CN104376255B

CN104376255B - Application program running control method and device

Info

Publication number: CN104376255B
Application number: CN201410715416.1A
Authority: CN
Inventors: 杨威; 李常坤
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Current assignee: Beijing Qihoo Technology Co Ltd
Priority date: 2014-11-28
Filing date: 2014-11-28
Publication date: 2017-05-24
Anticipated expiration: 2034-11-28
Also published as: CN104376255A

Abstract

The invention relates to an application program running control method. The method is characterized by comprising the steps that reflection calling is conducted on an installation package so as to load a target application program implemented by the installation package, wherein the package name of the installation package is the same as that of a host application program, and the installation package serves as a supplementary resource of the host application program; a monitoring module is called by the host application program to monitor activities of the target application program; when the monitoring module monitors that the target application program needs to call a non-matched resource, resource references of related call instructions are redirected so that a correct resource can be provided for running of the target application program. Preferably, the installation package, subjected to reflection calling by the host application program, of the target application program belongs to an installed resource file of the host application program. Correspondingly, the invention further provides an application program running control device. By the adoption of the application program running control method and device, a sandbox operating environment guaranteeing normal running of the target application program can be provided for the target application program, and the security of a system can be ensured.

Description

Application program progress control method and device

Technical field

The present invention relates to security of computer software technical field, more particularly to a kind of application program progress control method and phase The device answered.

Background technology

Sandbox is a kind of performing environment according to security strategy limiting program behavior, is practically applicable to various behaviour extensively at present In making system.By taking Android as an example, some application programs are special for the purpose realized outside application program inherent function needs It is not commercial object, random application system authority obtains privacy of user data, performs network access, keep device activity, send Short message behavior etc..It is light then privacy of user leaking data may be caused, or occupying system resources, it is heavy then may be detained by malice Take, product placement, consumption rate, fraud inveigle etc., user is suffered a loss.Therefore, the execution ring for being provided by sandbox technology Border, is managed by sandbox to the resource of system, authority, allows application program to be run in the sandbox, the access elder generation of application program Examined by security strategy through sandbox, thus, formed a kind of isolation operational effect relative to system in itself, can be effectively The safety of protection system.For security strategy used in sandbox, adapting to a variety of operating systems has different details Consider that the ABC that these relevant technologies are realized is grasped by those skilled in the art, does not repeat for this reason.

There are various examples to realize sandbox technology at present.In these examples, on the one hand, sandbox technology is for compatible market Various applications, typically only by limiting the security strategy of sandbox, control the executable resource of the application and realize.However, Security fields, the technical merit of attacking and defending both sides is shifting, traditional sandbox only by limitation security strategy, is difficult to sometimes Guarantee to reach desired purpose, it is necessary to by means of new departure of richer technology content.On the other hand, sandbox technology is often It is related to system bottom to operate, and in the operating system of the Unix systems such as with Android as representative, itself there is strict power Limit management, so, just causes on the premise of Root mandates are not obtained, it is difficult to go to construct sandbox using sandbox technology.Can be only Path is warded off, goes to realize exempting from the sandbox environment under Root environment, however, in this case, often causing more many Technology barrier, these obstacles are depending on the specific implementation of sandbox.

In currently available technology, Root sandboxs are exempted from for this, despite the presence of theoretical possible, have no ripe case.But, Analysis more than is as can be seen that a kind of safer sandbox technology will be realized based on Root environment is exempted from, it is necessary to reference to its tool Body technique principle is come the specific configuration for considering its own and the reconstruct that considers when necessary to related application so that weight Application program after structure among keeping relatively independent sandbox, journey can be applied by this with seamless operation in system is had been based on Operation of the sequence in sandbox, realizes due security control effect.

The content of the invention

The first object of the present invention is to provide a kind of safety operation of applied program control method, to ensure to exempt from Root sandboxs The safe operation of configured application program in environment.

The second object of the present invention is to provide a kind of application program operation for being suitable to run the method described in the first purpose Control device.

To realize the purpose of the present invention, the present invention is adopted the following technical scheme that：

A kind of application program progress control method of the invention, comprises the following steps：

The installation kit as the subsidiary resource of host application for having identical bag name with host application is called in reflection, To load the destination application that the installation kit is realized；

Monitoring module is called by host application, the activity to destination application is monitored；

When monitoring destination application and needing to call the resource not matched, the resource for redirecting related call instruction is drawn With providing correct resource with the operation for the destination application.

Preferably, the installation kit of the destination application that the host application reflection is called, belongs to host and applies journey The installation resource file of sequence.

Preferably, when calling loaded targets application program using reflection, by the installation resource to host application Call and meet destination application resource access.

Preferably, the host application with the configuration file of the installation kit to system registry.

The monitoring module is registered as service processes, with calling for Hook Function associated objects application program active process Instruct to realize the activity monitoring to the destination application.

The resource not matched include because destination application do not install but called by reflection caused by be considered as wrong The resource for accessing by mistake.

The resource not matched includes the resource in system resource and the installation kit.

The system resource corresponds to the instruction of notifications column and animation switching command, monitors destination application process When accessing such system resource, null value is returned to it to shield its call instruction.

When destination application calls the resource in the installation kit, it is corresponding call instruction to use reflection method of calling It is redirected to the correct resource in the installation kit.

Preferably, when monitoring destination application and carrying out unwarranted access, being returned to related call instruction Define data.

Preferably, in the resource file and/or dynamic library file of the host program and the intended application installation kit Corresponding document is identical.

A kind of application program operating control device of the invention, it includes：

Call unit, reflection call with host application have identical bag name as the subsidiary resource of host application Installation kit, to load the destination application that the installation kit is realized；

Monitoring module, is configured as being called by host application, and the activity to destination application is monitored；

Processing unit, when monitor destination application need call the resource not matched when, redirect correlation call finger The quoting resource of order, correct resource is provided with the operation for the destination application.

Compared to prior art, the present invention at least has the following advantages that：

1st, remove to load the destination application that there is identical bag name with host application by reflection call-by mechanism, due to There is identical bag name with host application, in android system, can make movable component and serviced component set up with The proper communication of ActivityManagerService, can make movable component, serviced component and broadcast component etc., smoothly quilt again PackageManagerService is recognized, reduced in the prior art about the error rate of shell adding application program operation exception.

2nd, by being set up in host application between the destination application of former installation kit and sandbox running environment Communication so that the active procedure of destination application can be monitored further by the monitoring module of sandbox running environment, from And to its applicable security strategy, and quoting resource redirection etc. is carried out to it, it is ensured that destination application can be applied by host Program normal load simultaneously keeps safe operation.

3rd, because host application and destination application have used identical bag name, it is not necessary to be to be reflected the mesh that calls Each component (Activity, Service, Receiver) for marking application program individually constructs principal function entrance (ActivityThread.main) program that the PackageManagerService brought by bag name is verified, need not also be considered Implementation complexity problem, so as to greatly improve program operational efficiency.

The additional aspect of the present invention and advantage will be set forth in part in the description, and these will become from the following description Obtain substantially, or recognized by practice of the invention.

Brief description of the drawings

The above-mentioned and/or additional aspect of the present invention and advantage will become from the following description of the accompanying drawings of embodiments Substantially and be readily appreciated that, wherein：

Fig. 1 is the process principle figure of application program collocation method of the invention；

Fig. 2 is the schematic diagram of application program configuration device of the invention；

Fig. 3 is the process principle figure of application program progress control method of the invention；

Fig. 4 is the schematic diagram of application program operating control device of the invention.

