CN106709325A - Method and device for monitoring program - Google Patents


Info

Publication number
CN106709325A
Authority
CN
China
Prior art keywords
dll
api function
function
injection
monitored program
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611043652.9A
Other languages
Chinese (zh)
Other versions
CN106709325B (en)
Inventor
向琦
董文辉
王有富
林智鑫
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201611043652.9A
Publication of CN106709325A
Application granted
Publication of CN106709325B
Legal status: Active
Anticipated expiration


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a method and device for monitoring a program and belongs to the technical field of computers. The method includes: loading a to-be-monitored program; while the to-be-monitored program runs, instrumenting each application programming interface (API) function it calls; acquiring the function name of each API function; judging from the function name whether each API function satisfies preset decision logic; if so, judging that dynamic link library (DLL) injection has occurred in the to-be-monitored program; detecting the injection type of the DLL injection according to preset detection logic; and acquiring the injection information. The method can effectively judge whether the to-be-monitored program has been injected with a DLL module and by what injection manner; only the information of the API functions that conform to the logic needs to be output and judged, other API functions are neither processed nor output, and monitoring efficiency is therefore markedly increased.

Description

Method and device for monitoring a program
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring a program.
Background technology
In the prior art, for performance reasons, the active defense module on a device checks only whether a program's executable file (for example an .exe file) is trustworthy, and does not check the DLL (Dynamic Link Library) files that the program loads. DLL injection means placing a DLL into the address space of a process so that it becomes part of that process.
Some malicious programs exploit this characteristic of active defense: using DLL injection, a Trojan DLL is packaged together with a trusted white program, and when the white program runs the Trojan DLL is loaded, so that active defense is bypassed by way of the white program.
In the prior art, an instrumentation tool has been used to extract the DLL injection code of a suspicious program, but this presupposes that the injection code is available; in most cases only the normal program, that is, the monitored process, is available, and in that situation this detection method does not work. Instrumentation means inserting probes (also called "monitors") into a program while preserving the integrity of its original logic; the probes execute and emit the program's runtime characteristics, and by analyzing that data the program's control-flow and data-flow information, and further dynamic information such as logic coverage, can be obtained, thereby achieving the purpose of testing.
In addition, the prior art instruments every API that a suspicious program executes; since a program calls a large number of APIs and the instrumentation tool's efficiency is limited, this method is inefficient and performs too poorly in practice. Here an API (Application Programming Interface) is a set of pre-defined functions.
Summary of the invention
The invention provides a method and device for monitoring a program, at least to solve the problem of actively monitoring whether DLL injection occurs in a program, and judging the injection type and whether it is a malicious injection, without having obtained the injection code in advance.
According to one aspect of the invention, a method for monitoring a program is provided, comprising:
determining the program to be monitored;
loading the monitored program;
while the monitored program runs, instrumenting each application programming interface (API) function called by the monitored program;
obtaining the function name of the API function;
judging, according to the function name of the API function, whether the API function satisfies preset decision logic;
if so, judging that dynamic link library (DLL) injection has occurred in the monitored program;
detecting the injection type of the DLL injection according to preset detection logic;
obtaining the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function that satisfies the preset decision logic.
According to another aspect of the invention, a device for monitoring a program is provided, comprising:
a determining module, for determining the program to be monitored;
a loading module, for loading the monitored program;
an instrumentation module, for instrumenting, while the monitored program runs, each application programming interface (API) function called by the monitored program;
a function name acquisition module, for obtaining the function name of the API function;
an injection judging module, for judging, according to the function name of the API function, whether the API function satisfies preset decision logic, and if so, judging that dynamic link library (DLL) injection has occurred in the monitored program;
an injection type acquisition module, for detecting the injection type of the DLL injection according to preset detection logic;
an injection information acquisition module, for obtaining the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function that satisfies the preset decision logic.
The method and device for monitoring a program of the invention work by determining the program to be monitored; loading the monitored program; instrumenting, while the monitored program runs, each application programming interface (API) function called by it; obtaining the function name of the API function; judging from the function name whether the API function satisfies preset decision logic; if so, judging that dynamic link library (DLL) injection has occurred in the monitored program; detecting the injection type of the DLL injection according to preset detection logic; and obtaining the injection information of the DLL module injected into the monitored program, that injection information including the parameters, function name, module name and stack information of the API function that satisfies the preset decision logic. The invention can effectively judge whether the monitored program has been injected with a DLL module, when it was injected, and by what injection mode, achieving extraction of the injection code and judgment of the injection type. With the preset decision logic of the invention, only the information of the API functions in the DLL module that conform to the decision logic needs to be output, and other API functions are neither processed nor output, which markedly improves monitoring efficiency. In addition, the instrumentation tool can monitor large batches of programs automatically and simultaneously, extract the injected code, and output large batches of log files, reducing manual intervention and improving efficiency.
Brief description of the drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art and their advantages more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only some embodiments of the invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a hardware block diagram of a computer terminal for the program monitoring method according to an embodiment of the invention;
Fig. 2 is a flowchart of the program monitoring method according to embodiment 1 of the invention;
