or
the class loader matches the first characteristic of the class to be selected with the second characteristic of the specified class, and determines the class to be selected with consistent characteristic matching as the specified class; wherein the first feature and the second feature are each a specific feature that is not affected by a name.
In an alternative, the executable instructions cause the processor to:
judging whether the name of the specified class is a name which is easy to confuse;
and if the name of the specified class is a name which is easy to confuse, the class loader matches the first feature of the class to be selected with the second feature of the specified class.
In an alternative approach, the name-independent specific features include: the type of input parameter of the class, the return value type of the class, and/or the JAVA public package to which the interface of the class implementation belongs.
In an alternative, the executable instructions cause the processor to:
setting a hook function on a method for creating the client object by applying a modification service;
and when the client object is created, utilizing a hook function dynamic proxy to realize an interceptor interface.
In an alternative mode, the data packet of the network request of the target application includes request data and response data of the network request.
In an alternative, the executable instructions cause the processor to:
and comparing the uniform resource locator contained in the request data with the malicious locator in the malicious locator database, and filtering the malicious request of the target application according to the comparison result.
In an optional manner, the target application is an Android application that uses the okhttp network request component for network communication.
Fig. 4 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 4, the computing device may include: a processor (processor)402, a Communications Interface 404, a memory 406, and a Communications bus 408.
Wherein: the processor 402, communication interface 404, and memory 406 communicate with each other via a communication bus 408. A communication interface 404 for communicating with network elements of other devices, such as clients or other servers. The processor 402, configured to execute the program 410, may specifically execute the relevant steps in the above-described embodiment of the method for packet capturing of application data packets for a computing device.
In particular, program 410 may include program code comprising computer operating instructions.
The processor 402 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
And a memory 406 for storing a program 410. Memory 406 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 410 may specifically be configured to cause the processor 402 to perform the following operations:
acquiring a class loader of a target application, and acquiring a specified class through the class loader;
when a client object of the http network request component is created, an interceptor interface of the http network request component is realized by utilizing the specified class, and the interceptor interface is loaded into the client object;
and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
In an alternative, the program 410 causes the processor to:
and acquiring the class loader of the target application through the application modification service.
In an alternative, the program 410 causes the processor to:
the class loader matches a first name of a class to be selected with a second name of the specified class, and determines the class to be selected whose name matches as the specified class; and/or
the class loader matches a first feature of the class to be selected with a second feature of the specified class, and determines the class to be selected whose feature matches as the specified class, wherein the first feature and the second feature are each a specific feature that is not affected by the name.
In an alternative, the program 410 causes the processor to:
judging whether the name of the specified class is a confusable name;
and if the name of the specified class is a confusable name, the class loader matches the first feature of the class to be selected with the second feature of the specified class.
In an alternative approach, the name-independent specific features include the input parameter types of the class, the return value types of the class, and/or the public Java package to which an interface implemented by the class belongs.
In an alternative, the program 410 causes the processor to:
setting, through the application modification service, a hook function on the method that creates the client object;
and, when the client object is created, implementing the interceptor interface through a dynamic proxy in the hook function.
In an alternative, the data packet of the network request of the target application comprises request data and response data of the network request.
In an alternative, the program 410 causes the processor to:
and comparing the uniform resource locator contained in the request data with the malicious locator in the malicious locator database, and filtering the malicious request of the target application according to the comparison result.
In an optional manner, the target application is an Android application that uses the OkHttp network request component for network communication.
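The three steps above (locating the specified class by name or by name-independent features, implementing the interceptor interface through a dynamic proxy, and filtering requests against the malicious locator database) as one added Java example; it is not code from the patent or from OkHttp. `Chain`, `Interceptor`, `chainFor`, the candidate class list and the blocklist URL are constructed stand-ins, and attaching the proxy to the client from the hooked builder method is not shown.

```java
import java.io.IOException;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Set;

public class InterceptorProxyDemo {
    // Constructed stand-ins for okhttp3.Interceptor and Interceptor.Chain (Request/Response reduced to strings).
    interface Chain {
        String request();                                   // request URL
        String proceed(String request) throws IOException;  // response body
    }
    interface Interceptor {
        String intercept(Chain chain) throws IOException;
    }
    // Name-independent feature check (the patent's parameter/return types; an implemented java.* interface is another).
    static boolean matchesByFeatures(Class<?> candidate, Class<?>[] paramTypes, Class<?> returnType) {
        for (Method m : candidate.getDeclaredMethods()) {
            if (m.getReturnType() == returnType && Arrays.equals(m.getParameterTypes(), paramTypes)) return true;
        }
        return false;
    }

    // Name first, features second: if the expected name is missing (obfuscated), scan the caller's candidate names.
    static Class<?> findSpecifiedClass(ClassLoader loader, String expectedName, Iterable<String> candidates,
                                       Class<?>[] paramTypes, Class<?> returnType) {
        try {
            return Class.forName(expectedName, false, loader);
        } catch (ClassNotFoundException confusable) { /* fall back to feature matching */ }
        for (String name : candidates) {
            try {
                Class<?> c = Class.forName(name, false, loader);
                if (matchesByFeatures(c, paramTypes, returnType)) return c;
            } catch (ClassNotFoundException ignored) { }
        }
        return null;
    }

    // Dynamic proxy: the interface's own method is treated as intercept(); the URL is logged and checked against the blocklist.
    static Object makeInterceptor(Class<?> iface, Set<String> maliciousUrls, StringBuilder log) {
        InvocationHandler handler = (proxy, method, args) -> {
            if (method.getDeclaringClass() != iface) {           // equals/hashCode/toString
                return method.getName().equals("equals") ? proxy == args[0]
                        : method.getName().equals("hashCode") ? System.identityHashCode(proxy) : "CaptureProxy";
            }
            Chain chain = (Chain) args[0];   // in a real build Chain would be located by features too
            String url = chain.request();
            log.append("request ").append(url).append('\n');
            if (maliciousUrls.contains(url)) {
                throw new IOException("blocked by malicious locator database: " + url);
            }
            String response = chain.proceed(url);
            log.append("response ").append(response).append('\n');
            return response;
        };
        return Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[]{iface}, handler);
    }

    static Chain chainFor(String url) {   // constructed "network": echoes a body for the URL
        return new Chain() {
            public String request() { return url; }
            public String proceed(String r) { return "200 OK for " + r; }
        };
    }
    public static void main(String[] args) throws Exception {
        ClassLoader loader = InterceptorProxyDemo.class.getClassLoader();
        // Constructed: the expected name is absent and java.lang.Runnable is a decoy (run() returns void).
        Class<?> iface = findSpecifiedClass(loader, "okhttp3.Interceptor",
                Arrays.asList("java.lang.Runnable", InterceptorProxyDemo.class.getName() + "$Interceptor"),
                new Class<?>[]{Chain.class}, String.class);
        if (iface == null) throw new IllegalStateException("specified class not found");
        StringBuilder log = new StringBuilder();
        Interceptor captured = (Interceptor) makeInterceptor(iface, Set.of("http://bad.example/payload"), log);
        System.out.println(captured.intercept(chainFor("http://api.example/v1/ping")));   // passed through
        try { captured.intercept(chainFor("http://bad.example/payload")); }
        catch (IOException e) { System.out.println(e.getMessage()); }                      // blocked
        System.out.print(log);
    }
}
```

The decoy shows why name matching alone is not enough: a candidate is accepted only when its declared method signature matches, which is what survives renaming.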
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. In addition, embodiments of the present invention are not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of embodiments of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best modes of embodiments of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the embodiments are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the claimed embodiments of the invention require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components according to embodiments of the present invention. Embodiments of the invention may also be implemented as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing embodiments of the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. Embodiments of the invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specified otherwise.
The invention discloses: A1. A packet capturing method for application data packets, comprising the following steps:
acquiring a class loader of a target application, and acquiring a specified class through the class loader;
when a client object of the http network request component is created, an interceptor interface of the http network request component is realized by utilizing the specified class, and the interceptor interface is loaded into the client object;
and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
A2. The method of A1, wherein the obtaining of the class loader of the target application further comprises: acquiring the class loader of the target application through the application modification service.
A3. The method of A1 or A2, wherein the obtaining, by the class loader, of the specified class further comprises:
the class loader matches a first name of a class to be selected with a second name of the specified class, and determines the class to be selected whose name matches as the specified class; and/or
the class loader matches a first feature of the class to be selected with a second feature of the specified class, and determines the class to be selected whose feature matches as the specified class, wherein the first feature and the second feature are each a specific feature that is not affected by the name.
A4. The method of A3, wherein, prior to the obtaining of the specified class by the class loader, the method further comprises: judging whether the name of the specified class is a confusable name;
and the class loader matching the first feature of the class to be selected with the second feature of the specified class further comprises:
if the name of the specified class is a confusable name, the class loader matches the first feature of the class to be selected with the second feature of the specified class.
A5. The method of A3 or A4, wherein the name-independent specific features include the input parameter types of the class, the return value types of the class, and/or the public Java package to which an interface implemented by the class belongs.
A6. The method of any one of A1-A5, wherein the method further comprises: setting, through the application modification service, a hook function on the method that creates the client object;
and when the client object of the http network request component is created, implementing the interceptor interface of the http network request component by utilizing the specified class further comprises:
when the client object is created, implementing the interceptor interface through a dynamic proxy in the hook function.
A7. The method of any one of A1-A6, wherein the data packet of the network request of the target application includes request data and response data of the network request.
A8. The method of A7, wherein, after the obtaining of the data packet of the network request of the target application, the method further comprises:
comparing the uniform resource locator contained in the request data with the malicious locators in the malicious locator database, and filtering the malicious requests of the target application according to the comparison result.
A9. The method according to any one of A1-A8, wherein the target application is an Android application that uses an HTTP network request component for network communication.
The invention also discloses: B10. a packet capture device for application data packets, comprising:
the acquisition module is suitable for acquiring a class loader of the target application and acquiring a specified class through the class loader;
the interceptor realizing module is suitable for realizing an interceptor interface of the http network request component by utilizing the specified class when a client object of the http network request component is created;
a loading module adapted to load the interceptor interface into the client object;
and the packet capturing module is suitable for acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
B11. The apparatus of B10, wherein the acquisition module is further adapted to: and acquiring the class loader of the target application through the application modification service.
B12. The apparatus of B10 or B11, wherein the acquisition module is further adapted to: match, through the class loader, a first name of a class to be selected with a second name of the specified class, and determine the class to be selected whose name matches as the specified class; and/or
match, through the class loader, a first feature of the class to be selected with a second feature of the specified class, and determine the class to be selected whose feature matches as the specified class, wherein the first feature and the second feature are each a specific feature that is not affected by the name.
B13. The apparatus of B12, wherein the apparatus further comprises: a judging module adapted to judge whether the name of the specified class is a confusable name;
and the acquisition module is further adapted to: if the name of the specified class is a confusable name, match, through the class loader, the first feature of the class to be selected with the second feature of the specified class.
B14. The apparatus of B12 or B13, wherein the name-independent specific features include the input parameter types of the class, the return value types of the class, and/or the public Java package to which an interface implemented by the class belongs.
B15. The apparatus of any one of B10-B14, wherein the apparatus further comprises: a setting module adapted to set, through the application modification service, a hook function on the device that creates the client object;
and the interceptor implementing module is further adapted to: when the client object is created, implement the interceptor interface through a dynamic proxy in the hook function.
B16. The apparatus of any of B10-B15, wherein the data packet of the network request of the target application includes request data and response data of the network request.
B17. The apparatus of B16, wherein the apparatus further comprises: a filtration module adapted to: and comparing the uniform resource locator contained in the request data with the malicious locator in the malicious locator database, and filtering the malicious request of the target application according to the comparison result.
B18. The device according to any one of B10-B17, wherein the target application is an Android application that uses an HTTP network request component for network communication.
The invention also discloses: C19. a computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the packet capturing method of the application data packet according to any one of A1-A9.
The invention also discloses: D20. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform the operations corresponding to the packet capturing method for application data packets as described in any one of A1-A9.

Claims (10)

1. A packet capturing method for application data packets, comprising the following steps:
acquiring a class loader of a target application, and acquiring a specified class through the class loader;
when a client object of the http network request component is created, an interceptor interface of the http network request component is realized by utilizing the specified class, and the interceptor interface is loaded into the client object;
and acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
2. The method of claim 1, wherein the obtaining a class loader for a target application further comprises: and acquiring the class loader of the target application through the application modification service.
3. The method of claim 1 or 2, wherein said obtaining a specified class by a class loader further comprises:
the class loader matches a first name of a class to be selected with a second name of the specified class, and determines the class to be selected whose name matches as the specified class; and/or
the class loader matches a first feature of the class to be selected with a second feature of the specified class, and determines the class to be selected whose feature matches as the specified class, wherein the first feature and the second feature are each a specific feature that is not affected by the name.
4. The method of claim 3, wherein, prior to said obtaining of the specified class by the class loader, the method further comprises: judging whether the name of the specified class is a confusable name;
and the class loader matching the first feature of the class to be selected with the second feature of the specified class further comprises:
if the name of the specified class is a confusable name, the class loader matches the first feature of the class to be selected with the second feature of the specified class.
5. The method of claim 3 or 4, wherein the specific features that are not affected by the name include the input parameter types of the class, the return value types of the class, and/or the public Java package to which an interface implemented by the class belongs.
6. The method of any one of claims 1-5, wherein the method further comprises: setting, through the application modification service, a hook function on the method that creates the client object;
and when the client object of the http network request component is created, implementing the interceptor interface of the http network request component by utilizing the specified class further comprises:
when the client object is created, implementing the interceptor interface through a dynamic proxy in the hook function.
7. The method of any one of claims 1-6, wherein the data packet of the network request of the target application includes request data and response data of the network request.
8. A packet capture device for application data packets, comprising:
the acquisition module is suitable for acquiring a class loader of the target application and acquiring a specified class through the class loader;
the interceptor realizing module is suitable for realizing an interceptor interface of the http network request component by utilizing the specified class when a client object of the http network request component is created;
a loading module adapted to load the interceptor interface into the client object;
and the packet capturing module is suitable for acquiring a data packet of the network request of the target application according to the client object loaded with the interceptor interface.
9. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the packet capturing method of the application data packet in any one of claims 1-7.
10. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the packet capturing method for application data packets according to any one of claims 1 to 7.
CN202010176705.4A 2020-03-13 2020-03-13 Packet capturing method and device for application data packet and computing equipment Pending CN113395242A (en)


Publications (1)

Publication Number Publication Date
CN113395242A (en) 2021-09-14

Family

ID=77616127


Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002180A (en) * 2022-05-26 2022-09-02 上海商米科技集团股份有限公司 Network request operation monitoring method and device and computer readable medium
CN115086206A (en) * 2022-06-14 2022-09-20 工银科技有限公司 Client software debugging method and device
CN115002180B (en) * 2022-05-26 2024-05-14 上海商米科技集团股份有限公司 Network request operation monitoring method, device and computer readable medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination