CN104182681B - Hook-based iOS (iPhone operating system) key behavior detection device and detection method thereof - Google Patents


Info

Publication number: CN104182681B
Application number: CN201410429756.8A
Authority: CN (China)
Prior art keywords: behavior, module, information, critical, detection
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN104182681A (en)
Inventors: 张淼, 徐国爱
Current assignee: Beijing Zhilian Anhang Technology Co ltd
Original assignee: BEIJING SOFTSEC TECHNOLOGY Co Ltd

Application filed by BEIJING SOFTSEC TECHNOLOGY Co Ltd
Priority to CN201410429756.8A
Publication of CN104182681A
Application granted
Publication of CN104182681B
Current legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software


Abstract

Disclosed are a hook-based iOS (iPhone operating system) critical behavior detection device and its detection method. Critical behaviors of the iOS system are captured in real time by hooking the APIs (application programming interfaces) of those behaviors; the set critical behaviors of the iOS system on an iPhone terminal are monitored; information related to the critical behaviors is obtained; and that information is either displayed to the user on the server side or stored as a result report for the user to audit and assess. The device comprises a behavior tracking module located in the iOS terminal layer and, in the PC (personal computer) device layer, a user interface module, a security risk report module and a behavior analysis module connected in sequence. Its innovative advantages are that detection of critical system behaviors is timely and comprehensive, many kinds of critical system behaviors can be detected, extensibility is good, the device supports multiple operating systems, and several different detection reports can be produced for convenient consultation and analysis.

Description

Hook-based iOS system critical behavior detection device and method
Technical field
The present invention relates to techniques for detecting critical behaviors of the Apple mobile operating system iOS, and specifically to a hook-based iOS system critical behavior detection device and method; it belongs to the field of software security within information security.
Background art
At present there are few hook-based iOS critical behavior detection tools. The only open-source software in the prior art is Introspy. A brief introduction to Introspy-iOS: it is a tool for dynamically detecting software behavior on iOS and assessing software security. It has two parts, a behavior tracer and a behavior analyzer. The behavior tracer is installed on the iOS terminal and obtains the critical behaviors of designated software by hooking the application programming interfaces (APIs) of critical behaviors, which include encryption and decryption, IPC, data storage and network connections; it records these function calls and persists them in a database. The behavior analyzer is installed on a PC; it takes the database file generated by the tracer as input, processes it, and locally generates a result report in a specified format (such as xml or html) listing all the critical behaviors performed while the designated software ran.
At present little research has been done on iOS critical behavior detection, at home or abroad, and finished detection tools are extremely rare. There is only one iOS critical behavior detection method: sensitive file monitoring. Its basic idea is to read the sensitive database files and match their contents. Because all sensitive file databases in iOS are sqlite databases, they can be accessed like ordinary data files. The usual procedure of sensitive file monitoring is therefore: first read the content of a sensitive database (for example the SMS database), then re-read it after every set interval, match the newly read content against the previous read or result, obtain the latest file modifications, and judge whether a sensitive behavior has been triggered.
At present the only iOS critical behavior detection method is thus based on monitoring file operations. Although it can also capture critical system behaviors, its limitations are considerable. For example:
(1) Poor real-time detection: critical system behavior detection based on file monitoring is the most common method currently used for iOS. Its main idea is to continually compare the contents of sensitive files in order to judge critical system behaviors.
For example: by continuously reading the sms.db file under the /private/var/mobile/Library/SMS/ directory, determine whether new data has been written; if so, conclude that the system has sent or received an SMS message. But this method is not real-time: it cannot detect the result immediately after a message is sent or received.
(2) High cost and low efficiency: reading sensitive files involves several operations, such as reading and matching files, so the time and other costs are too high. If a file is large, detection efficiency drops sharply.
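The sensitive-file polling approach just described, written out as an added example (not code from the patent): a small sqlite3 monitor that re-reads a constructed stand-in for the SMS database on every poll and diffs it against the previous read. The table schema and sample rows are constructed for the example; the real sms.db layout is not given on the page. The rows_scanned counter makes the cost point concrete: every poll re-reads the whole table whether or not anything changed, and a message is only noticed at the next poll rather than at the moment it is sent or received.

```python
import sqlite3

# Constructed stand-in for the SMS database named on the page; the real sms.db
# schema is not given there, so only the columns this example needs are modelled.
SCHEMA = """
CREATE TABLE message (
    id INTEGER PRIMARY KEY,
    handle TEXT,
    text TEXT,
    is_from_me INTEGER,
    date INTEGER
);
"""


class SensitiveFileMonitor:
    """Sensitive-file monitoring as the background section describes it:
    re-read the whole sensitive database at each interval and compare it with
    the previous read to find what changed."""

    def __init__(self, conn):
        self.conn = conn
        self.seen = set()       # ids reported by earlier polls
        self.rows_scanned = 0   # cost counter: rows read over all polls

    def poll(self):
        """Full re-read of the table; returns the rows not seen before."""
        rows = self.conn.execute(
            "SELECT id, handle, text, is_from_me, date FROM message ORDER BY id"
        ).fetchall()
        self.rows_scanned += len(rows)
        new = [r for r in rows if r[0] not in self.seen]
        self.seen.update(r[0] for r in new)
        return new


def classify(row):
    """Translate a new row into the system behaviour it evidences."""
    _, handle, text, is_from_me, _ = row
    return ("sms_sent" if is_from_me else "sms_received", handle, text)


def simulate():
    """Run three polls against constructed activity and return the detected
    events together with the number of rows the monitor had to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    monitor = SensitiveFileMonitor(conn)
    monitor.poll()  # baseline read of the (empty) database

    # Constructed activity: one message received, one sent, between two polls.
    conn.executemany(
        "INSERT INTO message(handle, text, is_from_me, date) VALUES (?, ?, ?, ?)",
        [("+8613800000001", "hello", 0, 1), ("+8613800000002", "code 4821", 1, 2)],
    )
    conn.commit()
    events = [classify(r) for r in monitor.poll()]

    # A poll with no new activity still pays the cost of a full re-read.
    events += [classify(r) for r in monitor.poll()]
    return events, monitor.rows_scanned


if __name__ == "__main__":
    print(simulate())
```

Both messages are only reported by the poll that follows their insertion, and the third poll reads the full table again although nothing changed; on a real device the same loop would run against a file that grows with every message, which is the efficiency problem the next paragraph raises.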
At present there is a great deal of malware on the iOS platform. For example, in 2012 Kaspersky Lab discovered a malicious application named Find&Call which, without the user being able to notice, sends the user's address book and SMS content to a specified server. In 2014 Stefan Esser discovered the unflod malicious plugin, which obtains the user's AppID (application identification) and password and sends them to a given server. All such malware triggers critical system behaviors without the user's knowledge, such as covertly sending SMS messages, connecting to the network or making calls, and poses a serious threat to users' privacy and property. Researchers in the industry, at home and abroad, are therefore concerned with how to detect, while software runs under dynamic analysis, the critical behaviors of the Apple mobile operating system iOS that it triggers.
Summary of the invention
In view of this, the object of the present invention is to provide a hook-based iOS system critical behavior detection device and method. The invention can monitor in real time critical system behaviors such as phone calls, SMS, networking and geographic location: it intercepts, by hook techniques, the functions triggered by all critical system behaviors, obtains the relevant information about each critical behavior, sends it to the server, and then reports the detected system security risks to the user.
To achieve the above object, the invention provides a hook-based critical behavior detection device for the Apple mobile operating system iOS, characterised in that: the device captures critical iOS system behaviors in real time by hooking the application programming interfaces (APIs) of those behaviors, monitors the set critical behaviors of the iOS system on the Apple terminal, obtains information related to those set critical behaviors, and either displays it to the user in real time on the server side or saves it as a result report for the user to audit and assess. The device consists of four parts: a behavior tracking module located in the iOS terminal layer and, located in the PC device layer and connected in sequence, a user interface module, a security risk report module and a behavior analysis module. Wherein:
Behavior tracking module: detects in real time the set critical behaviors of the Apple terminal's iOS system. It first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracking module then captures in real time the APIs of the set critical behaviors of the iOS terminal, obtains the parameters and return values of these APIs, encapsulates this information in the set format, and returns the encapsulated information to the behavior analysis module over a network socket connection for processing.
User interface module: responsible for interacting with the user. On the one hand it receives the user's request to detect set critical behaviors of the iOS system and sends a start signal and the types of set critical behavior to be detected to the behavior analysis module; on the other hand it receives the iOS critical behavior information returned by the security risk report module and displays it to the user.
Behavior analysis module: receives and parses the set critical behavior information sent from the Apple terminal. After the module's communication unit receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracking module and forwards the information returned by the behavior tracking module to the data analysis unit for processing. The data analysis unit first "decapsulates" the received information; after obtaining the result it passes it to the safety analysis unit for further analysis, and the outcome is then relayed to the security risk report module.
Security risk report module: according to the analysis results of the behavior analysis module, integrates the discovered iOS critical behavior information into a result report in a set format, including xml and html, and stores it locally for the user to audit and analyse; at the same time it passes the discovered iOS critical behavior information to the user interface module for display to the user.
To achieve the above object, the invention also provides a detection method for the hook-based iOS system critical behavior detection device, characterised in that the method comprises the following operating steps:
Step 1, the PC terminal layer sets the detection parameters and detection range: after the user sets, on the PC terminal, the IP address and port number of the Apple terminal to be detected and the critical behaviors to detect, the detection device starts work;
Step 2, the behavior tracking module of the iOS terminal layer uses hook techniques to detect and extract the parameters and return values of each sensitive application programming interface (API) and sends them to the behavior analysis module of the PC device layer;
Step 3, after the behavior analysis module of the PC device layer receives the parameters and return values of each sensitive API, it classifies, processes and analyses them;
Step 4, after the safety analysis unit in the behavior analysis module completes the safety analysis of the critical behaviors, it sends the analysis results to the security risk report module, which stores them in a local file of the set format; at the same time the analysis results are sent to the user interface module and displayed on different interfaces according to the different critical behaviors.
The hook-based iOS system critical behavior detection device of the present invention can monitor the set critical behaviors of the iOS system on the Apple terminal, obtain information related to those behaviors, and either display it to the user in real time on the server side or save it as a report submitted to the user for audit and assessment. Its innovative advantages are as follows:
(A) Real-time detection of critical system behaviors: because the device's detection mechanism is based on hooks, its greatest advantage over other detection methods is real-time response. For example, as soon as the system's SMS behavior is triggered, the detection device of the invention detects it immediately and obtains the recipient, the sender and the message content. Compared with directly monitoring the SMS database, the device is more efficient and strongly real-time.
(B) Comprehensive detection of critical system behaviors: however a third-party application disguises itself, it must ultimately call the system's native APIs to perform a critical system behavior. All APIs hooked by the device of the invention are native system APIs, so the device's detection reaches deeper than other detection methods and the comprehensiveness of critical system behavior detection is ensured.
(C) Detection of many kinds of critical system behaviors, and extensibility: at present other tools support only specific behaviors; for example, Introspy can only detect file operations, http networking and the like. The device of the invention monitors the critical behaviors of the Apple mobile operating system iOS on the basis of hooks, and those hooks are built on the MobileSubstrate framework: once the API that triggers a critical behavior has been identified, MobileHooker can capture that critical iOS behavior, so the corresponding API can be added according to user needs and support for more critical iOS behaviors added. At present the invention supports detection of more than five classes of critical system behavior; in particular, detection of the phone's SMS behavior is something no other current tool can achieve. The device can also continually add new critical system behaviors as detection targets.
(D) Support for multiple operating systems: compared with other software security tools, the device of the invention can perform real-time detection of all critical system behaviors on Apple terminals running iOS 6 and above.
(E) Diverse detection reports: after detecting critical iOS behaviors, the device can automatically generate detection reports in html and xml formats, which are easy to archive; when needed it can also generate a comprehensive report of the detection results for convenient overall consultation and analysis.
In short, the invention has good prospects for popularisation and application.
Description of the drawings
Fig. 1 is a structural diagram of the hook-based critical behavior detection device for the Apple mobile operating system iOS of the present invention.
Fig. 2 is a flow chart of the operating steps of the detection method of the hook-based iOS critical behavior detection device of the present invention.
Fig. 3 is a flow chart of the operating steps of the behavior tracking module in the iOS critical behavior detection device of the present invention.
Fig. 4 is a flow chart of the operating steps of the behavior analysis module in the iOS critical behavior detection device of the present invention.
Fig. 5 is a flow chart of the operating steps of an embodiment of the iOS critical behavior detection device of the present invention.
Specific embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments.
The hook-based iOS system critical behavior detection device of the invention captures critical iOS system behaviors in real time by hooking the application programming interfaces (APIs) of those behaviors, monitors the set critical behaviors of the Apple terminal's iOS system, extracts the information related to those behaviors, and forwards it to the PC front-end server side, where it is displayed to the user in real time or turned into a result report for the user to audit and analyse.
At present, the set critical behaviors of the iOS system that the detection device of the invention supports detecting are shown in the following table:

| Behavior | Behavior information | Risk level |
|---|---|---|
| Phone call | Numbers of both parties, call state and call duration | 5 |
| SMS | Numbers of sender and recipient and the message content | 5 |
| URL connection | Web page address (URL field) and connection time | 5 |
| Geographic location | Name of the application accessing the location and the access time | 4 |
| Address book | Name of the application accessing the address book and the access time | 4 |
| Photo album | Name of the application accessing the photo album and the access time | 4 |
| Bluetooth | Whether the Bluetooth state changed, the application that changed it and the time of the change | 3 |
Referring to Fig. 1, the structure of the iOS system critical behavior detection device of the invention is introduced. It comprises four parts: a behavior tracking module located in the iOS terminal layer and, located in the PC device layer and connected in sequence, a user interface module, a security risk report module and a behavior analysis module. Wherein:
Behavior tracking module: its function is to detect in real time the set critical behaviors of the Apple terminal's iOS system. It first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit in the behavior tracking module then captures in real time the APIs of the set critical behaviors of the iOS terminal, obtains the parameters and return values of these APIs, encapsulates this information in the set format, and returns the encapsulated information to the behavior analysis module over a network socket connection for processing.
User interface module: its function is to interact with the user. On the one hand it receives the user's request to detect set critical behaviors of the iOS system and sends a start signal and the types of critical behavior to be detected to the behavior analysis module; on the other hand it receives the critical system behavior information returned by the security risk report module and displays it to the user.
Behavior analysis module: its function is to receive and parse the critical behavior information sent from the Apple terminal. After the module's communication unit receives the detection types from the user interface module, it sends the start-detection signal to the behavior tracking module and forwards the information returned by the behavior tracking module to the data analysis unit for processing. The data analysis unit first "decapsulates" the received information; after obtaining the result it passes it to the safety analysis unit for further analysis, and the outcome is then relayed to the security risk report module.
Security risk report module: its function is to integrate, according to the analysis results of the behavior analysis module, the discovered critical iOS behavior information into a result report in a set format, including xml and html, and store it locally for the user to audit and analyse; at the same time it passes the discovered critical system behavior information to the user interface module for display to the user.
Referring to Fig. 2, the specific operating steps of the detection method of the hook-based iOS system critical behavior detection device of the invention are introduced:
Step 1, the PC terminal layer sets the detection parameters and detection range: after the user, through the "Settings" option on the PC terminal, configures the IP address and port number of the Apple terminal to be detected and the critical behaviors to detect, the detection device starts work.
In this step, the critical iOS behaviors of the Apple terminal that need detecting are those shown in the table above and are not repeated here.
Step 2, the behavior tracking module of the iOS terminal layer uses hook techniques to detect and extract the parameters and return values of each sensitive application programming interface (API) and sends them to the behavior analysis module of the PC device layer. The operation of step 2 is as follows (see Fig. 3):
(21) The behavior tracking module writes the critical behaviors set in step 1 into the configuration file under the /Library/MobileSubstrate/DynamicLibraries/ directory, which specifies the scope in which the dynamic link library takes effect.
(22) Using the MobileLoader of the MobileSubstrate framework, the behavior tracking module injects the self-written dynamic link library into the set programs, so that when these programs start, the dynamic link library is loaded into memory along with them.
(23) When an API corresponding to a critical behavior is triggered, the MobileHooker of the MobileSubstrate framework replaces the original API with the self-written function.
(24) In these replacement functions, the parameters and return value of each critical behavior's API are extracted by keyword matching and sent to the data processing unit.
(25) The data processing unit extracts the information related to the critical behavior from these parameters and return values, using a different method for each kind of critical behavior.
(26) The data processing unit packs the data using the packing method corresponding to each type and sends the packed data to the communication unit.
(27) The communication unit of the behavior tracking module sends the packed data to the behavior analysis module over a socket connection.
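Sub-steps (21), (24) and (26) as an added example, not the patent's own code and written in Python so it can be run on the PC side: it generates the MobileSubstrate filter plist that restricts where the dynamic library is injected (Filter/Bundles is the framework's own filter key; the bundle identifiers here are illustrative placeholders), picks the relevant arguments of a hooked call by keyword matching, and packs the result into a length-prefixed JSON frame for the socket. The behaviour-to-bundle mapping, the keyword table, the argument names and the wire format are all assumptions, since the page specifies none of them.

```python
import json
import plistlib
import struct
import time

# Assumed mapping from each critical behaviour to the bundle identifiers of the
# processes whose APIs trigger it; the page names the behaviours but not the
# bundles, so these identifiers are placeholders.
BEHAVIOR_BUNDLES = {
    "sms":   ["com.example.sms-app"],
    "phone": ["com.example.phone-app"],
    "url":   ["com.example.browser-app"],
}


def build_filter_plist(behaviors):
    """Return the bytes of a MobileSubstrate filter plist (the file placed
    under /Library/MobileSubstrate/DynamicLibraries/ in sub-step 21). Its
    Filter/Bundles list limits injection of the dynamic library to the
    processes that can trigger the selected behaviours."""
    bundles = sorted({b for name in behaviors for b in BEHAVIOR_BUNDLES[name]})
    return plistlib.dumps({"Filter": {"Bundles": bundles}})


def filter_bundles(plist_bytes):
    """Read the bundle list back out of a filter plist."""
    return plistlib.loads(plist_bytes)["Filter"]["Bundles"]


# Keywords used to pick the relevant arguments out of a hooked call
# (sub-step 24); the argument names are assumptions.
KEYWORDS = {
    "sms":   ("recipient", "sender", "text"),
    "phone": ("number", "state", "duration"),
    "url":   ("url",),
}


def extract(behavior, args, ret):
    """Keep only the arguments whose names contain one of the behaviour's
    keywords, plus the call's return value (sub-steps 24 and 25)."""
    wanted = KEYWORDS[behavior]
    picked = {k: v for k, v in args.items()
              if any(kw in k.lower() for kw in wanted)}
    picked["return"] = ret
    return picked


def encapsulate(behavior, api, args, ret, ts=None):
    """Pack one captured call into the assumed wire format toward the PC:
    a 4-byte big-endian length followed by a UTF-8 JSON body (sub-step 26)."""
    body = json.dumps({
        "behavior": behavior,
        "api": api,
        "time": int(time.time()) if ts is None else ts,
        "data": extract(behavior, args, ret),
    }, ensure_ascii=False, sort_keys=True).encode("utf-8")
    return struct.pack(">I", len(body)) + body


def frame_body(frame):
    """Unpack a single frame; used to check the round trip."""
    (n,) = struct.unpack(">I", frame[:4])
    return json.loads(frame[4:4 + n].decode("utf-8"))


if __name__ == "__main__":
    print(build_filter_plist(["sms", "phone"]).decode("utf-8"))
    frame = encapsulate("sms", "sms send API (placeholder name)",
                        {"recipient": "+8613800000001", "text": "hello",
                         "delegate": "<object>"}, True, ts=1)
    print(frame_body(frame))
```

The length prefix is what makes sub-step (27) robust: the communication unit can sock.sendall() each frame as produced and the receiver can split a TCP byte stream back into events without guessing where one JSON body ends. Keeping the filter list tight is also a safety measure: the dynamic library is only loaded into the processes named in the plist, not into every process on the device.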
Step 3, after the behavior analysis module of the PC device layer receives the parameters and return values of each sensitive API, it classifies, processes and analyses them. The specific operation of step 3 is as follows (see Fig. 4):
(31) The communication unit of the behavior analysis module receives the parameters and return values of each sensitive API detected by the behavior tracking module and passes them to the data analysis unit.
(32) The data analysis unit first decapsulates the data to obtain the details of each critical iOS behavior, then passes them to the safety analysis unit.
(33) The safety analysis unit analyses and processes the detection results according to the critical iOS behaviors configured in the set rules: each kind of critical iOS behavior (including phone, SMS, url, photo album, address book, geographic location, Bluetooth, etc.) corresponds to its own safety analysis unit, and the unit to which the critical behavior belongs performs the corresponding processing.
Step 4, after the safety analysis unit in the behavior analysis module completes the safety analysis of the critical behaviors, it sends the analysis results to the security risk report module, which stores them in a local file of the set format; at the same time the analysis results are sent to the user interface module and displayed on different interfaces according to the different critical behaviors.
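Steps 3 and 4 on the PC side as an added example, not the patent's code: it decapsulates a byte stream of length-prefixed JSON frames (the wire format assumed here, since the page does not specify one), dispatches each event to a per-behaviour safety analysis unit as sub-step (33) describes, attaches the risk level from the behaviour table above, and produces the xml and html reports of step 4. The sample stream, including a deliberately incomplete trailing frame, is constructed, and the api names in it are placeholders.

```python
import html
import json
import struct
import xml.etree.ElementTree as ET

# Risk levels from the page's behaviour table.
RISK = {"phone": 5, "sms": 5, "url": 5, "location": 4,
        "contacts": 4, "album": 4, "bluetooth": 3}


def decapsulate(stream):
    """Split a byte stream of frames (assumed format: 4-byte big-endian length
    followed by a UTF-8 JSON body) into event dicts (sub-step 32). Bytes of a
    frame that has not fully arrived are returned as the leftover."""
    events, pos = [], 0
    while len(stream) - pos >= 4:
        (n,) = struct.unpack(">I", stream[pos:pos + 4])
        if len(stream) - pos - 4 < n:
            break
        events.append(json.loads(stream[pos + 4:pos + 4 + n].decode("utf-8")))
        pos += 4 + n
    return events, stream[pos:]


# One safety analysis unit per behaviour (sub-step 33); each reduces the raw
# arguments to the information the page's table lists for that behaviour.
def analyze_sms(d):
    return {"peer": d.get("recipient") or d.get("sender"), "content": d.get("text")}


def analyze_phone(d):
    return {"peer": d.get("number"), "state": d.get("state"), "duration": d.get("duration")}


def analyze_url(d):
    return {"url": d.get("url")}


UNITS = {"sms": analyze_sms, "phone": analyze_phone, "url": analyze_url}


def analyze(event):
    """Dispatch an event to the unit its behaviour belongs to and attach the
    risk level; behaviours without a dedicated unit pass their data through."""
    unit = UNITS.get(event["behavior"], dict)
    return {"behavior": event["behavior"], "api": event["api"], "time": event["time"],
            "risk": RISK.get(event["behavior"], 0), "info": unit(event["data"])}


def xml_report(results):
    """Step 4's xml result report."""
    root = ET.Element("report")
    for r in results:
        e = ET.SubElement(root, "behavior", type=r["behavior"], risk=str(r["risk"]),
                          api=r["api"], time=str(r["time"]))
        for k, v in r["info"].items():
            ET.SubElement(e, k).text = "" if v is None else str(v)
    return ET.tostring(root, encoding="unicode")


def html_report(results):
    """Step 4's html result report. Every captured value is escaped: message
    text and URLs come from the monitored device and must not be able to
    inject markup into the report that the auditor opens."""
    rows = "".join(
        "<tr><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>" % (
            html.escape(r["behavior"]), r["risk"], html.escape(r["api"]),
            html.escape(json.dumps(r["info"], ensure_ascii=False)))
        for r in results)
    return ("<table><tr><th>behavior</th><th>risk</th><th>api</th><th>info</th></tr>"
            + rows + "</table>")


def _frame(obj):
    body = json.dumps(obj).encode("utf-8")
    return struct.pack(">I", len(body)) + body


# Constructed sample traffic: two complete frames and the first bytes of a third.
SAMPLE_STREAM = (
    _frame({"behavior": "sms", "api": "sms send API (placeholder name)", "time": 1,
            "data": {"recipient": "+8613800000001", "text": "<b>hi</b>", "return": True}})
    + _frame({"behavior": "url", "api": "url load API (placeholder name)", "time": 2,
              "data": {"url": "http://example.invalid/x", "return": None}})
    + b"\x00\x00\x00\x10abc"
)


def run_sample():
    """Decapsulate the sample stream and analyse every complete event."""
    events, _leftover = decapsulate(SAMPLE_STREAM)
    return [analyze(e) for e in events]


if __name__ == "__main__":
    print(xml_report(run_sample()))
    print(html_report(run_sample()))
```

The leftover bytes returned by decapsulate() are what the communication unit keeps and prepends to the next socket read, so a frame split across two reads is reassembled rather than dropped; the escaping in html_report() matters because a report that renders attacker-chosen SMS text unescaped would turn the auditor's browser into the next target.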
The inventors have carried out several simulated implementation tests; the test situation of the embodiment is briefly described as follows:
Evaluation agencies and the units that finally deploy software products do not know the software's development process. Although static detection methods can find potential threats in the software they use, the false-positive rate is high and such methods cannot judge the software while it runs, which poses a great threat to the safe operation of these units. The detection device of the invention can solve this problem effectively: it monitors the running state of iOS software in real time through the hook mechanism, captures critical system behaviors the moment they occur, then analyses, audits and locates the captured critical behaviors and generates a result report. Through the generated result report, evaluation agencies and the relevant units can judge the software directly and accurately.
Fig. 5 is a block diagram of the application flow of one embodiment of the detection device of the invention.
The results of the simulated embodiment tests of the invention were successful, and the object of the invention is achieved.

Claims (7)

1. A hook-based critical behavior detection device for Apple's iOS operating system, characterized in that: the device captures in real time, by hooking the application programming interface (API) calls of critical behaviors, the critical behaviors of the iOS system, so as to monitor the set critical behaviors of an Apple iOS terminal, obtain the information related to those set critical behaviors, and either display it to the user in real time at the service end or save it as a result report for the user to audit and assess; the device consists of four parts: a behavior tracing module located at the iOS terminal layer, and, located at the PC layer and connected in sequence, a user interface module, a security risk reporting module and a behavior analysis module; wherein:
The behavior tracing module is used to detect in real time the set critical behaviors of the Apple iOS terminal: it first receives the start-detection signal sent by the communication unit of the behavior analysis module; the hook unit inside the behavior tracing module then captures in real time the APIs of the set critical behaviors of the Apple iOS terminal and obtains the parameters and return values of those APIs; after encapsulating this information in a set format, it returns the encapsulated information to the behavior analysis module over network socket communication for processing;
The user interface module is responsible for interacting with the user: on the one hand it receives the user's request to detect the set critical behaviors of the iOS system and sends a start signal and the types of critical behavior to be detected to the behavior analysis module; on the other hand it receives the set critical behavior information of the iOS system returned by the security risk reporting module and displays it to the user;
The behavior analysis module is used to receive and parse the set critical behavior information sent from the Apple terminal: once the communication unit of the module has received the detection type from the user interface module, it sends the start-detection signal to the behavior tracing module and forwards the return information received from the behavior tracing module to the data analysis unit for processing; the data analysis unit first "decapsulates" the received return information and, after obtaining the result, sends it to the safety analysis unit for subsequent analysis, after which it is relayed to the security risk reporting module;
The security risk reporting module is responsible for integrating, according to the analysis results of the behavior analysis module, the discovered set critical behavior information of the iOS system into a result report in a set format, including XML and HTML, and storing it locally for the user to audit and analyze; at the same time it transmits the discovered set critical behavior information of the iOS system to the user interface module for display to the user.
2. The device according to claim 1, characterized in that: the set critical behaviors of the iOS system that the device supports detecting include: phone calls, SMS messages, network connections, address book access, photo album access, geographic location access and Bluetooth state.
3. The device according to claim 2, characterized in that: the information content of the set critical behaviors is: the phone information is the numbers of both parties to the call, the call state and the call duration; the SMS information is the numbers of both the sender and the receiver and the message content; the network connection information is the web address (URL, Uniform Resource Locator) field and the connection time; the geographic location information is the name of the application accessing the location and the access time; the address book access information is the name of the application accessing the address book and the access time; the photo album access information is the name of the application accessing the photo album and the access time; and the Bluetooth state information is whether the Bluetooth state changed, the application that changed the Bluetooth state and the time of the change.
4. A detection method of the hook-based iOS system critical behavior detection device, characterized in that: the method includes the following operation steps:
Step 1, the PC layer sets the detection parameters and detection scope: after the user sets, on the PC, the IP address and port number of the Apple terminal to be detected and its critical behaviors, the detection device starts work;
Step 2, the behavior tracing module of the iOS terminal layer uses hook technology to detect and extract the parameters and return value of each sensitive application programming interface (API) and sends them to the behavior analysis module of the PC layer;
Step 3, after the behavior analysis module of the PC layer receives the parameters and return value of each sensitive API, it performs classified processing and analysis;
Step 4, after the safety analysis unit in the behavior analysis module completes the safety analysis of the critical behaviors, the analysis results are transmitted to the security risk reporting module and stored in a local file of the set format; at the same time the analysis results are sent to the user interface module and displayed on different interfaces according to the different critical behaviors.
5. The method according to claim 4, characterized in that: in step 1, the set iOS system critical behaviors of the Apple terminal to be detected include: phone calls, SMS messages, network connections, address book access, photo album access, geographic location access and Bluetooth state; wherein the phone information is the numbers of both parties to the call, the call state and the call duration; the SMS information is the numbers of both the sender and the receiver and the message content; the network connection information is the web address (URL, Uniform Resource Locator) field and the connection time; the geographic location information is the name of the application accessing the location and the access time; the address book access information is the name of the application accessing the address book and the access time; the photo album access information is the name of the application accessing the photo album and the access time; and the Bluetooth state information is whether the Bluetooth state changed, the application that changed the Bluetooth state and the time of the change.
6. The method according to claim 4, characterized in that: step 2 includes the following operation content:
(21) the behavior tracing module writes the critical behaviors set in step 1 into the configuration file under the /Library/MobileSubstrate/DynamicLibraries/ directory, which specifies the scope of effect of the dynamic link library;
(22) the behavior tracing module uses the MobileLoader of the MobileSubstrate framework to inject the self-written dynamic link library into the set programs, so that when those programs are launched the dynamic link library is loaded into memory along with them;
(23) after the API corresponding to a critical behavior is triggered, the MobileHooker of the MobileSubstrate framework replaces the original API with the self-written function;
(24) in these replacement functions, the API parameters and return value of each critical behavior are extracted by keyword matching, and these parameters and return values are sent to the data processing unit;
(25) the data processing unit extracts, from these parameters and return values, the information related to each critical behavior, using a different corresponding method for each critical behavior;
(26) the data processing unit applies a correspondingly different data encapsulation method to each type and sends the encapsulated data to the communication unit;
(27) the communication unit of the behavior tracing module sends the encapsulated data to the behavior analysis module using socket communication.
7. The method according to claim 4, characterized in that: step 3 includes the following operation content:
(31) the communication unit of the behavior analysis module receives the parameters and return value of each sensitive API detected by the behavior tracing module and sends them to the data analysis unit;
(32) the data analysis unit first decapsulates them, obtains the details of each iOS system critical behavior, and then passes them to the safety analysis unit;
(33) the safety analysis unit analyzes and processes the detection results according to the iOS system critical behaviors configured in the set rules: each kind of operation among the iOS system critical behaviors corresponds to its own safety analysis unit, and the safety analysis unit to which the critical behavior belongs carries out the corresponding processing.
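The PC-side behavior analysis module of claims 4 and 7, carrying the per-behavior details of claim 3, as an added Python example that is not part of the patent: it decapsulates constructed hook records (the line-per-record JSON wire format, the field names and the risk rules are all assumptions of the example), routes each record to an analysis rule for its behavior type, keeps an unknown type as "unclassified" rather than dropping it, and emits the XML form of the result report.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample of the encapsulated records the hook layer sends over the
# socket, one JSON object per line; wire format and field names are assumptions.
SAMPLE_RECORDS = """
{"type": "phone", "data": {"caller": "13800000001", "callee": "13800000002", "state": "connected", "duration": 42}}
{"type": "sms", "data": {"from": "10086", "to": "13800000001", "content": "your code is 123456"}}
{"type": "network", "data": {"url": "http://upload.example.invalid/api", "time": "2014-08-28 10:00:01"}}
{"type": "contacts", "data": {"app": "com.example.game", "time": "2014-08-28 10:00:05"}}
{"type": "bluetooth", "data": {"changed": true, "app": "com.example.game", "time": "2014-08-28 10:00:07"}}
{"type": "keychain", "data": {}}
"""

# Details kept per critical behavior, following claim 3 (contacts, photo album
# and location share one shape: accessing application and access time).
FIELDS = {"phone": ("caller", "callee", "state", "duration"),
          "sms": ("from", "to", "content"), "network": ("url", "time"),
          "contacts": ("app", "time"), "album": ("app", "time"),
          "location": ("app", "time"), "bluetooth": ("changed", "app", "time")}

# One safety-analysis rule per behavior (step 33); the rules are assumptions,
# the patent only says each behavior type has its own analysis unit.
RULES = {"sms": lambda d: "high" if "code" in d.get("content", "").lower() else "info",
         "network": lambda d: "medium" if d.get("url", "").startswith("http://") else "info",
         "contacts": lambda d: "medium", "album": lambda d: "medium",
         "location": lambda d: "medium", "bluetooth": lambda d: "low" if d.get("changed") else "info"}

def decapsulate(raw):  # step 32: recover one record per non-empty line
    return [json.loads(line) for line in raw.splitlines() if line.strip()]

def analyse(raw):  # step 33: route each record to the unit for its behavior type
    results = []
    for rec in decapsulate(raw):
        kind, data = rec["type"], rec.get("data", {})
        if kind not in FIELDS:  # unknown type is kept but marked unclassified
            results.append({"type": kind, "risk": "unclassified"})
            continue
        details = {f: str(data.get(f, "")) for f in FIELDS[kind]}
        results.append({"type": kind, "risk": RULES.get(kind, lambda d: "info")(data), **details})
    return results

def to_xml(results):  # step 4: the XML form of the result report, as a string
    root = ET.Element("report")
    for r in results:
        node = ET.SubElement(root, "behavior", type=r["type"], risk=r["risk"])
        for key, value in r.items():
            if key not in ("type", "risk"):
                ET.SubElement(node, key).text = value
    return ET.tostring(root, encoding="unicode")
```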
Application CN201410429756.8A, priority date 2014-08-28, filing date 2014-08-28: Hook-based iOS (iPhone operating system) key behavior detection device and detection method thereof. Status: Expired - Fee Related. Granted publication: CN104182681B (en).

Publications (2)

Publication Number Publication Date
CN104182681A (en) 2014-12-03
CN104182681B (en) 2017-05-03

Family

ID=51963713

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462973B (en) * 2014-12-18 2017-11-14 上海斐讯数据通信技术有限公司 The dynamic malicious act detecting system and method for application program in mobile terminal
CN107463359A (en) * 2016-06-02 2017-12-12 深圳市慧动创想科技有限公司 A kind of convenient method in iOS ipa bag code implants
CN106506263B (en) * 2016-10-20 2020-03-20 广州爱九游信息技术有限公司 Application information acquisition system, device, apparatus and method
CN107665306B (en) * 2017-09-06 2019-12-03 武汉斗鱼网络科技有限公司 A kind of method, apparatus, client and the server of the injection of detection illegal file
CN107493299A (en) * 2017-09-20 2017-12-19 杭州安恒信息技术有限公司 A kind of user behavior source tracing method based on three-tier architecture
CN107889089B (en) * 2017-11-09 2020-06-02 飞天诚信科技股份有限公司 Mobile terminal and method for processing Bluetooth data
CN109697338A (en) * 2018-12-10 2019-04-30 深圳市网心科技有限公司 A kind of software installation hold-up interception method and relevant apparatus

Citations (3)

Publication number Priority date Publication date Assignee Title
CN102638617A (en) * 2012-03-30 2012-08-15 中国科学技术大学苏州研究院 Active response system based on intrusion detection for Android mobile phones
CN102810143A (en) * 2012-04-28 2012-12-05 天津大学 Safety detecting system and method based on mobile phone application program of Android platform
WO2013093011A1 (en) * 2011-12-23 2013-06-27 Deutsche Telekom Ag Monitoring user activity on smart mobile devices

Non-Patent Citations (3)

Title
An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones; William Enck; Communications of the ACM; 2014-03-31; pp. 99-106 *
Detecting Privacy Leaks in iOS Applications; Manuel Egele; NDSS; 2011-12-31; full text *
Dissecting Android Malware: Characterization and Evolution; Yajin Zhou; IEEE; 2012-12-31; pp. 95-109 *

Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CB03 Change of inventor or designer information
    Inventor after: Sun Dawei
    Inventor before: Zhang Miao; Xu Guoai
TR01 Transfer of patent right
    Effective date of registration: 20220622
    Patentee after: Beijing Zhilian Anhang Technology Co.,Ltd. (336, floor 3, building 4, No. 44, North Third Ring Middle Road, Haidian District, Beijing 100088)
    Patentee before: BEIJING SOFTSEC TECHNOLOGY Co.,Ltd. (No. 21-413-2, No. 10, Xitucheng Road, Haidian District, Beijing 100876)
CF01 Termination of patent right due to non-payment of annual fee
    Granted publication date: 20170503