Specific embodiment

Embodiments of the invention are described below in detail, the example of the embodiment is shown in the drawings, wherein from start to finish Same or similar label represents same or similar element or the element with same or like function.Below with reference to attached It is exemplary to scheme the embodiment of description, is only used for explaining the present invention, and is not construed as limiting the claims.

Those skilled in the art of the present technique are appreciated that unless expressly stated, singulative " " used herein, " one It is individual ", " described " and " being somebody's turn to do " may also comprise plural form.It is to be further understood that what is used in specification of the invention arranges Diction " including " refer to the presence of the feature, integer, step, operation, element and/or component, but it is not excluded that in the presence of or addition One or more other features, integer, step, operation, element, component and/or their group.It should be understood that when we claim unit Part is " connected " or during " coupled " to another element, and it can be directly connected or coupled to other elements, or can also exist Intermediary element.Additionally, " connection " used herein or " coupling " can include wireless connection or wireless coupling.It is used herein to arrange Diction "and/or" includes one or more associated wholes or any cell of listing item and all combines.

Those skilled in the art of the present technique are appreciated that unless otherwise defined, all terms used herein (including technology art Language and scientific terminology), with art of the present invention in those of ordinary skill general understanding identical meaning.Should also Understand, those terms defined in such as general dictionary, it should be understood that with the context with prior art The consistent meaning of meaning, and unless by specific definitions as here, will not otherwise use idealization or excessively formal implication To explain.

Those skilled in the art of the present technique are appreciated that " terminal " used herein above, " terminal device " both include wireless communication The equipment of number receiver, the equipment of its wireless signal receiver for only possessing non-emissive ability, and including receiving and transmitting hardware Equipment, its have can on bidirectional communication link, perform two-way communication reception and transmitting hardware equipment.This equipment Can include：Honeycomb or other communication equipments, it has single line display or multi-line display or is shown without multi-line The honeycomb of device or other communication equipments；PCS (Personal Communications Service, PCS Personal Communications System), it can With combine voice, data processing, fax and/or its communication ability；PDA (Personal Digital Assistant, it is personal Digital assistants), it can include radio frequency receiver, pager, the Internet/intranet access, web browser, notepad, day Go through and/or GPS (Global Positioning System, global positioning system) receiver；Conventional laptop and/or palm Type computer or other equipment, its have and/or conventional laptop and/or palmtop computer including radio frequency receiver or its His equipment." terminal " used herein above, " terminal device " they can be portable, can transport, installed in the vehicles (aviation, Sea-freight and/or land) in, or be suitable for and/or be configured in local runtime, and/or with distribution form, operate in the earth And/or any other position operation in space." terminal " used herein above, " terminal device " can also be communication terminal, on Network termination, music/video playback terminal, for example, can be PDA, MID (Mobile Internet Device, mobile Internet Equipment) and/or the equipment such as mobile phone, or intelligent television, Set Top Box with music/video playing function.

Those skilled in the art of the present technique are appreciated that server used herein above, high in the clouds, remote network devices etc. are general Read, with effects equivalent, it includes but is not limited to computer, network host, single network server, multiple webserver collection Or the cloud that multiple servers are constituted.Here, cloud is taken by a large amount of computers based on cloud computing (Cloud Computing) or network Business device is constituted, wherein, cloud computing is one kind of Distributed Calculation, and be made up of the computer collection of a group loose couplings is super Virtual machine.In embodiments of the invention, can be by any logical between remote network devices, terminal device and WNS servers Letter mode realizes communication, including but not limited to, mobile communication based on 3GPP, LTE, WIMAX, based on TCP/IP, udp protocol Computer network communication and the low coverage wireless transmission method based on bluetooth, Infrared Transmission standard.

It will be appreciated by those skilled in the art that " application ", " application program ", " application software " and class alleged by the present invention It is the same concept well known to those skilled in the art like the concept of statement, refers to be instructed by series of computation machine and related data The computer software for being suitable to electronics operation of the organic construction of resource.Unless specified, programming language is not received in this name in itself Species, rank, the operating system or platform of operation of also not rely by it are limited.In the nature of things, this genus is not also appointed The terminal of what form is limited.

The application scenarios that the following a kind of application program collocation method that will be described of the invention and device are implemented, are to install The running environment based on Android operation system on mobile terminals.

In order to illustrate implementation of the invention, the present invention attempts to be carried out with reference to static and two aspects of dynamic of computer program Description, so-called static aspect refers to that program installation kit, file, database are stored in the storage object of medium；So-called dynamic side Face, refers to the dynamic object for being transferred and being performed in internal memory, including but not limited to process, thread, used data etc..In view of These features of computer software technology, should not by it is of the present invention and each method, step, sub-step, device, unit, Module etc., is interpreted as only static or only dynamic aspect in isolation, and those skilled in the art should be known this.So, ability Field technique personnel should be corresponded to dynamic Process Movement according to the present invention about static statement, or foundation The present invention corresponds to its static form of expression about dynamic Process Movement, it is established that static and certainty of both dynamic Association, understands the present invention based on this.

Those skilled in the art it is to be understood that the present invention based on exempt from Root carry power and proposes, however, carry power operation It is that the rights management that android system is implemented is controlled, the present invention is also applied to the Android behaviour that Root puies forward power of course In making system.

The present invention proposed based on sandbox principle, so, those skilled in the art are able to combine known sandbox reality Show principle to understand implementation of the invention.The effect of sandbox is the running environment of the offer relative closure for destination application, Application program is accessed the resource of system, by the application of sandbox security strategy, and be limited within the scope of regulation.Cause And, essence of the invention is that providing a kind of sandbox example, to be realized in terms of two, first aspect is to provide construction target should With the solution of program, second aspect is to provide corresponding with the former runs control program.The two aspects can be integrated In realizing software to a sandbox, destination application is processed using the realization of its first aspect, so using its The realization of two aspects, the sandbox running environment of safety is provided for destination application.

In view of this, application program collocation method of the invention, major embodiment sandbox example in a first aspect, for processing The destination application of corresponding sandbox running environment is adapted to, in one example as shown in fig.l, the method includes following step Suddenly：

S11, the parsing application program original installation kit, obtain its internal file.

Application program designated herein, i.e., alleged above destination application.Because the present invention is based on exempting from Root demands And propose, according to the intrinsic principles of Android, the destination application is generally the third-party application that user voluntarily installs.

The present invention can realize the installation control to third-party application by adapter erector.Specifically, Ke Yiyou User is downloaded by the sandboxed application that the present invention is provided and installs the third-party application and obtain the former installation kit, or Person, also can obtain corresponding installation package file by the sandboxed application from/data/app.For having filled application, can this hair It is bright be disposed after, induction user unloads old application, installs new opplication.

The means of the former installation kit of application program are parsed, is well known to those skilled in the art.Installation kit APK file essence On be using ZIP compress technique combination signature technology realization compressed package, therefore, on the one hand it can be discharged by decompression technique Internal file, on the other hand can also obtain its internal file (its generation in this case by the tool software of Apktool etc Code file can be reversed .smali files).Those skilled in the art can be given using these known technologies at one consummately Determine to process former installation kit in catalogue, so as to obtain inside therein by way of internal memory operation (non-file operation) File.

