CN106681884A - System call monitoring method and device - Google Patents

System call monitoring method and device

Publication number: CN106681884A
Application number: CN201610490064.3A
Authority: CN (China)
Legal status: Granted; active
Other languages: Chinese (zh)
Other versions: CN106681884B (en)
Inventor: 韩景维
Current assignee: Tencent Cloud Computing Beijing Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Prior art keywords: user process, function, trace, system call

Application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201610490064.3A; published as CN106681884A; application granted and published as CN106681884B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system

Abstract

The invention discloses a system call monitoring method and device. When a start request for a user process is received, the user process is created according to the identifier of the user process to be started that is carried in the start request, and the user process is traced. When the trace information indicates that the user process is performing a system call, system call information is obtained, and the system call operation of the user process is monitored on the basis of that information. The scheme does not need to modify data in kernel space: it is not only simple to implement, but also improves adaptability, stability and compatibility.

Description

System call monitoring method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a system call monitoring method and device.
Background technology
In an operating system, most resources, such as files and memory, are accessed through system calls. If system calls could be controlled, for example by making sure that the caller has the authority and is not a malicious or illegitimate user, the security of the system could be improved to a great extent. To this end, the prior art proposes system call monitoring techniques, in which system calls are intercepted and analyzed, and a system call is only allowed to execute when the analysis determines that it is authorized.
In the prior art, a system vulnerability is mainly used to modify data in the kernel space of the system in order to intercept system calls. For example, the address of a syscall (system call) function in the syscall table (system call function table) in kernel space is modified, so that the pointer to that syscall function is changed: when the system invokes the syscall function, control goes to the function at the modified address, such as a custom function. The custom function then obtains and analyzes information about the system call, and can determine whether the system call is authorized, whether it is allowed to execute, and so on.
In the course of research and practice on the prior art, the inventors of the present invention found that the existing scheme needs to modify data in kernel space, so it is complex to implement; moreover, because it depends on a system vulnerability, its adaptability, stability and compatibility are also poor.
Summary of the invention
The embodiments of the present invention provide a system call monitoring method and device that do not need to modify kernel-space data; they are not only simple to implement, but can also improve adaptability, stability and compatibility.
An embodiment of the present invention provides a system call monitoring method, including:
receiving a start request for a user process, the start request carrying the identifier of the user process to be started;
creating the user process according to the identifier, and tracing the user process to obtain trace information;
when the trace information indicates that the user process is performing a system call, obtaining system call information; and
monitoring the system call operation of the user process based on the system call information.
Correspondingly, an embodiment of the present invention provides a system call monitoring device, including:
a receiving unit, configured to receive a start request for a user process, the start request carrying the identifier of the user process to be started;
a creating unit, configured to create the user process according to the identifier;
a tracing unit, configured to trace the user process and obtain trace information;
an acquiring unit, configured to obtain system call information when the trace information indicates that the user process is performing a system call; and
a monitoring unit, configured to monitor the system call operation of the user process based on the system call information.
In the embodiments of the present invention, when a start request for a user process is received, the user process can be created according to the identifier of the user process to be started carried in the start request, and the user process is traced; then, when the trace information indicates that the user process is performing a system call, system call information is obtained, and the system call operation of the user process is monitored based on that information. Because most of the logic of this scheme is completed in user space and no kernel-space data needs to be modified, it is relatively simple to implement; and because the scheme does not rely on a system vulnerability, its adaptability, stability and compatibility are greatly improved compared with the existing scheme.
Brief description of the drawings
In order to explain the technical solutions in the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1a is a scenario diagram of the system call monitoring method provided by an embodiment of the present invention;
Fig. 1b is a flow chart of the system call monitoring method provided by an embodiment of the present invention;
Fig. 2a is another flow chart of the system call monitoring method provided by an embodiment of the present invention;
Fig. 2b is another scenario diagram of the system call monitoring method provided by an embodiment of the present invention;
Fig. 3a is a schematic structural diagram of the system call monitoring device provided by an embodiment of the present invention;
Fig. 3b is another schematic structural diagram of the system call monitoring device provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a terminal provided by an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art based on these embodiments without creative effort fall within the scope of protection of the present invention.
The embodiments of the present invention provide a system call monitoring method and device.
The system call monitoring method is applicable to the Android operating system (Android system for short) or other similar operating systems, and the system call monitoring device can be integrated in a terminal, such as a mobile phone, tablet computer or notebook computer.
Taking the Android system as an example, and referring to Fig. 1a, memory space is usually divided into kernel space and user space. Kernel space and user space have different privileges: kernel space has the higher privilege, and a terminal generally has only one kernel space, whereas user space has lower privilege relative to kernel space and there may be several user spaces. User spaces mainly run the various applications, and each application can include several processes; in the embodiments of the present invention, the processes corresponding to these applications are called user processes. A system call generally refers to a call of a system call function in kernel space. To monitor system calls, the user process can be traced from the moment it is created; if the trace information indicates that the user process is performing a system call, system call information is obtained, and the system call operation of the user process is controlled based on that information.
For example, as shown in Fig. 1a, a tracing process can be started. When the tracing process receives a start request for a user process, it creates the user process according to the identifier of the user process to be started carried in the start request. For instance, the tracing process can attach to an incubator process (zygote); the incubator process creates (incubates) a new process, i.e. a child process, and the preset parameters in the child process are modified according to the identifier to obtain the user process. At the same time, a corresponding flag can be set in the tracing process to indicate that user processes are to be traced, so that the tracing process automatically attaches to the user process afterwards. When the user process performs a system call, kernel space returns the corresponding system call information to the process attached to the user process, i.e. the tracing process, so that the tracing process can monitor the system call operation of the user process based on that information. For example, the tracing process can read the function number (syscall number) of the system call function from a register of the central processing unit (CPU), then determine from that number whether the call of the system call function needs to be controlled. If it does, the system call information is analyzed and the system call of the user process is controlled based on the analysis result; otherwise, if the call of the function does not need to be controlled, the user process simply continues executing.
Each of these is described in detail below. Note that the numbering of the following embodiments does not limit the order of preference among them.
Embodiment 1
This embodiment is described from the perspective of the system call monitoring device, which can be integrated in a terminal such as a mobile phone, tablet computer or notebook computer.
A system call monitoring method includes: receiving a start request for a user process, the start request carrying the identifier of the user process to be started; creating the user process according to the identifier, and tracing the user process to obtain trace information; when the trace information indicates that the user process is performing a system call, obtaining system call information; and monitoring the system call operation of the user process based on the system call information.
As shown in Fig. 1b, the specific flow of the system call monitoring method can be as follows:
101. Receive a start request for a user process.
The start request carries the identifier of the user process to be started, such as the name and/or number of the user process. It can also carry other information, such as the values of preset parameters corresponding to the user process.
The preset parameters are specific to the particular user process and are generally used to describe, for instance, the resources and calls of that user process; the preset parameters of different user processes may differ and are determined by the needs of the actual application, which are not detailed here.
Optionally, a tracing process (also called an interception process) can be set up to perform the operations of the system call monitoring method, in which case the step "receive a start request for a user process" can specifically be:
receiving, by the tracing process, the start request for the user process.
If the operations of the system call monitoring method are performed by a tracing process, the tracing process needs to be started the first time the method runs. Optionally, before the step "receive a start request for a user process", the system call monitoring method can also include:
receiving a system call monitoring request, and starting the tracing process according to the monitoring request.
The tracing process can be implemented with the ptrace (trace) mechanism. For example, a hard-coded hook (a hook is a kind of hook function) can be inserted in the routine that handles system call function (syscall) traps (entry.s), so that the syscall calls of all traced processes can be intercepted and called back, achieving some security protections such as injection interception, file deletion interception, file modification interception, file read interception and network communication interception.
102. Create the user process according to the identifier, and trace the user process to obtain trace information.
There are many ways to create the user process according to the identifier; for example:
the tracing process attaches to an incubator process; the incubator process creates a child process that inherits the content of the incubator process; and the preset parameters in the child process are modified according to the identifier to obtain the user process.
For example, the parameters that need to be modified in the child process, and their values, can be determined from the identifier; the child process is then modified according to those parameters and values to obtain the user process.
Note that if the start request of the user process carries the values of the preset parameters, the parameters to modify in the child process and their values can be obtained from the start request; if the start request does not carry them, they can be obtained from another storage unit or database.
The incubator process can be the zygote (incubator) process or another process that can perform a function similar to the zygote process, as determined by the needs of the actual application, which are not detailed here.
For example, taking the incubator process to be the zygote process, the tracing process can be attached to the zygote process. When a user process needs to be started, for instance when the user clicks the icon of a terminal application, the zygote process creates (incubates) a new process with itself as the parent, and the new process inherits all the content of the zygote process; that is, the zygote process corresponds to the parent process and the new process to the child process, so in the embodiments of the present invention the new process is called the child process. After that, the parameters to modify in the child process and their values are determined from the identifier of the user process to be started, and the child process is modified according to them to obtain the user process.
In addition, when the tracing process is attached to the incubator process, a corresponding flag can be set in the tracing process to indicate that user processes are to be traced, so that the user process is traced whenever the flag is found afterwards. Alternatively, a flag can be set to indicate whether user processes are to be traced, for example the value "1" indicating that user processes are to be traced and the value "0" indicating that they are not, or vice versa. That is, the step "trace the user process to obtain trace information" can include:
when the flag is determined to indicate that user processes are to be traced, attaching the tracing process to the user process, so that the tracing process traces the user process and obtains trace information.
For example, PTRACE_O_TRACEFORK can be set in the tracing process. PTRACE_O_TRACEFORK is a flag in ptrace; setting it causes the tracing process to be attached automatically to the corresponding user process when the process incubated by the zygote process executes FORK (a function), so that the tracing process can trace the user process afterwards.
103. When the trace information indicates that the user process is performing a system call, obtain system call information.
For example, when the trace information indicates that the user process is performing a system call, the tracing process can receive the system call information from kernel space.
For instance, taking the user process to be the launch process of application A: when the launch process of application A calls a system call function (syscall) in kernel space, because the syscall is implemented at the bottom layer of the system, a signal can be sent to the process attached to the user process, i.e. to the tracing process, and the signal carries the system call information.
The system call information can include the identifier of the system call function, such as its name and/or call number (syscall number), and can also include the time of the system call, its storage location, and so on.
104. Monitor the system call operation of the user process based on the system call information. For example, this can be done as follows:
(1) Read the call number (syscall number) of the system call function.
For example, the call number can be obtained by reading a register of the CPU.
(2) When it is determined from the call number that the call of the function needs to be controlled, analyze the system call information to obtain an analysis result.
For example, a data table can be preset that stores the mapping between call number, system call function (syscall) and information such as an importance level; the higher the importance level, the higher the privilege required to call that syscall, and the more its call needs to be controlled.
Then, after the call number is obtained, whether the function call corresponding to that call number needs to be controlled can be determined by looking up the preset data table. For instance, taking importance level "1" to mean that the call of the function needs to be controlled: if the importance level corresponding to call number "333" is "1", the call of the function needs to be controlled, so the system call information is analyzed, for example to determine whether the user process has the authority to call the function, and so on, to obtain the analysis result.
Conversely, if the importance level corresponding to call number "333" is not "1", the call of the function does not need to be controlled, and the user process can be allowed to call the function.
(3) Control the system call operation of the user process according to the analysis result, for example as follows:
when it is determined from the analysis result that the user process has the authority to call the function, allow the user process to call the function;
when it is determined from the analysis result that the user process does not have the authority to call the function, prevent the user process from calling the function.
In summary, in this embodiment, when a start request for a user process is received, the user process is created according to the identifier of the user process to be started carried in the start request, and the user process is traced; then, when the trace information indicates that the user process is performing a system call, system call information is obtained, and the system call operation of the user process is monitored based on that information. Because most of the logic of this scheme is completed in user space and no kernel-space data needs to be modified, it is relatively simple to implement; and because the scheme does not rely on a system vulnerability, its adaptability, stability and compatibility are greatly improved compared with the existing scheme.
Embodiment 2
The method described in Embodiment 1 is further illustrated below with an example.
In this embodiment, the system call monitoring device is integrated in a terminal, and the operating system of the terminal is taken to be the Android system.
As shown in Fig. 2a, a system call monitoring method can have the following specific flow:
201. The terminal receives a system call monitoring request and starts a tracing process according to the monitoring request.
The tracing process can be implemented with the ptrace (trace) mechanism. For example, a hard-coded hook (a hook is a kind of hook function) can be inserted in the routine that handles system call function (syscall) traps (entry.s), so that the syscall calls of all traced processes can be intercepted and called back, achieving some security protections such as injection interception, file deletion interception, file modification interception, file read interception and network communication interception.
Note that, to simplify the flow and improve efficiency, the tracing process only needs to be started on the first run and can be reused afterwards; it does not have to be started every time a user process needs to be monitored. Step 201 is therefore optional: if the tracing process in the current system has already been started, this step need not be performed.
202. The terminal receives, through the tracing process, a start request for a user process.
The start request carries the identifier of the user process to be started, such as the name and/or number of the user process. It can also carry other information, such as the values of preset parameters corresponding to the user process.
203. The terminal attaches the tracing process to an incubator process; the incubator process creates a child process that inherits the content of the incubator process; and the preset parameters in the child process are modified according to the identifier to obtain the user process.
The incubator process can be the zygote (incubator) process or another process that can perform a function similar to the zygote process. For example, taking the incubator process to be the zygote process and the user process to be started to be the deletion process of file A, and referring to Fig. 2b, the procedure can be as follows:
The tracing process is attached to the zygote process. When the start request for the "deletion process" of file A is received, for instance when the user clicks or swipes the icon of file A in order to delete file A, the zygote process creates a new process with itself as the parent, obtaining a child process that inherits all the content of the zygote process. Then, according to the identifier of the "deletion process" to be started carried in the start request, the parameters to modify in the child process and their values are determined, and the child process is modified according to them to obtain the deletion process of file A (i.e. the user process).
In addition, when the tracing process is attached to the incubator process, a corresponding flag can be set in the tracing process to indicate that user processes are to be traced. For example, referring to Fig. 2b, PTRACE_O_TRACEFORK can be set in the tracing process, so that when the zygote process executes the FORK function, i.e. creates a child process to obtain the user process, the tracing process automatically attaches to the corresponding user process, i.e. the deletion process of file A, and can subsequently trace the deletion process of file A.
Part of the code of the tracing process can be as follows:
204. The terminal determines from the trace information whether the user process is performing a system call. If it is not, this can be ignored; if it is, the tracing process receives the system call information from kernel space.
For example, again taking the user process to be the deletion process of file A: when the deletion process of file A calls a syscall in kernel space, such as the function "sys_getpid", kernel space can send a signal to the process attached to the deletion process, i.e. the tracing process, for instance a stop signal (stop sig), as shown in Fig. 2b. The signal carries the system call information, so at this point the tracing process receives the system call information from kernel space.
The system call information can include the identifier of the system call function, such as its name and/or call number (syscall number), and can also include information such as the time of the system call and its storage location, which is not detailed here.
205. The terminal reads the call number (syscall number) of the system call function, i.e. the call number of the syscall.
For example, because a register of the CPU usually stores the call number of the syscall invoked by the currently running process, the call number can be obtained by reading that register of the CPU.
206. When the terminal determines from the call number that the call of the function needs to be controlled, it analyzes the system call information to obtain an analysis result.
For example, after the call number is obtained, whether the call of the function corresponding to that call number needs to be controlled can be determined by looking up the preset data table. Taking the called function "sys_getpid" as an example again: since the call number corresponding to the function "sys_getpid" is "20", the record of the function with call number "20" can be looked up in the preset data table to determine whether the call of the function "sys_getpid" needs to be controlled. If it does, the received system call information is analyzed to obtain an analysis result; otherwise, if it does not, the user process can be directly allowed to call the function "sys_getpid", and so on by analogy.
207. The terminal determines from the analysis result whether the user process has the authority to call the function; if so, it allows the user process to call the function; if not, it prevents the user process from calling the function.
In summary, in this embodiment the tracing process is attached to the incubator process, and a corresponding flag indicating that user processes are to be traced is set in the tracing process, so that when the incubator process creates a user process the tracing process is automatically attached to it. This achieves the purpose of tracing the user process, obtaining the corresponding system call information, and monitoring the system call operation of the user process based on that information. Because most of the logic of this scheme is completed in user space and no kernel-space data needs to be modified, it is relatively simple to implement; and because the scheme does not rely on a system vulnerability, its adaptability, stability and compatibility are greatly improved compared with the existing scheme. In short, this embodiment can improve adaptability, stability and compatibility while safeguarding the security of system calls, and it is relatively simple to implement, which can greatly reduce development difficulty and cost.
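The following C program is an added worked example of the flow in steps 101 to 104 of Embodiment 1 and steps 201 to 207 of Embodiment 2; it is not code from the patent or from Tencent. It targets x86-64 Linux with glibc and makes these assumptions: instead of attaching to zygote (which is Android-specific), the tracer forks the monitored program itself under PTRACE_TRACEME; PTRACE_O_TRACEFORK, PTRACE_O_TRACEVFORK and PTRACE_O_TRACECLONE make the kernel attach the tracer to every process the monitored program creates; the call number is read from the orig_rax register at each syscall-entry stop; the preset data table POLICY, the allow list DEMO_ALLOWED and the functions needs_control, syscall_name, decide and monitor are all constructed here; and because the patent leaves the "does the user process have authority" check to the implementer, decide uses a simple per-process allow list of call numbers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

/* Preset data table (constructed): call number -> function name and importance
 * level. Level 1 means the call needs control (an authority check), level 0
 * means allow. The text's sys_getpid number "20" holds for 32-bit x86 and ARM
 * EABI; on x86-64 it is 39, so the SYS_* macros keep the table right for the
 * host. 333 is the illustrative number used in the text. */
struct policy_entry { long nr; const char *name; int level; };
static const struct policy_entry POLICY[] = {
    { SYS_getpid,   "sys_getpid",   0 },
    { SYS_unlink,   "sys_unlink",   1 },   /* file deletion interception */
    { SYS_unlinkat, "sys_unlinkat", 1 },
    { SYS_connect,  "sys_connect",  1 },   /* network communication interception */
    { 333,          "illustrative", 1 },   /* number used as an illustration in the text */
};
/* Constructed allow list for the demo process: only sys_connect is authorised. */
const long DEMO_ALLOWED[] = { SYS_connect };
const size_t DEMO_NALLOWED = 1;

static const struct policy_entry *lookup(long nr) {
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (POLICY[i].nr == nr) return &POLICY[i];
    return NULL;
}
/* Step (2): does the table say this call needs control? Numbers not in the
 * table are not flagged, matching the text's "allow unless the table says so". */
int needs_control(long nr) {
    const struct policy_entry *e = lookup(nr);
    return e != NULL && e->level >= 1;
}
const char *syscall_name(long nr) {
    const struct policy_entry *e = lookup(nr);
    return e ? e->name : "unknown";
}
/* Step (3): authority check (assumption: an allow list of call numbers).
 * Returns 1 to allow the call, 0 to block it. */
int decide(const long *allowed, size_t nallowed, long nr) {
    if (!needs_control(nr)) return 1;
    for (size_t i = 0; i < nallowed; i++)
        if (allowed[i] == nr) return 1;
    return 0;
}

/* One record per traced process: whether its current call was blocked at entry. */
#define MAX_TRACEES 64
struct tracee { pid_t pid; int blocked; };
static struct tracee tracees[MAX_TRACEES];
static struct tracee *tracee_for(pid_t pid, int *live) {
    struct tracee *spare = NULL;
    for (int i = 0; i < MAX_TRACEES; i++) {
        if (tracees[i].pid == pid) return &tracees[i];
        if (tracees[i].pid == 0 && !spare) spare = &tracees[i];
    }
    if (!spare) return NULL;
    *spare = (struct tracee){ pid, 0 };   /* a child the kernel auto-attached for us */
    (*live)++;
    return spare;
}

/* Steps 102-104 with ptrace. A blocked call is rewritten to the invalid call
 * number -1 at the entry stop (so the kernel executes nothing) and is made to
 * return -EPERM at the exit stop. Returns the number of blocked calls, -1 on error. */
int monitor(char *const argv[], const long *allowed, size_t nallowed) {
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                        /* let the tracer set its options first */
        execvp(argv[0], argv);
        _exit(127);
    }
    int status, live = 0, denied = 0;
    if (waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    tracee_for(child, &live);
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)(long)(PTRACE_O_TRACESYSGOOD |
           PTRACE_O_TRACEFORK | PTRACE_O_TRACEVFORK | PTRACE_O_TRACECLONE | PTRACE_O_EXITKILL));
    ptrace(PTRACE_SYSCALL, child, NULL, NULL);
    while (live > 0) {
        pid_t pid = waitpid(-1, &status, __WALL);
        if (pid < 0) return -1;
        struct tracee *t = tracee_for(pid, &live);
        if (!t) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) { t->pid = 0; live--; continue; }
        if (!WIFSTOPPED(status)) continue;
        int sig = WSTOPSIG(status), inject = 0;
        if (sig == (SIGTRAP | 0x80)) {         /* syscall-entry or syscall-exit stop */
            struct user_regs_struct regs;
            ptrace(PTRACE_GETREGS, pid, NULL, &regs);
            if (t->blocked) {                  /* exit stop of a call we blocked */
                regs.rax = (unsigned long long)-EPERM;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                t->blocked = 0;
            } else if ((long)regs.rax == -ENOSYS) {   /* entry stop: rax is -ENOSYS on x86-64 */
                long nr = (long)regs.orig_rax;        /* step 205: read the call number */
                if (!decide(allowed, nallowed, nr)) {
                    fprintf(stderr, "pid %d: blocked %s (%ld)\n", (int)pid, syscall_name(nr), nr);
                    regs.orig_rax = (unsigned long long)-1;
                    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                    t->blocked = 1; denied++;
                }
            }
        } else if ((status >> 16) == 0 && sig != SIGSTOP && sig != SIGTRAP) {
            inject = sig;                      /* a real signal: deliver it unchanged */
        }                                      /* fork events and initial SIGSTOPs: just resume */
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)inject);
    }
    return denied;
}

int main(void) {
    /* Constructed demo: the shell forks rm, which is traced automatically; its
     * unlink/unlinkat call is controlled and not on the allow list, so it fails with EPERM. */
    char *const cmd[] = { "sh", "-c", "echo hi; rm -f /tmp/syscall_monitor_demo", NULL };
    int denied = monitor(cmd, DEMO_ALLOWED, DEMO_NALLOWED);
    printf("blocked %d controlled system call(s)\n", denied);
    return denied < 0;
}
```

The entry/exit distinction relies on the documented x86-64 convention that rax holds -ENOSYS at a syscall-entry stop, plus the per-process blocked flag for the one case where an exit stop also shows -ENOSYS (the call we invalidated). Running the program as a normal user needs ptrace to be permitted for child processes, which is the default on most Linux systems but may be restricted inside containers.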
Embodiment Three
In order to better implement the above method, an embodiment of the present invention further provides a system call monitoring device. As shown in Figure 3a, the system call monitoring device may include a receiving unit 301, a creating unit 302, a tracing unit 303, an acquiring unit 304 and a monitoring unit 305, as follows:
(1) Receiving unit 301;
The receiving unit 301 is configured to receive a start request for a user process, the start request carrying the identifier of the user process that needs to be started.
The identifier of the user process may include information such as the name and/or number of the user process.
In addition, the start request may also carry other information, such as the values of the preset parameters corresponding to the user process, and so on.
The preset parameters are specific to a particular user process and are generally used to indicate matters such as the resources and call permissions of that user process; the preset parameters corresponding to different user processes may differ and can be chosen according to the needs of the actual application, which will not be described further here.
Optionally, the operations of the system call monitoring method can be performed by providing a tracing process (also called an interception process); that is, as shown in Figure 3b, the system call monitoring device may further include a start unit 306, as follows:
The receiving unit 301 may further be configured to receive a system call monitoring request;
and the start unit 306 may then be configured to start the tracing process according to the monitoring request.
The tracing process can be implemented by means of the ptrace mechanism: the kernel's system call entry routine (entry.S), which handles system call traps, contains a hard-coded hook through which every system call made by a traced process can be intercepted and reported back to the tracer.
(2) Creating unit 302;
The creating unit 302 is configured to create the user process according to the identifier.
For example, the creating unit 302 may specifically be configured to attach the tracing process to the hatching process; create a subprocess through the hatching process, the subprocess inheriting the content of the hatching process; and modify the preset parameters in the subprocess according to the identifier to obtain the user process.
For instance, the parameters that need to be modified in the subprocess, and their corresponding values, can be determined according to the identifier; the subprocess is then modified according to those parameters and values to obtain the user process.
It should be noted that if the start request of the user process carries the values of the preset parameters, the parameters to be modified in the subprocess and their values can be obtained from the start request; if the start request does not carry the values of the preset parameters, the parameters to be modified and their values can be obtained from another storage unit or from a database.
The hatching process may specifically be the zygote process, or another process that can realise functions similar to those of the zygote process, as determined by the needs of the actual application; this will not be described further here.
In addition, when the tracing process is attached to the hatching process, a flag indicating that user processes are to be traced can be set for the tracing process, so that whenever that flag is subsequently found the user process is traced; that is:
the creating unit 302 may further be configured to set a corresponding flag for the tracing process when attaching the tracing process to the hatching process, the flag indicating whether subprocesses are to be traced.
(3) Tracing unit 303;
The tracing unit 303 is configured to trace the user process and obtain tracing information.
For example, the tracing unit 303 may specifically be configured to attach the tracing process to the user process when it determines that the flag indicates that user processes are to be traced, so that the tracing process traces the user process and obtains tracing information, and so on.
(4) Acquiring unit 304;
The acquiring unit 304 is configured to obtain system call information when the tracing information indicates that the user process is making a system call.
For example, the acquiring unit 304 may specifically be configured to receive, through the tracing process, the system call information from kernel space when the tracing information indicates that the user process is making a system call.
Taking user process K as an example: when user process K calls a syscall of kernel space, kernel space sends a signal to the process attached to user process K, that is, to the tracing process, and the signal carries the system call information (with ptrace, the traced process enters a syscall-stop and the tracer learns of it through waitpid).
The system call information may include the identifier of the system call function, such as its name and/or call number, and may also include the time of the system call, the storage location, and so on.
(5) Monitoring unit 305;
The monitoring unit 305 is configured to monitor the system call operations of the user process on the basis of the system call information.
For example, the monitoring unit 305 may include a reading subunit, an analysis subunit and a control subunit, as follows:
The reading subunit is configured to read the function number of the system call function.
For instance, the reading subunit may be configured to read the function number of the system call function from the CPU registers, and so on (on Linux the number sits in the register that the architecture's system call ABI designates, for example orig_eax on 32-bit x86 and orig_rax on x86-64, and a ptrace tracer obtains it with PTRACE_GETREGS).
The analysis subunit is configured to analyse the system call information and obtain an analysis result when it determines, according to the function number, that the function call needs to be controlled.
The control subunit is configured to control the system call operations of the user process according to the analysis result, for example as follows:
The control subunit is specifically configured to allow the user process to call the function when it determines, according to the analysis result, that the user process has the permission to call the function, and to prevent the user process from calling the function when it determines, according to the analysis result, that the user process does not have the permission to call the function.
In specific implementations, the above units may be implemented as independent entities, or combined in any way and implemented as one or several entities; the specific implementation of each unit can be found in the method embodiments above and is not repeated here.
The system call monitoring device may be integrated in a terminal, and the terminal may include a mobile phone, a tablet computer, a notebook computer or similar devices.
From the above it can be seen that, in this embodiment, when a start request for a user process is received, the creating unit 302 creates the user process according to the identifier, carried in the start request, of the user process that needs to be started, and the tracing unit 303 traces the user process; then, when the tracing information indicates that the user process is making a system call, the acquiring unit 304 obtains the system call information and the monitoring unit 305 monitors the system call operations of the user process on the basis of that information. Because most of the logic of this scheme is completed in user space and no data in kernel space needs to be modified, it is simpler to implement; and because the scheme does not depend on a system vulnerability, its applicability, stability and compatibility are greatly improved compared with existing schemes.
Embodiment Four
Correspondingly, an embodiment of the present invention further provides a terminal. As shown in Figure 4, the terminal may include a radio frequency (RF) circuit 401, a memory 402 comprising one or more computer-readable storage media, an input unit 403, a display unit 404, a sensor 405, an audio circuit 406, a Wireless Fidelity (WiFi) module 407, a processor 408 comprising one or more processing cores, and a power supply 409. Those skilled in the art will understand that the terminal structure shown in Figure 4 does not limit the terminal, which may include more or fewer components than shown, combine certain components, or arrange the components differently. In detail:
The RF circuit 401 can be used to receive and send signals while information is received and transmitted or during a call; in particular, after receiving downlink information from a base station it hands that information to one or more processors 408 for processing, and it also sends uplink data to the base station. The RF circuit 401 generally includes, but is not limited to, an antenna, at least one amplifier, a tuner, one or more oscillators, a subscriber identity module (SIM) card, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer and so on. The RF circuit 401 can also communicate with networks and other devices by wireless communication using any communication standard or protocol, including but not limited to Global System for Mobile communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), e-mail, Short Messaging Service (SMS) and so on.
The memory 402 can be used to store software programs and modules; the processor 408 performs various functional applications and data processing by running the software programs and modules stored in the memory 402. The memory 402 may mainly comprise a program storage area and a data storage area: the program storage area may store an operating system and the application programs required by at least one function (such as a sound playing function or an image playing function), and the data storage area may store data created during use of the terminal (such as audio data and a phone book). In addition, the memory 402 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other solid-state storage device. Accordingly, the memory 402 may also include a memory controller that provides the processor 408 and the input unit 403 with access to the memory 402.
The input unit 403 can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal inputs related to user settings and function control. Specifically, in one embodiment the input unit 403 may include a touch-sensitive surface and other input devices. The touch-sensitive surface, also called a touch screen or touch pad, collects the user's touch operations on or near it (such as operations by the user with a finger, a stylus or any other suitable object or accessory on or near the touch-sensitive surface) and drives the corresponding connected device according to a preset program. Optionally, the touch-sensitive surface may comprise two parts, a touch detection device and a touch controller: the touch detection device detects the position of the user's touch and the signal produced by the touch operation and passes the signal to the touch controller; the touch controller receives the touch information from the touch detection device, converts it into contact coordinates, sends them to the processor 408, and can receive and execute commands sent by the processor 408. The touch-sensitive surface may be implemented in various types, such as resistive, capacitive, infrared and surface acoustic wave. Besides the touch-sensitive surface, the input unit 403 may also include other input devices, which may include but are not limited to one or more of a physical keyboard, function keys (such as volume control keys and a power key), a trackball, a mouse, a joystick and so on.
The display unit 404 can be used to display information input by the user or provided to the user, and the various graphical user interfaces of the terminal, which may be composed of graphics, text, icons, video and any combination of these. The display unit 404 may include a display panel, which may optionally be configured in the form of a liquid crystal display (LCD), an organic light-emitting diode (OLED) display and so on. Further, the touch-sensitive surface may cover the display panel: when the touch-sensitive surface detects a touch operation on or near it, it passes the operation to the processor 408 to determine the type of touch event, and the processor 408 then provides the corresponding visual output on the display panel according to the type of touch event. Although in Figure 4 the touch-sensitive surface and the display panel are two separate components that realise the input and output functions, in some embodiments the touch-sensitive surface and the display panel may be integrated to realise the input and output functions.
The terminal may also include at least one sensor 405, such as a light sensor, a motion sensor and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor: the ambient light sensor can adjust the brightness of the display panel according to the ambient light, and the proximity sensor can switch off the display panel and/or the backlight when the terminal is moved to the ear. As one kind of motion sensor, a gravity acceleration sensor can detect the magnitude of acceleration in each direction (generally three axes) and, when stationary, the magnitude and direction of gravity; it can be used in applications that recognise the posture of the mobile phone (such as switching between landscape and portrait, related games and magnetometer posture calibration) and in vibration-recognition functions (such as a pedometer or tapping). The terminal may also be equipped with other sensors such as a gyroscope, a barometer, a hygrometer, a thermometer and an infrared sensor, which are not described further here.
The audio circuit 406, a speaker and a microphone can provide an audio interface between the user and the terminal. The audio circuit 406 can convert received audio data into an electrical signal and transmit it to the speaker, which converts it into a sound signal for output; conversely, the microphone converts a collected sound signal into an electrical signal, which the audio circuit 406 receives and converts into audio data; the audio data is then output to the processor 408 for processing and sent, for example, to another terminal via the RF circuit 401, or output to the memory 402 for further processing. The audio circuit 406 may also include an earphone jack to provide communication between an external earphone and the terminal.
WiFi is a short-range wireless transmission technology; through the WiFi module 407 the terminal can help the user send and receive e-mail, browse web pages, access streaming media and so on, providing the user with wireless broadband Internet access. Although Figure 4 shows the WiFi module 407, it is understood that it is not an essential component of the terminal and may be omitted as needed without changing the essence of the invention.
The processor 408 is the control centre of the terminal. It connects all parts of the mobile phone through various interfaces and lines, and performs the various functions of the terminal and processes data by running or executing the software programs and/or modules stored in the memory 402 and calling the data stored in the memory 402, thereby monitoring the mobile phone as a whole. Optionally, the processor 408 may include one or more processing cores; preferably, the processor 408 may integrate an application processor, which mainly handles the operating system, user interface and application programs, and a modem processor, which mainly handles wireless communication. It is understood that the modem processor may also not be integrated in the processor 408.
The terminal also includes a power supply 409 (such as a battery) that powers the components; preferably, the power supply can be logically connected to the processor 408 through a power management system, so that charging, discharging, power consumption and the like are managed through the power management system. The power supply 409 may also include one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, a power status indicator and any other such components.
Although not shown, the terminal may also include a camera, a Bluetooth module and so on, which are not described further here. Specifically, in this embodiment the processor 408 of the terminal loads the executable files corresponding to the processes of one or more application programs into the memory 402 according to the following instructions, and runs the application programs stored in the memory 402 so as to realise the following functions:
receiving a start request for a user process, the start request carrying the identifier of the user process that needs to be started; creating the user process according to the identifier, and tracing the user process to obtain tracing information; obtaining system call information when the tracing information indicates that the user process is making a system call; and monitoring the system call operations of the user process on the basis of the system call information.
For example, the operations of the system call monitoring method can be performed by providing a tracing process (also called an interception process); that is, the processor 408 can perform the following operations:
receiving a system call monitoring request, and starting the tracing process according to the monitoring request.
Subsequently, the start request for the user process can be received through the tracing process, and the tracing process traces the user process. For instance, the tracing process can be attached to the hatching process; a subprocess is created through the hatching process (the subprocess inheriting the content of the hatching process) and the preset parameters in the subprocess are modified according to the identifier to obtain the user process; at the same time, a corresponding flag indicating that user processes are to be traced, such as PTRACE_O_TRACEFORK (which the tracing process sets on the traced hatching process through PTRACE_SETOPTIONS), is set so that the tracing process is automatically attached to the user process. Then, when the user process calls a syscall, the tracing process receives the signal sent by kernel space that carries the system call information, and the tracing process monitors the system call operations of the user process on the basis of that information. The monitoring may specifically be as follows:
The call number of the system call function is read; when it is determined according to the call number that calls to the function need to be controlled, the system call information is analysed to obtain an analysis result, and the system call operations of the user process are controlled according to the analysis result. For example, if it is determined according to the analysis result that the user process has the permission to call the function, the user process is allowed to call the function; conversely, if it is determined according to the analysis result that the user process does not have the permission to call the function, the user process is prevented from calling the function, and so on.
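The following C program is an added worked example; it is not part of the patent and not Tencent's implementation. It shows, on x86_64 Linux, the user-space side of the two procedures described above: a tracing process that follows the traced process into the processes it forks (the PTRACE_O_TRACEFORK option named above), reads the call number from the CPU registers at every syscall-stop (orig_rax on x86_64), looks the number up in a preset table, and allows or blocks the call according to the permissions the traced process holds. The permission bits PERM_NET and PERM_MKDIR, the contents of the policy table and the /tmp path are assumptions made for the demonstration; the register names and SYS_* numbers are those of x86_64 Linux, and another architecture needs its own register names and call numbers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>
#define PERM_NET   0x1u   /* hypothetical permission bits standing in for the */
#define PERM_MKDIR 0x2u   /* "preset parameters" the patent attaches to a process */

/* Preset data table: only calls listed here are controlled; every other call passes. */
struct policy_entry { long nr; unsigned need; };
static const struct policy_entry policy[] = {
    { SYS_mkdir, PERM_MKDIR }, { SYS_mkdirat, PERM_MKDIR },
    { SYS_socket, PERM_NET },  { SYS_connect, PERM_NET },
};
enum verdict { ALLOW = 0, DENY = 1 };

/* Call number -> table lookup -> compare the required bit with the caller's permissions. */
enum verdict syscall_decision(long nr, unsigned perms)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].nr == nr)
            return (perms & policy[i].need) == policy[i].need ? ALLOW : DENY;
    return ALLOW;
}

/* Entry and exit of a call arrive as the same kind of stop, so keep per-tracee state. */
struct tracee { pid_t pid; int started, in_syscall; };
static struct tracee tracees[64]; static int ntracees;
static struct tracee *tracee_for(pid_t pid)
{
    for (int i = 0; i < ntracees; i++) if (tracees[i].pid == pid) return &tracees[i];
    if (ntracees == 64) return NULL;
    tracees[ntracees].pid = pid;
    return &tracees[ntracees++];
}

/* Monitor `first` (stopped under PTRACE_TRACEME) and every process it forks.
   Returns the number of blocked calls, or -1 on a ptrace/wait error. */
long trace_process(pid_t first, unsigned perms)
{
    int status; long blocked = 0;
    if (waitpid(first, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    /* TRACESYSGOOD tags syscall-stops as SIGTRAP|0x80; TRACEFORK/TRACECLONE make the
       kernel attach this tracer to forked children (the job of the patent's tracing flag). */
    long opts = PTRACE_O_TRACESYSGOOD | PTRACE_O_TRACEFORK | PTRACE_O_TRACECLONE;
    if (ptrace(PTRACE_SETOPTIONS, first, NULL, (void *)opts) < 0) return -1;
    tracee_for(first)->started = 1;
    if (ptrace(PTRACE_SYSCALL, first, NULL, NULL) < 0) return -1;
    for (;;) {
        pid_t pid = waitpid(-1, &status, __WALL);
        if (pid < 0) return errno == ECHILD ? blocked : -1;    /* no tracees left */
        struct tracee *t = tracee_for(pid); if (!t) return -1;
        if (!WIFSTOPPED(status)) { t->pid = -1; continue; }     /* tracee terminated */
        int sig = WSTOPSIG(status), deliver = 0;
        if (sig == (SIGTRAP | 0x80)) {                          /* syscall-stop */
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
            t->in_syscall = !t->in_syscall;
            if (t->in_syscall) {                                /* entry: number in orig_rax */
                if (syscall_decision((long)regs.orig_rax, perms) == DENY) {
                    regs.orig_rax = (unsigned long long)-1;     /* -1: kernel runs no call */
                    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                    blocked++;
                }
            } else if ((long)regs.orig_rax == -1) {             /* exit of a skipped call */
                regs.rax = (unsigned long long)-EPERM;          /* caller sees -1 / EPERM */
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            }
        } else if (sig == SIGSTOP && !t->started) {
            t->started = 1;                                     /* auto-attached child's first stop */
        } else if (sig != SIGTRAP || (status >> 16) == 0) {
            deliver = sig;                                      /* ordinary signal: pass it on */
        }                                                       /* else: fork/clone event stop */
        ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)deliver);
    }
}

int main(void)
{
    pid_t child = fork(); if (child < 0) return 1;   /* plays the process spawned by the zygote */
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                          /* let the tracer set its options first */
        pid_t g = fork();                        /* followed through PTRACE_O_TRACEFORK */
        if (g == 0) _exit(0);
        waitpid(g, NULL, 0);
        int r = mkdir("/tmp/syscall-monitor-demo", 0700);    /* constructed demo path */
        fprintf(stderr, "child: mkdir -> %d (%s)\n", r, r < 0 ? strerror(errno) : "ok");
        _exit(r < 0 && errno == EPERM ? 0 : 2);
    }
    long blocked = trace_process(child, PERM_NET);    /* no PERM_MKDIR: mkdir is denied */
    fprintf(stderr, "tracer: blocked %ld call(s)\n", blocked);
    return blocked == 1 ? 0 : 1;
}
```

A blocked call is skipped by rewriting the call number to -1 at syscall entry, and the return register is then rewritten to -EPERM at syscall exit so that the traced process observes an ordinary permission error rather than ENOSYS. Two limitations of any ptrace-based monitor matter when assessing the scheme: a process can have only one tracer, so the monitor and a debugger cannot both be attached, and arguments passed by pointer (path names, socket addresses) live in the tracee's memory and can be changed by another thread between the tracer's check and the kernel's own copy, so a decision based on such arguments can be raced; deployments that need to filter on arguments typically pair ptrace with seccomp-bpf, which evaluates register values inside the kernel.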
The specific implementation of each of the above operations can be found in the embodiments above and is not repeated here.
From the above it can be seen that the terminal of this embodiment, on receiving a start request for a user process, can create the user process according to the identifier, carried in the start request, of the user process that needs to be started, and trace the user process; then, when the tracing information indicates that the user process is making a system call, it obtains the system call information and monitors the system call operations of the user process on the basis of that information. Because most of the logic of this scheme is completed in user space and no data in kernel space needs to be modified, it is simpler to implement; and because the scheme does not depend on a system vulnerability, its applicability, stability and compatibility are greatly improved compared with existing schemes.
A person of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments can be completed by a program instructing the relevant hardware; the program can be stored in a computer-readable storage medium, which may include a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc and so on.
The system call monitoring method and device provided by the embodiments of the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention, and the description of the above embodiments is only intended to help in understanding the method of the present invention and its core idea. At the same time, a person skilled in the art may, in accordance with the idea of the present invention, make changes to the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present invention.

Claims (14)

1. A system call monitoring method, characterised in that it comprises:
receiving a start request for a user process, the start request carrying the identifier of the user process that needs to be started;
creating the user process according to the identifier, and tracing the user process to obtain tracing information;
obtaining system call information when the tracing information indicates that the user process is making a system call;
monitoring the system call operations of the user process on the basis of the system call information.
2. The method according to claim 1, characterised in that said creating the user process according to the identifier comprises:
attaching a tracing process to a hatching process;
creating a subprocess through the hatching process, the subprocess inheriting the content of the hatching process;
modifying preset parameters in the subprocess according to the identifier to obtain the user process.
3. The method according to claim 2, characterised in that, when the tracing process is attached to the hatching process, the method further comprises:
setting a corresponding flag for the tracing process, the flag indicating whether user processes are to be traced;
and said tracing the user process to obtain tracing information comprises: when it is determined that the flag indicates that user processes are to be traced, attaching the tracing process to the user process so that the tracing process traces the user process and obtains tracing information.
4. The method according to claim 2, characterised in that, before receiving the start request for the user process, the method further comprises:
receiving a system call monitoring request;
starting the tracing process according to the monitoring request.
5. The method according to any one of claims 1 to 4, characterised in that said obtaining system call information when the tracing information indicates that the user process is making a system call comprises:
when the tracing information indicates that the user process is making a system call, receiving the system call information from kernel space through the tracing process.
6. The method according to any one of claims 1 to 4, characterised in that said monitoring the system call operations of the user process on the basis of the system call information comprises:
reading the function number of the system call function;
when it is determined according to the function number that the function call needs to be controlled, analysing the system call information to obtain an analysis result;
controlling the system call operations of the user process according to the analysis result.
7. The method according to claim 6, characterised in that said controlling the system call operations of the user process according to the analysis result comprises:
when it is determined according to the analysis result that the user process has the permission to call the function, allowing the user process to call the function;
when it is determined according to the analysis result that the user process does not have the permission to call the function, preventing the user process from calling the function.
8. A system call monitoring device, characterised in that it comprises:
a receiving unit, configured to receive a start request for a user process, the start request carrying the identifier of the user process that needs to be started;
a creating unit, configured to create the user process according to the identifier;
a tracing unit, configured to trace the user process and obtain tracing information;
an acquiring unit, configured to obtain system call information when the tracing information indicates that the user process is making a system call;
a monitoring unit, configured to monitor the system call operations of the user process on the basis of the system call information.
9. The device according to claim 8, characterised in that
the creating unit is specifically configured to attach a tracing process to a hatching process; create a subprocess through the hatching process, the subprocess inheriting the content of the hatching process; and modify preset parameters in the subprocess according to the identifier to obtain the user process.
10. The device according to claim 9, characterised in that
the creating unit is further configured to set a corresponding flag for the tracing process when attaching the tracing process to the hatching process, the flag indicating whether subprocesses are to be traced;
the tracing unit is specifically configured to attach the tracing process to the user process when it determines that the flag indicates that user processes are to be traced, so that the tracing process traces the user process and obtains tracing information.
11. The device according to claim 9, characterised in that it further comprises a start unit;
the receiving unit is further configured to receive a system call monitoring request;
the start unit is configured to start the tracing process according to the monitoring request.
12. The device according to any one of claims 8 to 11, characterised in that
the acquiring unit is specifically configured to receive, through the tracing process, the system call information from kernel space when the tracing information indicates that the user process is making a system call.
13. The device according to any one of claims 8 to 11, characterised in that the monitoring unit comprises:
a reading subunit, configured to read the function number of the system call function;
an analysis subunit, configured to analyse the system call information and obtain an analysis result when it determines, according to the function number, that the function call needs to be controlled;
a control subunit, configured to control the system call operations of the user process according to the analysis result.
14. The device according to claim 13, characterised in that the control subunit is specifically configured to:
allow the user process to call the function when it determines, according to the analysis result, that the user process has the permission to call the function;
prevent the user process from calling the function when it determines, according to the analysis result, that the user process does not have the permission to call the function.
Application CN201610490064.3A, priority date 2016-06-28, filing date 2016-06-28, "A kind of monitoring method and device of system calling", status Active, granted as CN106681884B (en).

Publications (2)

Publication Number  Publication Date
CN106681884A  2017-05-17
CN106681884B  2018-09-04

Family ID: 58839823

Country Status (1)

Country  Link
CN (1)  CN106681884B (en)
Cited By (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN108228165A *  2018-01-05  2018-06-29  武汉斗鱼网络科技有限公司  Method and electronic device for recording call information between program interfaces
CN110990874A *  2019-12-04  2020-04-10  厦门安胜网络科技有限公司  Safety protection method and system for Android file
CN111858224A *  2019-04-25  2020-10-30  珠海格力电器股份有限公司  Process monitoring method and device in android system
CN112269536A *  2020-10-16  2021-01-26  苏州浪潮智能科技有限公司  Method and device for optimizing storage software system and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number  Priority date  Publication date  Assignee  Title
CN103886249A *  2012-12-20  2014-06-25  腾讯科技(深圳)有限公司  Method and device for executing processes under superuser right in system
CN104156298A *  2014-08-19  2014-11-19  腾讯科技(深圳)有限公司  Application monitoring method and device
US20150033320A1 *  2012-04-26  2015-01-29  Tencent Technology (Shenzhen) Company Limited  Safety Protection Method, Firewall, Terminal Device and Computer-Readable Storage Medium
CN105373729A *  2015-12-24  2016-03-02  北京奇虎科技有限公司  Information processing method and system

Also Published As

Publication number Publication date
CN106681884B (en) 2018-09-04

Similar Documents

Publication Publication Date Title
CN103942113B (en) The detection method of system reboot reason, device and terminal unit
EP3200487B1 (en) Message processing method and apparatus
CN104951212B (en) Desktop data processing method, the device and system of a kind of mobile terminal
CN104519485B (en) Communication means, device and system between a kind of terminal
CN103389863B (en) A kind of display control method and device
CN103473092B (en) A kind of download the processing method of application, device and terminal unit
CN104123120B (en) A kind of browser page data filtering method, device and system
CN104901805B (en) A kind of identification authentication methods, devices and systems
CN106502703A (en) A kind of function calling method and device
CN104123276B (en) The hold-up interception method of pop-up, device and system in a kind of browser
CN106570358A (en) Method and device for setting application permissions
CN106529312B (en) A kind of authority control method of mobile terminal, device and mobile terminal
CN104717341A (en) Message prompting method and terminal
CN106529332B (en) A kind of authority control method of mobile terminal, device and mobile terminal
CN106547844A (en) A kind for the treatment of method and apparatus of user interface
CN106681884A (en) System call monitoring method and device
CN105955597A (en) Method and device for displaying information
CN106713608A (en) Application function state modifying method and apparatus, and terminal
CN107104930A (en) It is a kind of that the methods, devices and systems for checking authority are set
CN103533139B (en) Data management method and device of multi-card user and mobile terminal
CN104348944A (en) Caller identification method and caller identification terminal
CN104391629A (en) Method for sending message in orientation manner, method for displaying message, server and terminal
CN103824003B (en) application program protecting method, device and terminal
CN105553718A (en) Method and device for displaying guidance information
CN105703808A (en) Method and device for transmitting data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230919

Address after: 100086 Beijing Haidian District Zhichun Road 49 No. 3 West 309

Patentee after: TENCENT CLOUD COMPUTING (BEIJING) Co.,Ltd.

Address before: 2, 518000, East 403 room, SEG Science and Technology Park, Zhenxing Road, Shenzhen, Guangdong, Futian District

Patentee before: TENCENT TECHNOLOGY (SHENZHEN) Co.,Ltd.