CN104182681A - Hook-based iOS (iPhone operating system) key behavior detection device and detection method thereof

Info

Publication number: CN104182681A
Application number: CN201410429756.8A
Authority: CN (China)
Legal status: Granted; Expired - Fee Related
Other versions: CN104182681B (en)
Other languages: Chinese (zh)
Inventors: 张淼, 徐国爱
Current assignee: Beijing Zhilian Anhang Technology Co ltd
Original assignee: BEIJING SOFTSEC TECHNOLOGY Co Ltd
Prior art keywords: behavior, module, information, ios, unit

Events: application filed by BEIJING SOFTSEC TECHNOLOGY Co Ltd; priority to CN201410429756.8A; publication of CN104182681A; application granted; publication of CN104182681B; expired (fee related).

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

Disclosed are a hook-based iOS (iPhone operating system) key behavior detection device and a detection method thereof. Key behaviors of an iOS system are acquired in real time by hooking the APIs (application programming interfaces) of those key behaviors; the set key behaviors of the iOS system of an iPhone terminal are monitored; the information related to the key behaviors is acquired; and the information is displayed to a user at a server or stored as a result report for the user to check and assess. The device comprises a behavior tracking module disposed in an iOS terminal layer and, correspondingly, a user interface module, a security risk report module and a behavior analysis module, which are connected in order and arranged in a PC (personal computer) device layer. The device has the innovative advantages that system key behavior detection is timely and comprehensive, various system key behaviors can be detected, the extension capacity is good, the device supports multiple operating systems, and various different detection reports can be provided for convenient consultation and analysis.

Description

Hook-based iOS system key behavior detection device and method
Technical field
The present invention relates to a technology for detecting key behaviors of Apple's iPhone operating system iOS; specifically, it relates to a hook-based iOS system key behavior detection device and method, and belongs to the technical field of software security within information security.
Background technology
At present there are few hook-based iOS key behavior detection tools; the only open-source one is Introspy. Introspy-iOS is briefly introduced here: it is a tool on iOS for dynamically detecting software behavior and assessing software security. It has two parts: a behavior tracer and a behavior analyzer. The behavior tracer is installed on the iOS device and obtains the key behaviors of a designated application by hooking the application programming interfaces (APIs) of those key behaviors; the APIs cover encryption and decryption, IPC, data storage, network connections and so on. The information about these function calls is finally recorded and persisted in a database. The behavior analyzer is installed on a PC; it takes the database file generated by the behavior tracer as input, analyzes and processes it, generates a result report in a specified format (such as xml or html) locally, and lists in the report all key behaviors executed while the designated application ran.
At present, in the field of iOS system key behavior detection, little research has been carried out by researchers at home or abroad, and mature detection devices are especially rare. There is currently only one iOS system key behavior detection method: sensitive file monitoring. Its basic idea is to read the sensitive file database and match its contents. Because all sensitive file databases on iOS are sqlite databases, they can be accessed like ordinary data files. The usual procedure of sensitive file monitoring is therefore: first read the contents of the sensitive file database (for example the SMS database); then, after every set interval, read the database again, match the newly read content against the previous content or result to obtain the latest modifications to the file, and judge from them whether a sensitive behavior has been triggered.
The existing iOS system key behavior detection methods are all based mainly on monitoring file operations. Although they can capture key behaviors of the system, their limitations are still considerable. For example:
(1) Poor real-time detection: system key behavior detection based on file monitoring is the method most commonly used for iOS system key behavior detection at present. Its main idea is simply to compare the contents of sensitive files over and over in order to judge the system's key behaviors.
For example, by repeatedly reading the sms.db file under the /private/var/mobile/Library/SMS/ directory, one judges whether new data has been written. If so, the system is considered to have sent or received an SMS message. But this method has no real-time capability: the result is not detected immediately after the message is sent or received.
(2) High cost, low efficiency: because reading a sensitive file involves multiple operations such as reading the file and matching its contents, the time cost and other costs are too high. If the file is very large, the detection efficiency drops greatly.
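The sensitive file monitoring method described above, as an added example that is not part of the patent: a Python simulation of polling an SMS-style sqlite database and diffing snapshots. A constructed in-memory table stands in for sms.db and the message events are constructed too; no real database is touched. It makes the latency limitation of point (1) measurable: a message is only noticed at the next poll boundary, never at the moment it is written.

```python
import sqlite3

# Constructed stand-in for the SMS database: an in-memory sqlite table with the
# columns the polling method needs.
def make_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, text TEXT, date INTEGER)"
    )
    return conn

def snapshot(conn):
    """Read the whole sensitive table, as the polling method does at every interval."""
    return conn.execute("SELECT id, address, text, date FROM message ORDER BY id").fetchall()

def diff_snapshots(previous, current):
    """Match the new read against the previous one; rows not seen before are the modifications."""
    seen = {row[0] for row in previous}
    return [row for row in current if row[0] not in seen]

def simulate_polling(events, interval_ms):
    """events: constructed (time_ms, address, text) tuples saying when a message lands in the
    database. Polls every interval_ms and returns (text, detected_at_ms, latency_ms) per
    message. Detection can only happen at a poll boundary, which is the real-time limitation."""
    conn = make_sample_db()
    previous = snapshot(conn)
    pending = sorted(events)
    detections = []
    poll_time = interval_ms
    while pending:
        # Messages that arrive before the next poll are written by the system in the meantime.
        while pending and pending[0][0] <= poll_time:
            arrived, address, text = pending.pop(0)
            conn.execute(
                "INSERT INTO message (address, text, date) VALUES (?, ?, ?)",
                (address, text, arrived),
            )
        conn.commit()
        current = snapshot(conn)
        for _rowid, _address, text, arrived in diff_snapshots(previous, current):
            detections.append((text, poll_time, poll_time - arrived))
        previous = current
        poll_time += interval_ms
    conn.close()
    return detections

if __name__ == "__main__":
    # Constructed events: three messages, one-second polling.
    for text, when, latency in simulate_polling(
        [(300, "+10000000001", "first"), (1200, "+10000000002", "second"), (1500, "+10000000001", "third")],
        1000,
    ):
        print(f"{text!r} detected at {when} ms, {latency} ms after it was written")
```

Shrinking the interval lowers the latency but multiplies the full-table reads, which is the cost problem of point (2); the hook approach the patent proposes avoids both by reacting at the API call itself.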
At present there is much malware on the iOS platform. For example, in 2012 Kaspersky Lab found a malicious application named Find & Call, which can send the user's contacts and SMS contents to a designated server without the user being able to notice. In 2014 Stefan Esser found the unflod malicious plugin, which can obtain the user's application identifier appID (application identification) and password and send them to a given server. Such malware can trigger key behaviors of the system without the user's knowledge, such as secretly sending SMS messages, connecting to the network or making calls, and poses a great threat to user privacy and property. Therefore, technical personnel in the industry at home and abroad, when attending to dynamic detection of running software, are concerned with techniques for detecting whether key behaviors of Apple's iOS operating system are triggered.
Summary of the invention
In view of this, the object of the present invention is to provide a hook-based iOS system key behavior detection device and method. The invention can monitor in real time system key behaviors such as phone calls, SMS messages, networking and geographic location: it intercepts, with the hook technique, the functions triggered by all system key behaviors, obtains the information relevant to each key behavior, sends it to the server, and then reports the detected system security risks to the user.
To achieve the above object, the invention provides a hook-based key behavior detection device for Apple's iOS operating system, characterized in that: the device captures key behaviors of the iOS system in real time by hooking the application programming interfaces (APIs) of those key behaviors, so as to monitor the set key behaviors of the iOS system on an Apple device, obtain the information relevant to each key behavior, and either display it to the user in real time at the server end or save it as a result report for the user's audit and assessment. The device consists of four parts: a behavior tracking module located in the iOS terminal layer, and a user interface module, a security risk report module and a behavior analysis module, connected in order, located in the PC device layer. Wherein:
The behavior tracking module detects in real time the set key behaviors of the iOS system on the set Apple device: it first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracking module then captures in real time the APIs of the set key behaviors of the iOS device, obtains the parameters and return values of these APIs, encapsulates this information according to a set format, and returns the encapsulated information through network socket communication to the behavior analysis module for processing;
The user interface module is responsible for interacting with the user: on the one hand it accepts the user's request to detect the default key behaviors of iOS and then sends the start signal and the types of key behavior to be detected to the behavior analysis module; on the other hand it receives the system key behavior information returned by the security risk report module and displays it to the user;
The behavior analysis module receives and parses the key behavior information sent from the Apple device: after the communication unit of this module receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracking module and forwards the return messages received from the behavior tracking module to the data analysis unit for processing; the data analysis unit first "decapsulates" the received return messages and, having obtained the result, sends it to the security analysis unit, which performs the subsequent analysis and then forwards it to the security risk report module;
The security risk report module, according to the analysis results of the behavior analysis module, integrates the discovered iOS system key behavior information into a result report in a set format including xml and html, which is stored locally for the user's audit and analysis; at the same time it sends the discovered system key behavior information to the user interface module for display to the user.
To achieve the above object, the present invention also provides a detection method for the hook-based iOS system key behavior detection device, characterized in that the method comprises the following operation steps:
Step 1, the PC terminal layer sets the detection parameters and detection scope: after the user sets, on the PC terminal, the IP address and port number of the Apple device to be detected and its key behaviors, the detection device starts working;
Step 2, the behavior tracking module in the iOS terminal layer uses the hook technique to detect and extract the parameters and return values of each sensitive application programming interface (API) and sends them to the behavior analysis module in the PC device layer;
Step 3, after the behavior analysis module in the PC device layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them;
Step 4, after the security analysis unit in the behavior analysis module completes the security analysis of the key behaviors, it sends the analysis results to the security risk report module, which stores them in a local file of a set format; at the same time it sends the analysis results to the user interface module, which displays them on different interfaces according to the different key behaviors.
The hook-based iOS system key behavior detection device of the present invention can monitor the set iOS system key behaviors on an Apple device, obtain the information relevant to those key behaviors, and display it to the user in real time at the server end or save it as a report submitted to the user for audit and assessment. Its innovative advantages are as follows:
(A) Real-time system key behavior detection: because the detection mechanism of this device is based on the hook mechanism, its greatest advantage over other detection devices is good real-time performance. For example, as soon as the system's SMS behavior is triggered, the detection device of the invention detects the behavior immediately and obtains the recipient, the sender and the message content. Compared with directly monitoring the SMS database, this detection device is more efficient and has very strong real-time performance.
(B) Comprehensive system key behavior detection: no matter how third-party software disguises itself, when it finally wants to execute a system key behavior it must call the system's native API. All APIs hooked by the detection device of the invention are native system APIs, so compared with other detection devices the detection scope of this device is deeper, which ensures comprehensive system key behavior detection.
(C) Detection of many kinds of system key behavior and extensibility: at present other tools support only specific behaviors; for instance Introspy can only detect file operations, http networking and the like. The detection device of the invention monitors key behaviors of Apple's iOS operating system on the basis of hooks, and the hooks are in turn based on the MobileSubstrate framework: once the API triggered by a key behavior has been determined, MobileHooker can capture that iOS system key behavior, so corresponding APIs can be added according to user requirements, extending detection support to more iOS system key behaviors. At present the invention supports the detection of more than 5 classes of system key behavior, in particular the detection of the phone's SMS system behavior, which no other tool can currently achieve. New system key behaviors can also be continuously added to the device as detection targets.
(D) Support for multiple operating systems: compared with other software security tools, the detection device of the invention supports real-time detection of all system key behaviors on Apple devices running iOS 6 and above.
(E) Diversity of detection reports: after detecting iOS system key behaviors, the detection device of the invention can automatically generate detection reports in html format and xml format respectively, which are convenient for record keeping and management; moreover, it can generate a consolidated report of the detection results when needed, for convenient comprehensive consultation and analysis.
In short, the present invention has good prospects for popularization and application.
Brief description of the drawings
Fig. 1 is a structural composition diagram of the hook-based key behavior detection device for Apple's iOS operating system of the present invention.
Fig. 2 is a flow chart of the operation steps of the detection method of the hook-based key behavior detection device for Apple's iOS operating system of the present invention.
Fig. 3 is a flow chart of the operation steps of the behavior tracking module in the iOS key behavior detection device of the present invention.
Fig. 4 is a flow chart of the operation steps of the behavior analysis module in the iOS key behavior detection device of the present invention.
Fig. 5 is a flow chart of the operation steps in an embodiment of the iOS key behavior detection device of the present invention.
Detailed description
To make the object, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments.
The hook-based iOS system key behavior detection device of the present invention captures key behaviors of the iOS system in real time by hooking the APIs of those key behaviors, monitors the set key behaviors of the iOS system on an Apple device, extracts the information relevant to each key behavior, and sends it to the PC front-end server, where it is displayed to the user in real time or a result report is generated for the user's audit and analysis.
The set iOS system key behaviors that the detection device of the invention currently supports detecting are shown in the following table:
Behavior name        Behavior information                                                                      Risk class
Phone call           Numbers of both parties to the call, call state and call duration                         5
SMS message          Numbers of sender and receiver and the message content                                    5
URL connection       Web page address (url) field and connection time                                          5
Geographic location  Name of the application accessing the location and the access time                        4
Contacts             Name of the application accessing the contacts and the access time                        4
Photo album          Name of the application accessing the photo album and the access time                     4
Bluetooth            Whether the Bluetooth state changed, the application that changed it and the change time  3
Referring to Fig. 1, the structural composition of the iOS system key behavior detection device of the invention is introduced: it comprises four parts, a behavior tracking module located in the iOS terminal layer, and a user interface module, a security risk report module and a behavior analysis module, connected in order, located in the PC device layer. Wherein:
The function of the behavior tracking module is to detect in real time the set key behaviors of the iOS system on the set Apple device: it first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracking module then captures in real time the APIs of the set key behaviors of the iOS device, obtains the parameters and return values of these APIs, encapsulates this information according to a set format, and returns the encapsulated information through network socket communication to the behavior analysis module for processing.
The function of the user interface module is to interact with the user: on the one hand it accepts the user's request to detect the default key behaviors of iOS and then sends the start signal and the types of key behavior to be detected to the behavior analysis module; on the other hand it receives the system key behavior information returned by the security risk report module and displays it to the user.
The function of the behavior analysis module is to receive and parse the key behavior information sent from the Apple device: after the communication unit of this module receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracking module and forwards the return messages received from the behavior tracking module to the data analysis unit for processing. The data analysis unit first "decapsulates" the received return messages and, having obtained the result, sends it to the security analysis unit, which performs the subsequent analysis and then forwards it to the security risk report module.
The function of the security risk report module is, according to the analysis results of the behavior analysis module, to integrate the discovered iOS system key behavior information into a result report in a set format including xml and html, which is stored locally for the user's audit and analysis; at the same time it sends the discovered system key behavior information to the user interface module for display to the user.
Referring to Fig. 2, the concrete operation steps of the detection method of the hook-based iOS system key behavior detection device of the invention are introduced as follows:
Step 1, the PC terminal layer sets the detection parameters and detection scope: after the user, through the "Settings" option on the PC terminal, configures the IP address and port number of the Apple device to be detected and its key behaviors, the detection device starts working.
In this step, the iOS system key behaviors of this Apple device that need to be detected are set as shown in the table above, and are not repeated here.
Step 2, the behavior tracking module of the iOS terminal layer uses the hook technique to detect and extract the parameters and return values of each sensitive application programming interface (API) and sends them to the behavior analysis module of the PC device layer. The operations of this step 2 are as follows (shown in Fig. 3):
(21) According to the key behaviors set in step 1, the behavior tracking module loads the configuration file under the /Library/MobileSubstrate/DynamicLibraries/ directory, which is used to specify the scope of action of the dynamic link library.
(22) The behavior tracking module uses MobileLoader in the MobileSubstrate framework to inject the self-written dynamic link library into the set programs, so that when these programs start, the dynamic link library is loaded into memory at the same time.
(23) After the API corresponding to a key behavior is triggered, MobileHooker in the MobileSubstrate framework replaces the original API with a self-written function.
(24) In these replacement functions, the API parameters and return values of each key behavior are extracted by keyword matching and sent to the data processing unit.
(25) The data processing unit, according to the different key behaviors, uses correspondingly different methods to extract the information relevant to the key behavior from these parameters and return values.
(26) The data processing unit uses correspondingly different data encapsulation methods according to the different types, and sends the encapsulated data to the communication unit.
(27) The communication unit uses socket communication to send the data encapsulated by the behavior tracking module to the behavior analysis module.
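Steps (21) to (27) as an added example, not code from the patent: a Python in-process simulation of the hook unit. MobileSubstrate and MobileHooker only exist on a jailbroken iOS device, so the replacement of a native function by a recording wrapper (step 23) is modelled with attribute replacement on a stand-in namespace; the API names (send_message, open_url, dial), the keyword lists and the length-prefixed JSON wire format are all assumptions made for the example. The block shows keyword extraction of parameters and return values (24), encapsulation in a set format (26) and the socket hand-off (27), with a socketpair standing in for the connection to the PC.

```python
import functools
import inspect
import json
import socket
import struct
import time
from types import SimpleNamespace

# Stand-in for the monitored process. Function names are hypothetical; the page
# does not name the native iOS APIs that its hooks replace.
def make_native_api():
    return SimpleNamespace(
        send_message=lambda recipient, body: 0,   # 0 stands for "sent"
        open_url=lambda url, timeout: 200,        # status of the connection
        dial=lambda number: "connected",          # call state
    )

# Keyword lists for step (24): which parameter names carry the information listed
# for each behavior in the table on this page (assumed names).
KEYWORDS = {
    "sms": ("recipient", "body"),
    "url": ("url",),
    "phone": ("number",),
}

def extract(behavior, params, ret):
    """Keyword matching over the bound parameters; the return value is kept as well."""
    info = {name: value for name, value in params.items() if name in KEYWORDS[behavior]}
    info["return"] = ret
    return info

def encapsulate(record):
    """Set format for the wire (assumed): 4-byte big-endian length, then UTF-8 JSON."""
    payload = json.dumps(record, sort_keys=True).encode("utf-8")
    return struct.pack("!I", len(payload)) + payload

def decapsulate(frame):
    (length,) = struct.unpack("!I", frame[:4])
    return json.loads(frame[4:4 + length].decode("utf-8"))

class HookUnit:
    """Replaces selected functions with recording wrappers, the role MobileHooker
    plays in step (23). The original is still called, so the program behaves as before."""
    def __init__(self, clock=time.time):
        self.frames = []      # encapsulated records waiting for the communication unit
        self.clock = clock

    def install(self, target, name, behavior):
        original = getattr(target, name)
        signature = inspect.signature(original)

        @functools.wraps(original)
        def replacement(*args, **kwargs):
            ret = original(*args, **kwargs)
            params = signature.bind(*args, **kwargs).arguments   # parameter name -> value
            record = {"behavior": behavior, "api": name, "time": self.clock(),
                      "info": extract(behavior, params, ret)}
            self.frames.append(encapsulate(record))              # step (26)
            return ret

        setattr(target, name, replacement)

def transmit(frames):
    """Communication unit, step (27): push the frames through a socket. A socketpair
    stands in for the TCP connection to the PC; returns what the far end received.
    The frames here are small enough to fit the socket buffer before they are read."""
    sender, receiver = socket.socketpair()
    for frame in frames:
        sender.sendall(frame)
    sender.close()
    received = b""
    while True:
        chunk = receiver.recv(4096)
        if not chunk:
            break
        received += chunk
    receiver.close()
    return received

if __name__ == "__main__":
    api = make_native_api()
    unit = HookUnit()
    for name, behavior in (("send_message", "sms"), ("open_url", "url"), ("dial", "phone")):
        unit.install(api, name, behavior)
    # Constructed calls, as the monitored program would make them.
    api.send_message("+10000000001", "hello")
    api.open_url("http://example.invalid/", timeout=5)
    api.dial("+10000000002")
    for frame in transmit(unit.frames).split(b"")[:0] or unit.frames:
        print(decapsulate(frame))
```

Only the parameters named in the keyword list reach the wire; everything else the hooked function receives stays in the process, which keeps the record small and avoids exporting data the analysis module has no rule for.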
Step 3, after the behavior analysis module of the PC device layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them. The concrete operations of this step 3 are as follows (shown in Fig. 4):
(31) The communication unit of the behavior analysis module receives the parameters and return values of each sensitive API detected by the behavior tracking module and passes them to the data analysis unit.
(32) The data analysis unit first decapsulates them and, after obtaining the details of each iOS system key behavior, sends them to the security analysis unit.
(33) The security analysis unit analyzes and processes the detection results according to the iOS system key behaviors configured in the set rules: each kind of iOS system key behavior (including phone, SMS, url, photo album, contacts, geographic location, Bluetooth and so on) corresponds to its own security analysis unit, and the security analysis unit to which the key behavior belongs performs the corresponding processing.
Step 4, after the security analysis unit in the behavior analysis module completes the security analysis of the key behaviors, it sends the analysis results to the security risk report module, which stores them in a local file of a set format; at the same time it sends the analysis results to the user interface module, which displays them on different interfaces according to the different key behaviors.
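Steps (31) to (33) and step 4 as an added example (Python, not the patent's own code): decapsulation of the tracer's frames, dispatch of each record to the security analysis unit for its behavior type with the risk classes from the table above, and generation of the xml, html and consolidated reports. The behavior type names, the length-prefixed JSON frame format and the sample frames are constructed for the example. Captured values such as an SMS body are untrusted input from the monitored device, so the html report escapes them before they are placed in the page.

```python
import json
import struct
from html import escape
from xml.etree import ElementTree as ET

# Risk classes from the table on this page, keyed by assumed behavior type names.
RISK_CLASS = {"phone": 5, "sms": 5, "url": 5, "location": 4,
              "contacts": 4, "album": 4, "bluetooth": 3}

def read_frames(data):
    """Step (32): decapsulate a byte stream of length-prefixed JSON records."""
    offset = 0
    while offset + 4 <= len(data):
        (length,) = struct.unpack("!I", data[offset:offset + 4])
        body = data[offset + 4:offset + 4 + length]
        if len(body) < length:
            raise ValueError("truncated frame")
        yield json.loads(body.decode("utf-8"))
        offset += 4 + length

# Step (33): one security analysis unit per behavior, turning the raw parameters
# into the information the table lists for that behavior.
def analyze_phone(info):
    return {"number": info.get("number"), "state": info.get("return")}

def analyze_sms(info):
    return {"recipient": info.get("recipient"), "content": info.get("body")}

def analyze_url(info):
    return {"url": info.get("url"), "status": info.get("return")}

def analyze_generic(info):
    return dict(info)

ANALYZERS = {"phone": analyze_phone, "sms": analyze_sms, "url": analyze_url}

def analyze(records):
    """Dispatch each record to the unit its behavior belongs to. Behaviors outside
    the configured rules are kept and flagged rather than silently dropped."""
    findings = []
    for rec in records:
        behavior = rec.get("behavior")
        if behavior not in RISK_CLASS:
            findings.append({"behavior": "unknown", "risk": 0, "time": rec.get("time"),
                             "detail": {"raw": json.dumps(rec, sort_keys=True)}})
            continue
        unit = ANALYZERS.get(behavior, analyze_generic)
        findings.append({"behavior": behavior, "risk": RISK_CLASS[behavior],
                         "time": rec.get("time"), "detail": unit(rec.get("info", {}))})
    return findings

def xml_report(findings):
    root = ET.Element("report")
    for f in findings:
        node = ET.SubElement(root, "behavior", type=f["behavior"], risk=str(f["risk"]), time=str(f["time"]))
        for key, value in f["detail"].items():
            ET.SubElement(node, key).text = str(value)
    return ET.tostring(root, encoding="unicode")

def html_report(findings):
    """Every captured value is text chosen by the monitored app, so it is escaped."""
    rows = []
    for f in findings:
        detail = "; ".join(f"{k}={v}" for k, v in f["detail"].items())
        rows.append(f"<tr><td>{escape(f['behavior'])}</td><td>{f['risk']}</td>"
                    f"<td>{escape(str(f['time']))}</td><td>{escape(detail)}</td></tr>")
    return ("<html><body><table><tr><th>Behavior</th><th>Risk</th><th>Time</th><th>Detail</th></tr>"
            + "".join(rows) + "</table></body></html>")

def consolidated_summary(findings):
    """Counts per behavior and the highest risk class seen, for the consolidated report."""
    counts = {}
    for f in findings:
        counts[f["behavior"]] = counts.get(f["behavior"], 0) + 1
    return {"counts": counts, "max_risk": max((f["risk"] for f in findings), default=0)}

def sample_stream():
    """Constructed input: four frames as the tracer side would send them."""
    records = [
        {"behavior": "sms", "time": 1000.0,
         "info": {"recipient": "+10000000001", "body": "<script>alert(1)</script>", "return": 0}},
        {"behavior": "url", "time": 1001.0, "info": {"url": "http://example.invalid/", "return": 200}},
        {"behavior": "bluetooth", "time": 1002.0, "info": {"return": True}},
        {"behavior": "clipboard", "time": 1003.0, "info": {"return": None}},
    ]
    out = b""
    for r in records:
        payload = json.dumps(r, sort_keys=True).encode("utf-8")
        out += struct.pack("!I", len(payload)) + payload
    return out

if __name__ == "__main__":
    findings = analyze(read_frames(sample_stream()))
    print(xml_report(findings))
    print(consolidated_summary(findings))
```

The "unknown" finding is the extensibility point of advantage (C) seen from the PC side: a new hooked API shows up as an unclassified record until a rule and an analysis unit are added for it, instead of disappearing.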
The present invention has been tested in multiple simulated implementations; the test situation of the embodiment is briefly described below:
Organizations that evaluate or finally deploy software products do not understand the software's development process; although static detection methods can find potential threats in the software they use, the false alarm rate is high, and no judgment can be made while the software is running, which poses a great threat to the safe operation of these organizations. Using the detection device of the invention effectively solves this problem. The detection device monitors the running state of iOS system software in real time through the hook mechanism, captures system key behaviors at the first moment, then analyzes, audits and locates the captured key behaviors and generates a result report. Evaluation organizations and related units can judge the software directly and accurately from the generated result report.
Fig. 5 is a block diagram of the application flow of an embodiment of the detection device of the invention.
The test results of the simulated embodiment of the invention are successful, and the object of the invention has been achieved.

Claims (7)

1. the Apple Macintosh operating system iOS critical behavior pick-up unit based on hook, it is characterized in that: described device is the critical behavior of catching in real time iOS system by the application programming interface API of hook critical behavior (Application Programming Interface), for monitoring the setting critical behavior of apple terminal i OS system, obtain the information relevant to this critical behavior, and at service end real-time exhibition to user, or save as result form, audit and assessment for user; This device is by the behaviortrace module that is separately positioned on iOS terminating layer, and is positioned at PC mechanical floor, the Subscriber Interface Module SIM being linked in sequence, security risk reporting modules and behavioural analysis module totally four parts compositions; Wherein:
Behaviortrace module, for detecting in real time the setting critical behavior of setting apple terminal i OS system: first receive the beginning detection signal of being sent by the communication unit of behavioural analysis module, and caught in real time the setting critical behavior API that sets apple terminal i OS system by the hook unit in behavior tracing module, obtain parameter and the rreturn value of these API, encapsulate after these information according to setting form again, by web socket socket communication, the information having encapsulated is returned to behavioural analysis module and process;
Subscriber Interface Module SIM, is responsible for and customer interaction information: on the one hand accept user and detect the request of iOS default critical behavior, send commencing signal and critical behavior type to be detected then to behavioural analysis module; Receive on the other hand the system core behavioural information that security risk reporting modules is returned, and show to user;
Behavioural analysis module, for receiving and resolve the critical behavior information sending from apple terminal: the communication unit of this module receives after the type of detection from Subscriber Interface Module SIM, just beginning detection signal is sent to behaviortrace module, and by the return message of the behaviortrace module receiving, be transmitted to data analysis unit processing; Data analysis unit is first carried out " decapsulation " processing to the return message receiving, and obtains after result, sends this result to safety analysis unit and carries out after subsequent analysis, then be transmitted to security risk reporting modules;
Security risk reporting modules, is responsible for according to the analysis processing result of behavioural analysis module, the iOS system core behavioural information of discovery is integrated into one and comprises that xml and html set the result form of form, is stored in this locality, for user's examination & verification and analysis; Send the system core behavioural information of discovery to Subscriber Interface Module SIM, for showing user simultaneously.
2. The device according to claim 1, characterized in that the preset key behaviors of the iOS system that the device supports detecting comprise: phone calls, SMS messages, network connections, contacts access, photo album access, geolocation access, and Bluetooth state.
3. The device according to claim 2, characterized in that the information content of each preset key behavior is: for phone calls, the numbers of both parties, the call state and the call duration; for SMS, the numbers of the sender and receiver and the message content; for network connections, the URL (Uniform Resource Locator) field of the web address and the connection time; for geolocation, the name of the application accessing the location and the access time; for contacts access, the name of the application accessing the contacts and the access time; for photo album access, the name of the application accessing the album and the access time; for Bluetooth state, whether the Bluetooth state changed, the application that changed it, and the time of the change.
4. A detection method for the hook-based iOS system key behavior detection device, characterized in that the method comprises the following operation steps:
Step 1: the PC layer sets the detection parameters and detection scope: after the user sets, on the PC, the IP address and port number of the Apple device to be examined and the key behaviors to detect, the detection device begins operation;
Step 2: the behavior tracing module of the iOS terminal layer uses hook techniques to detect and extract the parameters and return values of each sensitive application programming interface (API), and sends them to the behavior analysis module of the PC layer;
Step 3: after the behavior analysis module of the PC layer receives the parameters and return values of each sensitive API, it classifies, processes and analyzes them;
Step 4: after the security analysis unit in the behavior analysis module completes the security analysis of the key behaviors, it sends the analysis results to the security risk reporting module, which stores them in a local file of set format; at the same time it sends the analysis results to the user interface module, which displays them on separate interfaces according to the different key behaviors.
5. The method according to claim 4, characterized in that in step 1 the iOS system key behaviors set for detection on the Apple device comprise: phone calls, SMS messages, network connections, contacts access, photo album access, geolocation access and Bluetooth state, wherein: for phone calls, the information is the numbers of both parties, the call state and the call duration; for SMS, the numbers of the sender and receiver and the message content; for network connections, the URL (Uniform Resource Locator) field of the web address and the connection time; for geolocation, the name of the application accessing the location and the access time; for contacts access, the name of the application accessing the contacts and the access time; for photo album access, the name of the application accessing the album and the access time; for Bluetooth state, whether the Bluetooth state changed, the application that changed it, and the time of the change.
6. The method according to claim 4, characterized in that step 2 comprises the following operations:
(21) according to the key behaviors set in step 1, the behavior tracing module writes the configuration file under the /Library/MobileSubstrate/DynamicLibraries/ directory, which is used to specify the scope of action of the dynamic link library (which processes it is loaded into);
(22) the behavior tracing module uses MobileLoader in the MobileSubstrate framework to inject the self-written dynamic link library into the designated programs, so that when these programs start, the dynamic link library is loaded into memory at the same time;
(23) when the API corresponding to a key behavior is triggered, MobileHooker in the MobileSubstrate framework replaces the original API with a self-written function;
(24) in these replacement functions, the API parameters and return values of each key behavior are extracted by keyword matching, and these parameters and return values are sent to the data processing unit;
(25) the data processing unit, according to the different key behaviors, uses a correspondingly different method to extract the information relevant to the key behavior from these parameters and return values;
(26) the data processing unit encapsulates the data with a correspondingly different encapsulation method for each type, and sends the encapsulated data to the communication unit;
(27) the communication unit sends the data encapsulated by the behavior tracing module to the behavior analysis module over socket communication.
7. The method according to claim 4, characterized in that step 3 comprises the following operations:
(31) the communication unit of the behavior analysis module receives the parameters and return values of each sensitive API detected by the behavior tracing module and passes them to the data analysis unit;
(32) the data analysis unit first decapsulates them, obtains the details of each iOS system key behavior, and then sends them to the security analysis unit;
(33) the security analysis unit analyzes and processes the detection results according to the iOS system key behaviors configured in the set rules: each kind of iOS system key behavior corresponds to its own security analysis unit, and the corresponding processing is carried out by the security analysis unit to which that key behavior belongs.
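As an added example, not code from the patent or its assignee, the Python below sketches the PC-side pipeline of claims 1 and 7 together with the encapsulation step of claim 6 (steps 25-27): a decapsulation step that tolerates malformed records, one security-analysis unit per behavior type, and both the XML and the HTML form of the result report. The line-delimited JSON wire format, the field names, the allow-list of expected apps and the risk rules are all assumptions made for this example; the patent only specifies "a set format" carried over a socket. The on-device hooking itself (MobileLoader injection and MobileHooker replacement, steps 21-24) needs a jailbroken device running MobileSubstrate and is not reproduced here.

```python
"""PC-side pipeline for hook-captured iOS key-behaviour records (added example).

Assumed wire format: one JSON object per line, {"type": <behaviour>, "fields": {...}}.
"""
import json
import xml.etree.ElementTree as ET
from html import escape

# Behaviour types listed in claims 2 and 5.
BEHAVIOUR_TYPES = ("phone", "sms", "network", "contacts", "photos", "location", "bluetooth")

# Illustrative allow-list of apps expected to touch each resource (assumption).
EXPECTED_APPS = {"contacts": {"Contacts"}, "photos": {"Photos"}, "location": {"Maps"}}


def encapsulate(behaviour, fields):
    """Device side (claim 6, steps 25-27): pack one captured call for the socket."""
    if behaviour not in BEHAVIOUR_TYPES:
        raise ValueError("unknown behaviour type: %s" % behaviour)
    return (json.dumps({"type": behaviour, "fields": dict(fields)}) + "\n").encode("utf-8")


def decapsulate(stream):
    """PC side (claim 7, step 32): split the byte stream back into records.
    The jailbroken device and the hooked apps are untrusted input, so malformed
    or unknown-type lines are dropped instead of being allowed to crash the analyser."""
    records = []
    for line in stream.decode("utf-8", errors="replace").splitlines():
        try:
            obj = json.loads(line)
        except ValueError:
            continue
        if (isinstance(obj, dict) and obj.get("type") in BEHAVIOUR_TYPES
                and isinstance(obj.get("fields"), dict)):
            records.append(obj)
    return records


# One security-analysis unit per behaviour type (claim 7, step 33).  The rules
# are placeholders chosen for this example; the patent does not define them.
def _network(f):
    url = str(f.get("url", ""))
    return ("high", "cleartext HTTP request") if url.startswith("http://") else ("info", "network connection")

def _sms(f):
    peer = str(f.get("peer", ""))
    if f.get("direction") == "out" and peer.isdigit() and len(peer) <= 6:
        return "high", "outbound SMS to a short code"
    return "info", "SMS activity"

def _phone(f):
    return ("medium", "outgoing call") if f.get("direction") == "out" else ("info", "incoming call")

def _bluetooth(f):
    return ("medium", "Bluetooth state changed by app") if f.get("changed") else ("info", "Bluetooth state read")

def _resource(kind):
    def unit(f):
        if str(f.get("app", "")) in EXPECTED_APPS[kind]:
            return "info", kind + " access by expected app"
        return "medium", kind + " access by third-party app"
    return unit

ANALYSIS_UNITS = {"network": _network, "sms": _sms, "phone": _phone, "bluetooth": _bluetooth,
                  "contacts": _resource("contacts"), "photos": _resource("photos"),
                  "location": _resource("location")}


def analyse(record):
    level, note = ANALYSIS_UNITS[record["type"]](record["fields"])
    return {"type": record["type"], "level": level, "note": note, "fields": record["fields"]}


def process_stream(stream):
    return [analyse(r) for r in decapsulate(stream)]


def report_xml(results):
    """Result report, XML form (claim 1).  ElementTree escapes text for us."""
    root = ET.Element("report")
    for r in results:
        item = ET.SubElement(root, "behaviour", type=r["type"], level=r["level"])
        ET.SubElement(item, "note").text = r["note"]
        for k, v in r["fields"].items():
            ET.SubElement(item, "field", name=str(k)).text = str(v)
    return ET.tostring(root, encoding="unicode")


def report_html(results):
    """Result report, HTML form (claim 1).  SMS bodies and URLs originate in the
    hooked apps, so every value is escaped before it reaches the analyst's viewer."""
    rows = ["<tr><th>behaviour</th><th>level</th><th>note</th><th>details</th></tr>"]
    for r in results:
        details = "; ".join("%s=%s" % (escape(str(k)), escape(str(v))) for k, v in r["fields"].items())
        rows.append("<tr><td>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>"
                    % (escape(r["type"]), escape(r["level"]), escape(r["note"]), details))
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample traffic in the assumed format, including two bad lines.
SAMPLE_STREAM = b"".join([
    encapsulate("network", {"url": "http://tracker.invalid/ping", "time": "2014-08-28 10:00:01"}),
    encapsulate("sms", {"peer": "12345", "direction": "out", "content": "<script>alert(1)</script>"}),
    encapsulate("location", {"app": "WeatherApp", "time": "2014-08-28 10:00:03"}),
    b'{"type": "phone", "fields": "not-a-dict"}\n',
    b"garbage\n",
])

if __name__ == "__main__":
    found = process_stream(SAMPLE_STREAM)
    print(report_xml(found))
    print(report_html(found))
```

Escaping every field before it reaches the HTML report is the check a practitioner wants here: the SMS bodies, URLs and application names in the report come from the monitored device, so an application under analysis could otherwise plant markup that runs in the analyst's browser when the report is opened.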
CN201410429756.8A 2014-08-28 2014-08-28 Hook-based iOS (iPhone operating system) key behavior detection device and detection method thereof Expired - Fee Related CN104182681B (en)

Publications (2)

Publication Number Publication Date
CN104182681A true CN104182681A (en) 2014-12-03
CN104182681B CN104182681B (en) 2017-05-03

Family

ID=51963713

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462973A (en) * 2014-12-18 2015-03-25 上海斐讯数据通信技术有限公司 System and method for detecting dynamic malicious behaviors of application program in mobile terminal
CN106506263A (en) * 2016-10-20 2017-03-15 广州爱九游信息技术有限公司 Application information obtains system, unit and method
CN107463359A (en) * 2016-06-02 2017-12-12 深圳市慧动创想科技有限公司 A kind of convenient method in iOS ipa bag code implants
CN107493299A (en) * 2017-09-20 2017-12-19 杭州安恒信息技术有限公司 A kind of user behavior source tracing method based on three-tier architecture
CN107665306A (en) * 2017-09-06 2018-02-06 武汉斗鱼网络科技有限公司 A kind of method, apparatus, client and server for detecting illegal file injection
CN107889089A (en) * 2017-11-09 2018-04-06 飞天诚信科技股份有限公司 A kind of mobile terminal and its method for handling blue-teeth data
CN109697338A (en) * 2018-12-10 2019-04-30 深圳市网心科技有限公司 A kind of software installation hold-up interception method and relevant apparatus

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102638617A (en) * 2012-03-30 2012-08-15 中国科学技术大学苏州研究院 Active response system based on intrusion detection for Android mobile phones
CN102810143A (en) * 2012-04-28 2012-12-05 天津大学 Safety detecting system and method based on mobile phone application program of Android platform
WO2013093011A1 (en) * 2011-12-23 2013-06-27 Deutsche Telekom Ag Monitoring user activity on smart mobile devices

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Manuel Egele: "Detecting Privacy Leaks in iOS Applications", NDSS *
William Enck: "An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones", Communications of the ACM *
Yajin Zhou: "Dissecting Android Malware: Characterization and Evolution", IEEE *

Legal Events

Code Title / Description
C06 / PB01 Publication
C10 / SE01 Entry into substantive examination (entry into force of request for substantive examination)
GR01 Patent grant
CB03 Change of inventor or designer information
  Inventor after: Sun Dawei
  Inventor before: Zhang Miao; Xu Guoai
TR01 Transfer of patent right
  Effective date of registration: 20220622
  Patentee after: Beijing Zhilian Anhang Technology Co.,Ltd., 336, floor 3, building 4, No. 44, North Third Ring Middle Road, Haidian District, Beijing 100088
  Patentee before: BEIJING SOFTSEC TECHNOLOGY Co.,Ltd., No. 21-413-2, No. 10, Xitucheng Road, Haidian District, Beijing 100876
CF01 Termination of patent right due to non-payment of annual fee
  Granted publication date: 20170503