The internal file of Android installation kits, refering to shown in following table：

The file structure of table 1APK file internals

The present invention can obtain appended catalogue and text in table by parsing the former installation kit of the destination application Part, on this basis, with reference to realization as the shell adding installation kit of host application, refers to later step.

The shell adding installation kit of former installation kit described in S12, construction set and the internal file.

Hereinafter the internal file first with reference to needed for 1 pair of present invention construction shell adding installation kit of table is introduced.

In the various internal files for belonging to installation kit listed by table 1, MATA-INF catalogues are after being packed to alternative document Sign and generate, therefore, when being subsequently generated shell adding installation kit, have the signature of shell adding installation kit itself and produce identical mesh Directory structures and file, so the respective directories structure and file of former installation kit will not be placed into shell adding installation kit.

Res catalogue and its resource that includes down, be the resource for needing in destination application running to quote, target should Can operationally be conducted interviews by ID with program.Therefore, it is possible to reference to program realize difficulty consider, and consider whether by Part resource file therein is inserted in follow-up shell adding installation kit.The present embodiment pays close attention to home icon file therein for example Icon.png files, this document is the home icon file of destination application, during the installation kit normal mounting of destination application, In desktop the icon file can be shown as its shortcut icon.In the present embodiment, the pattern to the icon carries out local modification, example As added a tapered end pattern for its pattern lower right corner, the icon with specific markers is become, and by amended icon file As the icon file of shell adding installation kit, deposit in shell adding installation kit res under catalogue.Thus, after shell adding installation kit is installed, User the program can be carried out sandbox protection by the cognition of its icon.It is of course also possible to consider by res its under catalogue Its resource file is introduced as the internal file of construction shell adding installation kit, but when subsequent reflection calls the destination application, Quoting resource redirection need to be carried out, so that intended application can normally refer to correct resource.

Assets catalogue be used to deposit the resource file of broad sense, such as installation package file, font file etc. are incompressible File, can access the resource in the catalogue by path.In the present embodiment, not by the assets of former installation kit catalogue File is introduced, be in order to reduce the volume of shell adding installation kit, shell adding installation kit assets in catalogue, storage will be reflected The former installation kit of the destination application for calling.

Resources.arsc files are mainly the index set up to the application program pointed by installation kit, in the present embodiment In the file of the same name of former installation kit is also used not in shell adding installation kit.

Lib file under catalogue, mainly deposit .so dynamic library files, the dynamic library file of the former installation kit whether by Assemble together in shell adding installation kit, similarly, can be taken in reference to program implementation complexity, select on demand.

Androidmanifest.xml files, are more important global configuration files in installation kit, and it is responsible for system Four big components of android system are registered, and to system application authority etc..In shell adding installation kit, add as needs The important internal file for entering shell adding installation kit is accounted for, and being incorporated into shell adding with the copy completely the same with former installation kit installs Bao Zhong.The file of the same name of former installation kit is due to the Androidmanifest.xml files in shell adding installation kit, its bag famous prime minister Together, thus shell adding installation kit is in systems after installation and operation host application, noted to system with Androidmanifest.xml Each component of volume and application system authority, the entrance of each component is just established with this, makes the reflected intended application journey called Each component of sequence can be called by ActivityManagerService, without being each component construction ActivityThread and the corresponding LoadedApk objects of offer, save the program realization link of operation context environmental.Together Reason, reflection call caused by PackageManagerService to major components whether the problem of lawful registration, also by because The registration of Androidmanifest.xml and be overcome.

Classes.dex is the code file (binary code executable file) in installation kit.In the present invention, will be by The file of the same name of pre-structured is replaced, but the file of the same name is aggregated in the shell adding installation kit together with alternative document.This The there is provided classes.dex of invention, is implanted with load-on module stub (), by the load-on module, can further start one Monitoring module, the monitoring module is used to monitor the active procedure of the reflected whole destination application for calling, therefore, it is general first Loaded in the destination application.The monitoring module is the implementor of sandbox running environment, is responsible for realizing both sides Function, on the one hand the access by monitoring objective application program to resource, redirects to quoting resource, makes intended application journey Sequence process can realize the normal reference to correct resource.Specifically, if related resource is to be reflected call former to install The resource of bag, then call the resource of the former installation kit for quoting by reflecting call-by mechanism, realizes redirecting.If system is provided Source or the installation resource of sensing host application, then can allow its acquiescence to quote and ensure its normal adduction relationship.If It is I/O operation, it is also possible to thereby redirect.On the other hand by access of the monitoring objective application program to system resource, For example whether request sends short message, determine whether that it is operated according to security strategy, this implementation is this when not allowing During behavior, self-defining data can be returned to related call instruction, for example, null value be returned to, so that it is guaranteed that some illegal behaviour can be prevented Make.The technology of the monitoring module is realized, using Hook technologies, the entrance of related call instruction carried out using Hook Function Monitoring, intercepts and captures this call instruction, turns to and performs corresponding Hook Function, is answered according to sandbox inherent logic by the Hook Function The call instruction is answered, so as to reach foregoing purpose.

Need exist for supplement be：Term " hook " is covered for by intercepting the function transmitted between component software Call, message or event come change or increase operating system, the technology of the behavior of application program or other software component.And locate The code for managing this intercepted function call, event or message is thus referred to as hook hook functions.Hook is generally used for various Target, including function is debugged and function is extended.Its example can be included in keyboard or mouse event is delivered to Them are intercepted before application program, or hooking system service call (system call) or system function behavior, function are performed Result etc., to monitor or change the function etc. of application program or other assemblies.The present embodiment can use hook hook functions Take over installation self checking operation required when the application program is run.

After getting out above-mentioned internal file and former installation kit, the present invention is further by above-mentioned selected internal file and original Installation kit is packed, and row is signed again after packing, that is, complete the construction of the shell adding installation kit, and former installation kit is installed positioned at shell adding The assets of bag in catalogue, the subsidiary resource as shell adding installation kit.Further the shell adding can be installed by next step to install Bag, so as to install host application.

File in view of the shell adding installation kit for being generated will be greater than former installation kit, the present invention and then shell adding can be installed Code file in bag is compressed, and generates compressed file and for reducing the additional text that the compressed file is code file Part, this compression process is similarly suitable for the former installation kit.As long as according to inverse algorithm during subsequent installation, using attached Add file is reduced to the compressed file in internal memory, you can realize host application and destination application normal Operation.Through the installation kit of overcompression, its increment is even less than zero close to zero, therefore efficiency is higher.

S13, the shell adding installation kit is installed.

As it was previously stated, one of implement scene of the invention, does not obtain Root authority, therefore, in this scene, can not pass through The present invention realizes installation of mourning in silence.In this case, the present invention, to start installation interface, is referred to preferentially by calling system erector Lead the installation that user completes the shell adding installation kit.

According to the modularized thoughts of computer program, the present invention and then can be carried according to above-mentioned application program collocation method For a kind of application program configuration device, specifically incorporated by reference to Fig. 2 and refering to as described below.

Application program configuration device of the invention, is made up of, respectively acquiring unit 11, structural unit 12 and installation unit 13 The function that unit is realized is as follows：

Described acquiring unit 11, for parsing the application program original installation kit, obtains its internal file.

