CN106325945A - Method for collecting network data by using IE browser of window operation system - Google Patents

Info

Publication number
CN106325945A
Authority
CN
China
Prior art keywords
browser
network data
windows
dll
hook
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610737752.5A
Other languages
Chinese (zh)
Inventor
夏磊
毕永东
程志远
顾德仲
白志凌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing VRV Software Corp Ltd
Original Assignee
Beijing VRV Software Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing VRV Software Corp Ltd
Priority to CN201610737752.5A
Publication of CN106325945A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/445: Program loading or initiating
    • G06F9/44521: Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method for collecting network data by using the IE browser of the Windows operating system. The method comprises the following steps: (1) starting the Windows operating system and injecting a dynamic link library (DLL) module into the system by using HOOK technology; (2) starting the IE browser, which automatically loads the DLL module injected in step 1; (3) when the IE browser goes online, obtaining and collecting, via the DLL module injected in step 1, the HTTP network data of web page requests and responses on the local side of the IE browser; (4) saving the HTTP network data intercepted in step 3 locally via the DLL module injected in step 1; (5) exiting and closing the IE browser, which automatically unloads the DLL module injected in step 1; and (6) shutting down the Windows operating system and using HOOK technology again to reverse-inject (remove) the DLL module injected in step 1 from the system. With this method, the HOOK technology features of the Windows system are applied to the acquisition of network data; the various information produced while websites are accessed through the IE browser on a Windows system is intercepted and captured; and a data reference is supplied for the subsequent analysis of individual users' online activity.

Description

Method for collecting network data by using the IE browser of the Windows operating system
Technical field
The technology of this patent application belongs to the technical field of information acquisition methods in network data exchange, and relates in particular to a method for obtaining web browsing data and information when going online with the Windows operating system and the IE browser.
Background
With the rapid development of Web technology and Web applications and the arrival of the big-data era, the monitoring of all kinds of Web application sites (social platforms in particular), public-opinion monitoring by companies, user data collection and big-data mining are applied more and more widely; all trades and professions increasingly depend on the Internet and rely heavily on Internet information. Internet data is massive, however, and how to extract the data that is needed has become a technical bottleneck.
In addition, one scenario requires understanding and analysing an individual's Internet access information. Usually, the message content of a user's online behaviour can be captured with software such as Wireshark. Wireshark (formerly Ethereal) is a network packet analysis tool. The function of such software is to capture network packets and display the packet data in as much detail as possible. Wireshark uses WinPcap as its interface and exchanges data messages directly with the network card. Capturing network-card packets through WinPcap is a simple way to obtain online-behaviour data, and the captured content is complete. When the data of an HTTPS website is captured, however, the captured content is all SSL-encrypted, and viewed in Wireshark it is garbled. Restoring the website's data content therefore requires SSL decryption, but SSL decryption needs a private key that is never disclosed, so this approach cannot restore the data content.
A method commonly used in computer programming is the "hook" technique. A hook is actually a piece of program, namely a program segment that processes messages; it is called by the system and is linked into the system. Whenever a specific message is sent, the hook program captures it before it reaches the destination window, that is, the hook function gains control first. The hook function can then process (modify) the message, pass it on without processing it, or forcibly end its delivery. A hook can also be understood as a back door that Windows leaves for us. For example, to control the keyboard: in the DOS era this was done very simply through INT, whereas Windows does not allow us to operate the hardware directly. Because Windows is message-driven, we can intercept keyboard messages to achieve the purpose of controlling the keyboard. Controlling the messages of one's own process is simple, but controlling the messages of all processes requires a hook. With the hook function placed in a DLL, all keyboard-related messages must pass through the hook function's filtering, so you can then do as you please.
The technical scheme of this application applies these features of hook functions to the acquisition of network data: the way hook functions operate is used to obtain and collect the various information a web browser produces while it runs, providing a data reference for the subsequent analysis of individual users' online activity.
Summary of the invention
When an existing HTTPS website is accessed, the data content the web page sends and receives is SSL-encrypted, so the website data content captured by the common Wireshark approach is all SSL-encrypted data. SSL encryption is very hard to crack, and it is difficult to SSL-decrypt the intercepted data and then restore the data content.
The present invention proposes a method of collecting the online data of HTTPS websites in the IE browser of a Windows system by means of the hook technique. The technical scheme that achieves this purpose is a method for collecting network data by using the IE browser of the Windows operating system, with the following steps: (1) the Windows operating system starts, and HOOK technology is used to inject a dynamic link library (DLL) module into the operating system; (2) the IE browser starts and automatically loads the DLL module injected in step 1; (3) the IE browser opens a website address and goes online, and the DLL module injected in step 1 obtains and collects the HTTP network data of web page requests and responses on the local side of the IE browser; (4) the DLL module injected in step 1 saves the HTTP network data intercepted in step 3 locally; (5) the IE browser exits and closes, and automatically unloads the DLL module injected in step 1; (6) the Windows operating system shuts down, and HOOK technology is used again to reverse-inject (remove) the DLL module injected in step 1 from the system. In this method, after the software of the invention is run on a Windows terminal computer, the hook technique is used to inject the invention's DLL module file into the Windows system. When the user performs online activity with the IE browser, the injected DLL module intercepts the data content that the activity produces and determines whether it is data content of a web page to be collected as specified in the configuration items; finally, it saves the intercepted data content of the web pages to be collected in the configuration items. With this method, a user's access to specified HTTPS website pages can be collected and recorded, and a user's use of internal information through internal HTTPS web pages can also be collected and recorded, which makes it possible to effectively trace the person responsible for the leakage of certain confidential information.
The application requires a minimum version of the Windows operating system: the operating system used is Windows XP or a later version. Operating systems at or above this version account for more than 99% of personal operating systems, so the range of application is very wide and the method is universal.
In step (3) of the above method, the HTTP network data packets obtained and collected include web page content information and information on the browsing events performed by the person going online; that is, all information on online operations in the IE browser is recorded by the hook module injected in step (1), which avoids omission of information. If, after the hook module has been injected in step (1), data acquisition fails while HTTP network data is being collected, the unsuccessful information is recorded in a log file for subsequent analysis.
In use, the hook module injected in step (1) is a set formed by the hook chain of multiple hook functions; the hook functions cooperate with one another to realise the final multi-information collection function.
When the Windows system starts, the software of the invention uses HOOK technology to inject the hook module DLL described in step (1) into the system. When the IE browser starts, the hook module injected in step (1) is loaded by the IE browser at the same time, and any operation in the IE browser runs in synchronisation with the network data acquisition of the hook functions in that module, which avoids omissions in data collection.
Brief description of the drawings
Fig. 1 is a flow chart of hook function injection and reverse injection.
Fig. 2 is a flow chart of the hook injection module intercepting and collecting data in the IE browser.
Detailed description of the invention
To describe the technical scheme of the invention more clearly, it is introduced in detail below. Fig. 1 shows the flow of hook function injection and reverse injection in the technical scheme of the invention. First, after the Windows operating system starts, HOOK technology is used to inject the hook module DLL into the Windows system. When the IE browser starts, it automatically loads the injected dynamic link library DLL, which registers the hook functions and binds them to the start-up of the IE browser; this is the "HOOK inject DLL" process in the figure. As shown in Fig. 2, once the software of the invention has completed injection of the hook module DLL and the user opens and runs the IE browser, the IE browser automatically loads the injected hook module DLL, and the hook functions obtain and collect HTTP web page data. The hook functions in the hook module DLL save the intercepted HTTPS web page data; if information is encountered that cannot be saved, the hook functions record the web page address or operation that could not be saved in a log file. When the user exits and closes the IE browser, the IE browser unloads the hook module DLL together with its hook functions, which stop when the browser stops running. Finally, when the Windows operating system stops running, the process of the software of the invention is closed and the hook module DLL is deregistered, as in the last two steps of Fig. 1. In the technical scheme of this application, the hook program obtains the IE browser's operation information synchronously and dynamically, and the data obtained is not SSL-encrypted; this removes the difficulty of traditional data acquisition, where the data must be decrypted after capture, and simplifies the acquisition of Internet information.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent replacement or simple improvement made within the essence of the present invention shall be included within its scope of protection.
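A defender's view of the loading behaviour described above, as an added example that is not part of the patent: it scans image-load records for DLLs mapped into iexplore.exe from outside trusted directories or without a valid signature, and notes whether the same DLL also appears in other processes, as a hook DLL injected system-wide typically would. The field names follow Sysmon's image-load event (Event ID 7); the paths, the DLL names `nethook.dll` and `tb.dll`, the trusted-directory list and the two-process threshold are all constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Assumption: directories from which browser modules are expected to load.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
)

def _ev(image, loaded, signed, status):
    """Build one image-load record using Sysmon Event ID 7 field names."""
    return {"Image": image, "ImageLoaded": loaded,
            "Signed": signed, "SignatureStatus": status}

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
HOOK = r"C:\ProgramData\Collector\nethook.dll"   # hypothetical hook DLL

# Constructed sample records, not taken from a real host.
SAMPLE_EVENTS = [
    _ev(IE, r"C:\Windows\System32\wininet.dll", "true", "Valid"),
    _ev(IE, HOOK, "false", "Unavailable"),
    _ev(r"C:\Windows\explorer.exe", HOOK, "false", "Unavailable"),
    _ev(NOTEPAD, HOOK, "false", "Unavailable"),
    _ev(NOTEPAD, r"C:\Windows\System32\user32.dll", "true", "Valid"),
    _ev(IE, r"C:\Users\alice\AppData\Local\Toolbar\tb.dll", "false", "Unavailable"),
]

def is_trusted(event):
    """Trusted means: loaded from a trusted directory AND validly signed."""
    directory = ntpath.dirname(event["ImageLoaded"].lower())
    in_trusted_dir = any(
        directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS
    )
    signed_ok = (event.get("Signed", "").lower() == "true"
                 and event.get("SignatureStatus") == "Valid")
    return in_trusted_dir and signed_ok

def find_hook_dll_candidates(events, browser="iexplore.exe", spread=2):
    """Return untrusted DLLs seen in the browser, with the other processes
    that loaded them. A DLL present in `spread` or more other processes is
    marked system_wide, the pattern a global hook injection leaves behind."""
    hosts = defaultdict(set)   # dll path -> process names that loaded it
    untrusted = set()
    for ev in events:
        dll = ev["ImageLoaded"].lower()
        hosts[dll].add(ntpath.basename(ev["Image"]).lower())
        if not is_trusted(ev):
            untrusted.add(dll)
    findings = []
    for dll in sorted(untrusted):
        if browser not in hosts[dll]:
            continue  # never reached the browser, out of scope here
        others = sorted(hosts[dll] - {browser})
        findings.append({"dll": dll, "other_hosts": others,
                         "system_wide": len(others) >= spread})
    return findings

if __name__ == "__main__":
    for finding in find_hook_dll_candidates(SAMPLE_EVENTS):
        print(finding)
```
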

Claims (6)

1. A method for collecting network data by using the IE browser of the Windows operating system, characterized in that the method steps are as follows: (1) the Windows operating system starts, and HOOK technology is used to inject a dynamic link library (DLL) module into the operating system; (2) the IE browser starts and automatically loads the DLL module injected in step 1; (3) the IE browser opens a website address and goes online, and the DLL module injected in step 1 obtains and collects the HTTP network data of web page requests and responses on the local side of the IE browser; (4) the DLL module injected in step 1 saves the HTTP network data intercepted in step 3 locally; (5) the IE browser exits and closes, and automatically unloads the DLL module injected in step 1; (6) the Windows operating system shuts down, and HOOK technology is used again to reverse-inject (remove) the DLL module injected in step 1 from the system.
2. The method for collecting network data by using the IE browser of the Windows operating system according to claim 1, characterized in that the Windows operating system used is Windows XP or a later version.
3. The method for collecting network data by using the IE browser of the Windows operating system according to claim 1, characterized in that the HTTP network data packets obtained and collected in step (3) include web page content information and information on the browsing events performed by the person going online.
4. The method for collecting network data by using the IE browser of the Windows operating system according to claim 1, characterized in that the hook function module injected in step (1) is a set formed by the hook chain of multiple hook functions.
5. The method for collecting network data by using the IE browser of the Windows operating system according to claim 1, characterized in that the acquisition of network data in step (3) runs in synchronisation with the IE browser.
6. The method for collecting network data by using the IE browser of the Windows operating system according to claim 1, characterized in that, after the hook function module has been injected in step (1), if data acquisition fails while HTTP network data is being obtained and collected, the unsuccessful information is recorded in a log file for subsequent analysis.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610737752.5A CN106325945A (en) 2016-08-26 2016-08-26 Method for collecting network data by using IE browser of window operation system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610737752.5A CN106325945A (en) 2016-08-26 2016-08-26 Method for collecting network data by using IE browser of window operation system

Publications (1)

Publication Number Publication Date
CN106325945A true CN106325945A (en) 2017-01-11

Family

ID=57790895

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610737752.5A Pending CN106325945A (en) 2016-08-26 2016-08-26 Method for collecting network data by using IE browser of window operation system

Country Status (1)

Country Link
CN (1) CN106325945A (en)

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040250115A1 (en) * 2003-04-21 2004-12-09 Trend Micro Incorporated. Self-contained mechanism for deploying and controlling data security services via a web browser platform
CN101561763A (en) * 2009-04-30 2009-10-21 腾讯科技(北京)有限公司 Method and device for realizing dynamic-link library
CN104252477A (en) * 2013-06-27 2014-12-31 贝壳网际(北京)安全技术有限公司 Method and device for controlling webpage pop-up window

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107423048A (en) * 2017-04-14 2017-12-01 网易乐得科技有限公司 Method, apparatus, medium and the computing device of Data Collection
CN107423048B (en) * 2017-04-14 2020-08-07 网易乐得科技有限公司 Data collection method, device, medium and computing equipment
CN108536507A (en) * 2018-03-22 2018-09-14 上海艺赛旗软件股份有限公司 A kind of figure applicating text recognition methods and system
CN108595178A (en) * 2018-05-04 2018-09-28 武汉极意网络科技有限公司 A kind of collecting method, device and equipment based on hook
CN108595178B (en) * 2018-05-04 2021-10-15 武汉极意网络科技有限公司 Hook-based data acquisition method, device and equipment
CN110855747A (en) * 2019-10-14 2020-02-28 上海辰锐信息科技公司 Method for collecting behavior audit data of user access application

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170111