The means of the former installation kit of application program are parsed, is well known to those skilled in the art.Installation kit APK file essence On be using ZIP compress technique combination signature technology realization compressed package, therefore, on the one hand it can be discharged by decompression technique Internal file, on the other hand can also obtain its internal file (its generation in this case by the tool software of Apktool etc Code file can be reversed .smali files).Those skilled in the art can be given using these known technologies at one consummately Determine to process former installation kit in catalogue, so as to obtain internal file therein.It is emphasized that the present invention is alleged obtaining Its internal file, recommendation is obtained in the way of known internal memory operation, rather than refers to file operation.

The internal file of Android installation kits, similarly refering to table 1.The present invention is by parsing the destination application Former installation kit, can obtain appended catalogue and file in table 1, on this basis, with reference to realizing as host application Shell adding installation kit, refers to the explanation of structural unit.

Described structural unit 12, for the shell adding installation kit of former installation kit described in construction set and the internal file.

Res catalogue and its resource that includes down, be the resource for needing in destination application running to quote, target should Can operationally be conducted interviews by ID with program.Therefore, it is possible to reference to program realize difficulty consider, and consider whether by Part resource file therein is inserted in follow-up shell adding installation kit.The present embodiment pays close attention to home icon file icon.png therein File, this document is the home icon file of destination application, during the installation kit normal mounting of destination application, can be in desktop Show the icon file as its shortcut icon.In the present embodiment, the pattern to the icon carries out local modification, for example, its figure The sample lower right corner adds a tapered end pattern, becomes the icon with specific markers, and using amended icon file as shell adding The icon file of installation kit, deposit in shell adding installation kit res under catalogue.Thus, after shell adding installation kit is installed, user can be with By the cognition of its icon, the program is carried out sandbox protection.It is of course also possible to consider by res other resources text under catalogue Part is introduced as the internal file of construction shell adding installation kit, but when subsequent reflection calls the destination application, need to be provided Source is quoted and is redirected, so that intended application can normally refer to correct resource.

After getting out above-mentioned internal file and former installation kit, the present invention is further by above-mentioned selected internal file and original Installation kit is packed, and row is signed again after packing, that is, complete the construction of the shell adding installation kit, and former installation kit is installed positioned at shell adding The assets of bag in catalogue, the subsidiary resource as shell adding installation kit.Further the shell adding can be installed by next installation unit Installation kit, so as to install host application.

Described installation unit 13, for installing the shell adding installation kit.

After installing the shell adding installation kit, the file in Androidmanifest.xml therein just completes the note to system Volume, the bag name that host application is used is the bag name of destination application, and both have uniformity, therefore host applies journey The component of the destination application that sequence can find reflected calling and run by ActivityManagerService enters Mouthful, also, the component of destination application can also pass through the examination of system PackageManagerService, program reality Existing difficulty subtracts greatly, and the operational efficiency of application program will also be greatly improved.

To embody the second aspect of sandbox example of the present invention, the present invention and then a kind of application program operation controlling party of offer Method, the method is mainly used in embodying the running of the host application, and to intended application journey in its running The load operating process of sequence.Those skilled in the art are it is to be understood that according to sandbox realization principle, progress control method of the invention The operation of host application and destination application for controlling collocation method of the invention to be constructed, therefore, the present invention Progress control method implement details, the instantiation that the host application need to be adapted to certainly does adaptability Matching, therefore, many variation instances derived from above-mentioned collocation method cause the adaptability of the progress control method to be adjusted of course It is whole, and these adjustment means are also of course for those skilled in the art to be known.

Refering to Fig. 3, application program progress control method of the invention specifically includes following steps：

S21, reflection call the peace as the subsidiary resource of host application for having identical bag name with host application Dress bag, to load the destination application that the installation kit is realized.

Understood with reference to the description previously with regard to application program collocation method, host application is to refer to the shell adding installation kit Program after installation, and the installation kit be refer to deposit in shell adding installation kit assets application program under catalogue is former installs Bag.After installation, the installation kit of the destination application that host application reflection is called belongs to the installation of host application Resource file.The installation kit is called in reflection, that is, mean to run the destination application.

Reflex mechanism of the present invention can be Java reflex mechanisms, Java reflex mechanisms be in running status, For any one class, all properties and method of this class can be known；For any one object, it can be called Any one method；The function of the method for this dynamic access information and dynamic call object is the reflection of JAVA language Mechanism.

The present invention recommend an example in, the host application by find first its installation after by it The installation kit APK file that assets is carried, is then gone in execution APK by an Agent components (Activity) Activity, so as to realize calling the reflection of destination application.Host application is implemented reflection and is called firstly the need of logical Cross Classloader to realize, realized particular by DexClassLoader ().Realized using this Classloader to peace Calling for movable component in dress bag is means that those skilled in the art are grasped, is not repeated for this reason.When program is realized, by one Individual Proxy methods allow the execution of host application adapter destination application, once by after adapter, destination application All of execution is realized by proxy, and Context also becomes the Context of host program.Host application is in fact It is exactly individual ghost, it is that former installation kit apk is loaded into the inside of oneself to go to perform.In this case, although host applies Program has used the Androidmanifest.xml of destination application to system registry, due to operation context environmental Context may be different, it would still be possible to can cause the difficulty that resource is accessed occur, even can find that installation kit can not be accessed sometimes In resource situation.And this difficult degree, depending on aforementioned applications collocation method in, be constructed into shell adding application program In resource number.Howsoever, those skilled in the art can be overcome by the follow-up mode for disclosing.

The operation of destination application is involved in the reference to resource, though the disposal skill of this reference is this area skill Art personnel known, but also more numerous and diverse, therefore the present invention will aid in those skilled in the art's fast understanding by example as far as possible Some examples provided by the present invention.

Really, if the destination application resource to be accessed is registered to system by mounted host application In, such as previously described home icon file, then its reference to resource will very directly, by host application The resource that destination application is met by the calling of installation resource is accessed.In addition, then need to add some extra considerations.

If because construction shell adding installation kit causes the Context of host application can not be normal by destination application Access, it may be considered that improve this problem, resource is borrowed to former installation kit.Because destination application installation kit APK does not pacify Dress, therefore cannot just go to obtain the resource in APK, such as picture, text etc. by the Context of host application.APK exists The context that the context used during operation is host application is loaded, is that cannot obtain certainly with others' Context Oneself resource.It follows that host application is in addition to each component in wanting energy loading application programs, to be also to apply journey Sequence construct it needed for running environment.

Android application programs during operation, be by one be referred to as AssetsManager explorers come Reading is packaged in the resource file inside APK file.Each Activity component of application program associates one ContextImpl objects, this ContextImpl object is exactly the operation context environmental for describing activity components 's.The member function init of this ContextImpl object is called to perform initialization Activity assembly operating context rings The work in border, wherein just including creating the Resources objects and AssetsManager objects for access application resource Work.Wherein, ContextImpl.init functions are just defined on file f rameworks/base/core/java/ In android/app/ContextImpl.java.What the parameter packageInfo in ContextImpl.init functions was pointed to It is a loadedApk object, this loadedApk object factory is the current Apk started belonging to component.With visiting Ask Resources pairs of application resource as if pass through pointed by call parameters packageInfo to be a loadedApk The member function getResources of object is created.It follows that in order to create Resources objects, to extract or visit Application resource is asked, if the need for for the resource accessed in installation kit Apk, the present embodiment can also be respectively in applying One loadedAPK object of each component construction.

Similarly, the configuration of specific shell adding installation kit is adapted to, as needed, it may be considered that to resource Resources classes Member variable mResource, mAssets in constructed fuction modify, and pass through described with when each component is started MResource, mAssets transfer corresponding resource.

Similarly, it is also contemplated that the AssetsPath functions in explorer AssetsManager are modified, change Rear AssetsPath functions point to the resource file (be often referred to assets) in the destination application installation kit, The resource is obtained to transfer the AssetsPath functions by the AssetsManager when each component is started Corresponding resource in file.

Wherein, the constructed fuction of Resources classes is defined on file f rameworks/base/core/java/ In android/content/res/Resources.java.Because the constructed fuction of Resources classes is by parameter assets institutes The AssetManager object for pointing to is stored in member variable mAssets, i.e. mAssets=assets so that The constructed fuction of Resources classes can be by mAssets come the resource of access application.Therefore, the present embodiment can pass through Member variable mAssets in resources-type constructed fuction is modified to realize transferring application program institute by mAssets The resource for needing.Really, above-mentioned implementation is also adopted by reflex mechanism to realize.

Certainly, the present embodiment can also be modified to the AssetsPath functions in explorer AssetsManager, The application resource file road specified such as is added by the member function addAssetsPath of AssetsManager objects Footpath is (such as：Path is /data/app/com.qihoo.box-1.apk) in AssetsPath functions.Due to AddAssetsPath be hide API we cannot directly invoke, so can only be realized by reflex mechanism.

As previously described, in addition it is also necessary to Classloader is realized in load-on module, loading the corresponding loading in each component Class.Can realize in the following way：A kind of mode is the path column being added to the path of the application program in Classloader In table pathList, construction searches the Classloader of loading classes according to the application path；Another way is that class is added The member variable carried in device is modified, and construction looks for the Classloader of loading classes with super first.Due to being moved using Classloader The technology of state loading application programs has been well known to those skilled in the art, therefore only provides exemplary illustration herein, does not repeat for this reason.

S22, monitoring module is called by host application, the activity to destination application is monitored.

As a sandbox example, in destination application is run on sandbox running environment, generally by the loading Module is called prior to the reflection of the destination application and preferentially calls a monitoring module.This monitoring module is institute above The monitoring module of title.

As it was previously stated, the monitoring module is the core implementor of sandbox running environment, it is responsible for realizing both sides function, On the one hand by access of the monitoring objective application program to resource, quoting resource is redirected, enters destination application Journey can realize the normal reference to correct resource.Specifically, if related resource is to be reflected the former installation kit that calls Resource, then call the resource of the former installation kit for quoting by reflecting call-by mechanism, realizes redirecting.If system resource or Person points to the installation resource of host application, then its acquiescence can be allowed to quote and ensure its normal adduction relationship.If I/O Operation, it is also possible to thereby redirect.For example, drawing of carrying out of the resource of the above-mentioned installation kit about to destination application With can both be realized by the modification to above-mentioned AssetsManager, it is also possible to specifically call the tool of resource by monitoring Body call instruction, is realized using Hook technologies.On the other hand by access of the monitoring objective application program to system resource, example Such as whether request sends short message, determine whether that its is operated according to security strategy, when not allowing this row of this implementation For when, can to related call instruction return self-defining data, null value is for example returned to, so that it is guaranteed that some illegal behaviour can be prevented Make.The monitoring module is registered as service processes, with the call instruction of Hook Function associated objects application program active process To realize the activity monitoring to the destination application.The monitoring module is entered using Hook Function to related call instruction Mouth point is monitored that intercept and capture this call instruction, steering performs corresponding Hook Function, by the Hook Function according to sandbox itself Logic carrys out the response call instruction, so as to reach foregoing purpose.It is related to treatment of the monitoring module for surveillance operation, especially It is security control aspect, will below provides more specifically example and illustrate.

S23, when monitoring destination application and needing to call the resource not matched, redirect the money of related call instruction Source is quoted, and correct resource is provided with the operation for the destination application.

The resource not matched designated herein, should not limit to and be interpreted as being configured in host application shell adding installation kit Res and assets resource, it is thus understood that resource and system resource including the resource including the two catalogues, and target Application program original installation kit inside including res, assets including all resources that may be called by process.It is especially right Resource in destination application original installation kit, because not being mounted, when related call instruction is implemented to call to it, generally Abuse can be erroneously interpreted as.

The alleged quoting resource for redirecting related call instruction, is primarily referred to as in destination application process running The redirection of realization, be included in may occur in the process running by Hook Function using AssetsManager's Member variable and the resource re-orientation processes to former installation kit realized, be included in process running may occur to institute The redirection directly to fixed number value of the reference of resource in former installation kit is stated, if not being subject to this intervention, in the installation kit Individual resources may be included in process running due to the abuse of the process can be erroneously interpreted as without installation It is middle may occur to informing service (NotificationManager) and animation function (OverridePendingTransition) the shielding processing called (returns to null value using Hook Function to its call instruction ), and the re-orientation processes of the call instruction including the access to resource without permission (can be such as empty to its return The self-defining data of value, spurious numerical etc) etc..So, " redirection " designated herein should be the understanding of broad sense, refer to according to All realized logic according to sandbox and conclude ensure the safe practice means realized based on Hook Function that process is normally run.

As can be seen that by application program progress control method of the invention, can normally be adjusted by host application With destination application and ensure the normal operation of destination application.

Accordingly, Fig. 4 is referred to, is aided with the present invention further provides a kind of device and is realized a kind of application program operation control Device, it includes call unit 21, monitoring module 22 and processing unit 23.

Described call unit 21, has being applied as host for identical bag name for reflecting to call with host application The installation kit of the subsidiary resource of program, to load the destination application that the installation kit is realized.

Similarly, reflex mechanism of the present invention can be Java reflex mechanisms, and Java reflex mechanisms are in operation shape In state, for any one class, all properties and method of this class can be known；For any one object, can Call its any one method；The function of the method for this dynamic access information and dynamic call object is JAVA language Reflex mechanism.

The present invention recommend an example in, the host application by find first its installation after by it The installation kit APK file that assets is carried, is then gone in execution APK by an Agent components (Activity) Activity, so as to realize calling the reflection of destination application.Host application is implemented reflection and is called firstly the need of logical Cross Classloader to realize, realized particular by DexClassLoader ().Realized to work using this Classloader The technology called of dynamic component is grasped by those skilled in the art, is not repeated for this reason.When program is realized, can be by a Proxy Method allows the execution of host application adapter destination application, once after by adapter, destination application is all of Perform and realized by proxy, and Context also becomes the Context of host program.Host application is exactly in fact individual Ghost, it is that former installation kit apk is loaded into the inside of oneself to go to perform.In this case, although host application Through the Androidmanifest.xml using destination application to system registry, because operation context environmental context can Can be different, it would still be possible to can cause the difficulty that resource is accessed occur, even can find that the resource in installation kit can not be accessed sometimes Situation.And this difficult degree, depending on aforementioned applications collocation method in, be constructed into the resource in shell adding application program Number.Howsoever, those skilled in the art can be overcome by the follow-up mode for disclosing.

Really, if the destination application resource to be accessed is registered to system by mounted host application In, such as previously described icon, then its reference to resource will very directly, by the money of installation to host application The resource that destination application is met by the calling of source is accessed.In addition, then need to add some extra considerations.

Described monitoring module 22, is configured as being loaded by host application, and the activity to destination application is carried out Monitoring.

As a sandbox example, in destination application is run on sandbox running environment, generally by the loading Module is called prior to the reflection of the destination application and preferentially calls a monitoring module 22.Before this monitoring module 22 is Monitoring module 22 alleged by text.

As it was previously stated, the monitoring module 22 is the core implementor of sandbox running environment, it is responsible for realizing both sides work( Can, on the one hand the access by monitoring objective application program to resource, redirects to quoting resource, makes destination application Process can realize the normal reference to correct resource.Specifically, if related resource is to be reflected the former installation kit that calls Resource, then call the resource of the former installation kit for quoting by reflecting call-by mechanism, realize redirecting.If system resource Or the installation resource of sensing host application, then its acquiescence can be allowed to quote and to ensure its normal adduction relationship.If I/O operation, it is also possible to thereby redirect.For example, what the resource of the above-mentioned installation kit about to destination application was carried out Quote, can both be realized by the modification to above-mentioned AssetsManager, it is also possible to which resource is specifically called by monitoring Specific call instruction, is realized using Hook technologies.On the other hand by access of the monitoring objective application program to system resource, For example whether request sends short message, determine whether that it is operated according to security strategy, this implementation is this when not allowing During behavior, self-defining data can be returned to related call instruction, for example, null value be returned to, so that it is guaranteed that some illegal behaviour can be prevented Make.The monitoring module 22 is registered as service processes, and finger is called with Hook Function associated objects application program active process Make realizing the activity monitoring to the destination application.The monitoring module 22 is using Hook Function to related call instruction Entrance monitored, intercept and capture this call instruction, turn to and perform corresponding Hook Function, by the Hook Function according to sandbox Inherent logic carrys out the response call instruction, so as to reach foregoing purpose.It is related to place of the monitoring module 22 for surveillance operation Reason, especially security control aspect, will below provide more specifically example and illustrate.

Described processing unit 23, when being configured as monitoring destination application and needing to call the resource not matched, The quoting resource of related call instruction is redirected, correct resource is provided with the operation for the destination application.

Using monitoring module of the invention 22, it is possible to achieve the structure of more powerful sandbox running environment.Below in conjunction with One instantiation, further to supplement the explanation to the monitoring unit in the present invention.

The monitoring module 22 can obtain the extension corresponding to specific event behavior from a backstage sandbox HOOK frameworks Hook plug-in unit (Hook Function), using the particular event behavior of hook plug-in unit hook and monitoring objective application so as to realize to target The movable monitoring of program process.Described backstage sandbox HOOK frameworks, are managed concentratedly beyond the clouds, are entered to each terminal Row distribution.Wherein, high in the clouds is mainly configured with Java hook plugin libraries and Native hook plugin libraries.Monitoring module 22 needs hook During specific event behavior, request is sent to backstage sandbox HOOK frameworks by long-range card i/f, obtain and be directed to particular event row For HOOK functions, i.e., described hook plug-in unit sets up to the monitoring of particular event behavior capture and processes whereby.

And then, the intended application that operating host application will be located in assigned catalogue described in further loading.Such as It is preceding described, destination application is called, it is to be realized using known Java reflections call-by mechanism.Destination application quilt During loading, the module that has been monitored 22 establishes monitoring using plug-in unit is linked up with, therefore, all event behaviors of destination application are equal Within the monitoring range of monitoring module 22.The installation kit of destination application is complete unmodified, therefore, intended application After program is loaded by host application, can completely legal, normally run, realize what destination application can be realized originally Institute is functional.

Due to the loading of monitoring module 22 and destination application, it is host application process and is driven, is all place A part for primary application program process, and monitoring module 22 is prior to destination application loading, thus, operating monitoring module 22 establish the monitoring to all event behaviors of destination application.Anything produced in destination application running Part behavior, its event message module 22 that can be monitored is captured and processed accordingly.

The monitored module 22 of particular event behavior that destination application is produced is captured, and substantially triggers particular event row For when, corresponding hook plug-in unit (Hook Function) is captured in the monitored module 22 of produced event message.Capture the event Message, you can know the intention of the event, can then carry out follow-up treatment.

Processing unit 23 described in the particular event behavior place of carrying out reason is implemented, it is necessary to obtain event behavior treatment strategy. In this sub-step, further human-computer interaction function can be realized by system service.In order to realize man-machine interaction effect, One interactive module is registered as system service by the present invention in advance, and host application can interact mould by its interactive interface with this Block communicates, so as to realize acquisition of the host application to user instruction or preset instructions.

As it was previously stated, the acquisition modes of event behavioral strategy are very versatile and flexible, by construct a strategy generating device come Perform, it is the strategy selected one or be used in any combination of the invention to be exemplified below several：

(1) after the capture of monitoring module 22 particular event behavior, by the built-in interactive interface of host application, to described Interactive module sends request, and strategy is processed from interactive module to user interface pop-up inquiry user, and the pop-up interface can be direct Content and its risk of the user about event behavior are informed, corresponding option is selected as treatment strategy by user.User selects After respective selection and determination, interactive module obtains the treatment strategy for the particular event behavior, is fed back to monitoring module 22, corresponding event behavior of the treatment strategy that monitoring module 22 can be according to produced by the user instruction to destination application is entered The treatment of row next step.

(2) when some event behaviors for being acknowledged as relative low-risk occur, such as to the read-only operation of contact person Behavior, or when user is voluntarily retrieved for the treatment strategy to be taken of particular event behavior for the present invention is provided with, this Invention is using a local policy database retrieval accordingly for the treatment strategy of particular event behavior.That is, this is local In policy database, the association between particular event behavior and corresponding treatment strategy is established, and store various events The record data of corresponding relation between behavior and corresponding treatment strategy, can use for present invention retrieval.The present invention is from local After corresponding treatment strategy is obtained in policy database, the treatment of next step can be done to corresponding event behavior.

(3) if user is provided with the option for remotely obtaining treatment strategy, or acquiescence in local policy number for the present invention According to library searching less than particular event behavior specific strategy when can remotely obtain, and or carried out by foregoing (1st) kind situation Interact and cannot get response of the user to pop-up within the regulation time limit, such situation, host application can pass through Its built-in remote policy interface, request is sent to the high in the clouds of pre- framework, is obtained corresponding to the corresponding of the particular event behavior Treatment strategy, and for follow-up treatment.

It is pointed out that relevant three of the above obtains the mode for the treatment of strategy, can intersect and use cooperatively, for example, one Denier interactive module receives the feature of the event message of the transmission of monitoring module 22, you can according to default setting, with reference to (2nd) kind side Formula retrieves local policy database in advance, obtains the treatment strategy of system recommendation (if can not be obtained from local policy database , it might even be possible to further obtained from the policy database of high in the clouds by (3rd) kind mode).Then, mode is planted with reference to (1st), The treatment strategy that pop-up interface sets system recommendation is default option.If user does not confirm that the acquiescence is selected within the regulation time limit , then it is defined execution subsequent instructions by the treatment strategy of system recommendation；If it is changed into new default option by user, to Monitoring module 22 returns to the treatment strategy that user is set.It can be seen that, interactive process can be more flexible freely to realize.

Described local policy database, can be a copy of high in the clouds policy database, therefore, in the present invention, if A renewal step is put, for downloading high in the clouds policy database for updating local policy database.

Generally, the strategy for particular event behavior could be arranged to " refusal ", " RUN ", " inquiry " three often See option, its specific purpose for characterizing is：

Refusal：For the particular event behavior, the falseness that event behavior has been finished is sent to destination application Message, to forbid the event behavior to actually occur；

Operation：Do not made any changes for the particular event behavior, corresponding event message is forwarded directly into system disappears Breath mechanism, it is allowed to which destination application continues its event behavior；

Inquiry：Independence or to depend on both of the aforesaid option one of any, for the particular event behavior, marks its state to be Unknown state, it is follow-up when repeating to occur the behavior, it is necessary to row pop-up inquiry user again.

In practical application, option " inquiry " can be ignored, it is only necessary to consider whether to refuse or allow current event behavior to occur .

Described event behavior, it is varied, specifically include following several big types：

(1) terminal, relevant operation of networking：

Obtain operator's informaiton：Destination application can for example be moved by getSimOperatorName () function The IMSI of dynamic terminal, thus can determine whether the title of operator, further can send agreement instruction to operator, realize The illegal objective deducted fees etc.Monitor supervision platform, just can be to the capture of event behavior by linking up with message related to this.

Switching APN operations：Similarly, destination application realizes ANP switching controls by the function relevant with APN switchings Operation, the module 22 that can also be monitored is monitored by calling corresponding hook plug-in unit.

Similar operation, also including obtaining the operation of handset identity code IME, also with it is above-mentioned similarly.

(2) informing advertisement operation：Informing advertisement is the means for most easily being utilized by rogue program, and monitoring module 22 passes through Corresponding hook plug-in unit is called to be monitored the event message that notify functions are produced, also can be to its implementing monitoring.

(3) traffic operation：

As phone dials operation, the event of calling system dialing interface can be monitored by startActivity () function Behavior, event behavior monitoring can be set up using corresponding hook plug-in unit to dialing phone operation.

Short message is operated, corresponding to the function of sendTextMessage () etc, similarly, can be by hook plug-in unit to this Class function sets up event behavior monitoring.

Contact person operates：Query (), insert () function are corresponded generally to, monitoring module 22 is linked up with using plug-in unit is linked up with This class function can realize the monitoring capture to such event behavior.

(4) command operation：

As SU proposes power operation or execution of command operations, it is both needed to use Execve () function, monitoring module 22 is by monitoring this The return message of function, just can realize the monitoring of such event behavior.

(5) interface and access operation：

The event behavior of shortcut is such as created, then corresponding to sentBroacast () function.Similarly, for concealing program The operation of icon, can also correspond to specific function and monitor it.

As http network accesses operation, then corresponding to functions such as sentTo (), write ().

(6) procedure operation：

Such as application loading is operated, and refers to that current goal application program loads the operation of related application, by right The functions such as dexClassloader (), loadLibrary () carry out hook monitoring, it is possible to achieve such event behavior is caught Obtain.

Attached bag is and for example installed, then corresponding to installPackage () function.

(7) other risky operation：

For example, subprocess invades operation, derivative operation, the operation of activation equipment manager etc., correspond respectively to.

Wherein, subprocess refers to the subprocess that destination application is set up, when destination application creates subprocess, prison Control module 22 will receive corresponding message, and judge its event behavior for creating subprocess.Thus, monitoring module 22 further to Subprocess implant monitor module 22 in the subprocess in the way of inline hook, just can subsequently continue the thing to the subprocess Part behavior is monitored.Thus, the subprocess of the either own process of destination application, or its establishment, they are direct Or the event behavior for being triggered indirectly, can be monitored by monitoring module of the invention 22, realize preferably Initiative Defense effect More preferably.

And the derivative, refer to file that destination application is voluntarily created, or remote download file, typically Refer to sensitive derivative, such as installation kit.The event can be captured by linking up with fClose () function.It is pointed out that working as After monitoring module 22 captures the event behavior, can as the method previously described, being sent further with remote layout bank interface please Ask to high in the clouds, judge the safe class of the derivative, the present invention using its black, white, grey safe class rule of conduct by high in the clouds After remote layout bank interface obtains high in the clouds result of determination, further pop-up asks the user whether to set up to the sensitive derivative Initiative Defense, thus just can further consolidate the effect of Initiative Defense.

Above-mentioned event behavior is only that extracts is used, it is impossible to be interpreted as the limitation of the event behavior to present invention monitoring.

According to the above-mentioned tactful and above-mentioned explanation on event behavior for the treatment of, active defense method of the invention just can be right Various event behaviors are processed accordingly.It is exemplified below several typical application examples：

(1) to the application of the fine interception of destination application：

After part rogue program is mounted, the state in normally using within the quite a long time benumbs user Awareness of safety.But, after one rapid lapse of time of operation, the destination application is attempted causing user from backstage one short message of insertion Concern, reach advertisement and swindle effect.After setting up active defense mechanism to the destination application, the present invention is such as preceding institute State, by monitoring of the corresponding hook plug-in unit to short message handling function in monitoring module 22, once destination application generation is short Believe the event behavior of operation, just can capture this event behavior, then, monitoring module 22 notifies to be used as system by its interactive interface The interactive module of system service operation, is warned from interactive module to user interface pop-up.After user clicks the treatment strategy of " refusal ", By converse monitoring module 22 of feeding, wherein hook plug-in unit just can hinder actually occurring for the event behavior accordingly, strick precaution wind is reached The purpose of danger.

(2) application of malicious file is discharged to destination application.

Destination application is a Games Software, is downloaded by way of checking and updating and discharges malice attached bag, and adjusted The attached bag is installed with systemic-function.The present invention is established after the sandbox running environment of Initiative Defense to the destination application, Its event behavior downloaded file and produced can be monitored, is alerted accordingly by interactive module pop-up.User instruction is refused Afterwards, corresponding hook plug-in unit just can directly delete this document in monitoring module 22, or only refuse the installation row of this document For.

In the present invention, for such malice attached bag, it is considered as sensitive derivative, to derivative with the presence or absence of malice Judge, can remotely be judged by using predetermined safe class.Specifically, when detecting generation derivative When, the characteristic information of corresponding file or its signature etc is sent to high in the clouds by remote layout bank interface, and from high in the clouds Its safe class is obtained, if black, grey application, then advises that user's refusal is installed in pop-up；If white application, then can permit Perhaps it passes through.By this method, the Prevention-Security to sensitive derivative can just be realized.If high in the clouds can't detect the derivative Relative recording, can require that this method is its upload this document, and unknown applications are denoted as by high in the clouds, accordingly, should with ash With being marked, for future use.

(3) application invaded subprocess.

Monitored destination application creates subprocess in the process of running, and subprocess further discharges malicious event Behavior.When monitoring module 22 monitors destination application establishment subprocess, that is, the entrance of subprocess is obtained, then entered to the son Journey is implanted into monitoring module 22 of the invention, and all HOOK plug-in units (hook plug-in unit) all can be loaded into this in the way of inline hook In subprocess and initialize it is good realize hook, to set up the monitoring to the event behavior of the subprocess.Thus, it is possible to find out, The event behavior for either directly being triggered by destination application process, or entered by the son that destination application process is created The indirect event behavior that journey is triggered, the module 22 that can be monitored successfully is monitored.

From above-mentioned analysis, the sand of application program progress control method of the invention and its construction of corresponding device institute Case running environment, with efficient feasibility.

The present invention is further realized for ease of those skilled in the art, cloud server is disclosed further below and is set with terminal The standby related content for realizing that installation kit safe class judges that how to cooperate：

As it was previously stated, the characteristic information of cloud server is sent to by remote layout bank interface by client, including： The bag name of Android installation kits, and/or, version number, and/or, digital signature, and/or, the spy of Android components receiver Levy, and/or, the feature of Android components service, and/or, the feature of Android components activity, and/or, can hold Instruction or character string in style of writing part, and/or, the MD5 values (signature) of each file under Android installation kit catalogues.

The client of the method for the present invention or device is realized, specified characteristic information is uploaded onto the server into (high in the clouds), Searched in the preset rule base of server with specified single feature information or its combine the feature that matches and record；Wherein, Corresponding level of security is recorded comprising feature record and feature in the preset rule base of the server, is wrapped in every feature record The combination of information containing single feature or characteristic information；

Thousands of feature records are prefixed in server end rule base, wherein, list certain in first feature record The Android installation kits bag name of virus, lists the Android installation kit versions of certain normal use in Article 2 feature record Number and its digital signature MD5 values, Article 3 feature record in list certain normal use Android installation kits bag name and Its receiver feature, Article 4 feature record in list certain wooden horse Android installation kits bag name, version number and its Specific character string in ELF files, etc..

Mark on safe class, i.e., black, white (safety) or grey (unknown, suspicious) three kinds of marks, can be further Be expressed as：

Safety：The application is a normal application, the behavior for not having any threat user mobile phone safety；

It is dangerous：There is security risk in the application, it is possible to the application inherently Malware；It is also possible to the application originally Being the normal software of regular company issue, but because there are security breaches, the privacy of user, mobile phone safe is caused to be subject to prestige The side of body；

With caution：The application is a normal application, but be there are problems that, for example, user's imprudence can be allowed to be detained Take, or there is disagreeableness advertisement to be complained；After this kind of application is found, user can be pointed out to use with caution and inform this Using possible behavior, but decide whether remove the application in its sole discretion by user；

Wooden horse：The application is virus, wooden horse or other Malwares, here for being referred to generally simply as wooden horse, but not Represent the application only wooden horse.

It should be appreciated that the cooperation between high in the clouds and client, can be by those skilled in the art according to disclosed Content further expand, convert, additions and deletions and improve.Thus, disclosure recited above should not be construed as realizing side of the invention The limitation of method and device.

By test, the present invention has broader range of application and application effect relative to prior art, below slightly Illustrate：

Due to the present invention HOOK frameworks have been made into service platform, to link up with plug-in unit in the way of be terminal configuration monitoring Module 22, therefore, its loading only needs to depend on corresponding configuration file, efficient administration and is easily achieved, for technical personnel, Some simple function calls only need to write the configuration that configuration file is capable of achieving hook plug-in unit, and HOOK reentries, concurrency performance is high.

The loading to monitoring module 22 and destination application is successively realized using host application, then by monitoring Monitoring is set up in event behavior of the module 22 to destination application, it is possible to achieve to Java functions, the hook of Native functions.

In sum, the present invention can be destination application provide ensure its normally run sandbox running environment in, and And can ensure that the safety of system.

The above is only some embodiments of the invention, it is noted that for the ordinary skill people of the art For member, under the premise without departing from the principles of the invention, some improvements and modifications can also be made, these improvements and modifications also should It is considered as protection scope of the present invention.

Claims

1. a kind of application program progress control method, it is characterised in that comprise the following steps：

The installation kit as the subsidiary resource of host application for having identical bag name with host application is called in reflection, to add Carry the destination application that the installation kit is realized；

When monitoring destination application and needing to call the resource not matched, the quoting resource of related call instruction is redirected, Correct resource is provided with the operation for the destination application.

2. application program progress control method according to claim 1, it is characterised in that host application reflection is called Destination application installation kit, belong to the installation resource file of host application.

3. application program progress control method according to claim 1, it is characterised in that loaded targets are called using reflection During application program, the resource that destination application is met by the calling for installation resource to host application is accessed.

4. application program progress control method according to claim 1, it is characterised in that the host application is with institute The configuration file of installation kit is stated to system registry.

5. application program progress control method according to claim 1, it is characterised in that the monitoring module is registered as Service processes, with the call instruction of Hook Function associated objects application program active process realizing to the destination application Activity monitoring.

6. application program progress control method according to claim 1, it is characterised in that the resource not matched includes Because destination application do not install but called by reflection caused by be considered as the resource of abuse.

7. application program progress control method according to claim 1, it is characterised in that the resource not matched includes Resource in system resource and the installation kit.

8. application program progress control method according to claim 7, it is characterised in that the system resource corresponds to and is The instruction of system informing and animation switching command, when monitoring destination application process and accessing such system resource, return to it Null value is shielding its call instruction.

9. the application program progress control method according to claim 6 or 7, it is characterised in that destination application is called During resource in the installation kit, use reflection method of calling correct in the installation kit for corresponding call instruction is redirected to Resource.

10. application program progress control method according to claim 1, it is characterised in that when monitoring intended application journey When sequence carries out unwarranted access, self-defining data is returned to related call instruction.

11. application program progress control methods according to claim 1, it is characterised in that the host application Resource file and/or dynamic library file are identical with the corresponding document in the installation kit.

A kind of 12. application program operating control devices, it is characterised in that including：

The peace as the subsidiary resource of host application for having identical bag name with host application is called in call unit, reflection Dress bag, to load the destination application that the installation kit is realized；

Processing unit, when monitoring destination application and needing to call the resource not matched, redirects related call instruction Quoting resource, correct resource is provided with the operation for the destination application.

13. application program operating control devices according to claim 12, it is characterised in that host application reflection is adjusted The installation kit of destination application, belongs to the installation resource file of host application.

14. application program operating control devices according to claim 12, it is characterised in that the call unit is using anti- Penetrate when calling loaded targets application program, intended application journey is met by the calling for installation resource to host application The resource of sequence is accessed.

15. application program operating control devices according to claim 12, it is characterised in that the host application with The configuration file of the installation kit is to system registry.

16. application program operating control devices according to claim 12, it is characterised in that the monitoring module is registered It is service processes, with the call instruction of Hook Function associated objects application program active process realizing to the intended application journey The activity monitoring of sequence.

17. application program operating control devices according to claim 12, it is characterised in that the resource bag not matched Include because destination application do not install but called by reflection caused by be considered as the resource of abuse.

18. application program operating control devices according to claim 12, it is characterised in that the resource bag not matched Include the resource in system resource and the installation kit.

19. application program operating control devices according to claim 18, it is characterised in that the system resource is corresponded to Notifications column is instructed and animation switching command, when monitoring destination application process and accessing such system resource, it is returned Make the return trip empty value to shield its call instruction.

The 20. application program operating control device according to claim 16 or 17, it is characterised in that destination application is adjusted During with resource in the installation kit, reflection method of calling is used for corresponding call instruction is redirected in the installation kit just True resource.

21. application program operating control devices according to claim 12, it is characterised in that when monitoring intended application journey When sequence carries out unwarranted access, self-defining data is returned to related call instruction.

22. application program operating control devices according to claim 12, it is characterised in that the host application Resource file and/or dynamic library file are identical with the corresponding document in the installation kit.