Fig. 3 is a flowchart of step S208 according to embodiment 1 of the invention;
Fig. 4 is another flowchart of the method according to embodiment 1 of the invention;
Fig. 5 is a flowchart of step S209 according to embodiment 1 of the invention;
Fig. 6 is another flowchart of step S209 according to embodiment 1 of the invention;
Fig. 7 is a block diagram of the program monitoring device according to embodiment 2 of the invention;
Fig. 8 is a structural block diagram of a computer terminal according to an embodiment of the invention.
Detailed description of the embodiments
In order that those skilled in the art may better understand the solution of the invention, the technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative effort, fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data so used may be interchanged where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. Moreover, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to that process, method, product or device.
Embodiment 1
According to an embodiment of the invention, an embodiment of a method for monitoring a program is provided. It should be noted that the steps shown in the flowcharts of the drawings may be executed in a computer system such as a set of computer-executable instructions, and that, although a logical order is shown in the flowcharts, in some cases the steps shown or described may be executed in an order different from the one here.
The method embodiment provided in embodiment 1 of this application may be executed in a mobile terminal, a computer terminal or a similar computing device. Taking execution on a computer terminal as an example, Fig. 1 is a hardware block diagram of a computer terminal for the program monitoring method according to an embodiment of the invention. As shown in Fig. 1, the computer terminal 100 may include one or more processors 102 (only one is shown in the figure; a processor 102 may include, but is not limited to, a processing device such as a microprocessor (MCU) or a programmable logic device (FPGA)), a memory 104 for storing data, and a transmission device 106 for communication functions. A person of ordinary skill in the art will understand that the structure shown in Fig. 1 is only illustrative and does not limit the structure of the above electronic device. For example, the computer terminal 100 may also include more or fewer components than shown in Fig. 2, or have a configuration different from that shown in Fig. 1.
The memory 104 may be used to store software programs and modules of application software, such as the program instructions/modules corresponding to the program monitoring method in the embodiment of the invention; the processor 102 runs the software programs and modules stored in the memory 104 to perform various functional applications and data processing, that is, to implement the above program monitoring method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 over a network. Examples of such a network include, but are not limited to, the internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The transmission device 106 is used to receive or send data via a network. Specific examples of the network may include a wireless network provided by the communication provider of the computer terminal 100. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, NIC), which can connect to other network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a radio frequency (RF) module used to communicate with the internet wirelessly.
In the above operating environment, this application provides the program monitoring method shown in Fig. 2. The method may be applied to a computer terminal, or to an intelligent terminal device and executed by the processor in that device; the intelligent terminal device may be a smartphone, a tablet computer, etc. At least one application program is installed on the intelligent terminal device; the embodiment of the invention does not limit the kind of application program, which may be a system application or a software application.
Fig. 2 is a flowchart of the program monitoring method according to an embodiment of the invention. As shown in Fig. 2, an optional scheme of the program monitoring method comprises the following steps:
Step S201: determining the program to be monitored.
The monitored program in this application may be an EXE (executable file) or a DLL (dynamic link library), and refers to any program.
For the Windows operating system, the monitored program is a PE file. PE stands for Portable Executable; common EXE, DLL, OCX, SYS and COM files are all PE files, and a PE file is a program file (possibly executed indirectly, such as a DLL) on Microsoft's Windows operating system.
Step S202: loading the monitored program.
Loading the monitored program here means loading the monitored program with a binary dynamic instrumentation tool.
Binary instrumentation means decoding the target program directly, without needing its source code, and inserting instrumentation at the corresponding positions; because this process is rather laborious, many instrumentation tools encapsulate it and expose an interface for the user to use directly. Binary instrumentation performed before the program runs is called static instrumentation; instrumentation performed while the program runs is called dynamic instrumentation.
A binary dynamic instrumentation tool instruments and filters the program's instructions or other features during program execution, according to rules set in advance.
Step S203: while the monitored program runs, instrumenting each application programming interface (API) function called by the monitored program.
An API (Application Programming Interface) is a set of pre-defined functions whose purpose is to give applications and developers the ability to access a set of routines based on certain software or hardware, without having to access the source code or understand the details of the internal working mechanism. In the Windows operating system, API functions are contained in the dynamic link library (DLL) files under the Windows system directory.
Instrumentation means inserting probes (also called "monitors") into a program while preserving the integrity of its original logic; a probe is also referred to as monitor code or instrumentation code. The probes execute and emit the program's runtime characteristics, and by analyzing that data the program's control-flow and data-flow information, and further dynamic information such as logic coverage, can be obtained, thereby achieving the purpose of testing.
In the prior art, in order to hook other processes and thereby control a target process, a prepared function DLL (dynamic link library) is usually injected into the target process; in this way all kinds of monitoring software are evaded and cannot detect it.
As an optional implementation, this application monitors each API function called by the monitored program with the PIN (Pin API Record Tool) instrumentation tool.
PIN is currently a widely used binary dynamic instrumentation tool at home and abroad. It uses JIT (Just-In-Time) compilation, was developed and released by Intel Corporation, and achieves monitoring of a target process by inserting probes into the program. Its programming interface uses C/C++, it supports multiple platforms (Windows, Linux, etc.), and it offers multiple instrumentation granularities, from function instrumentation down to instruction instrumentation. This application uses the tool to detect DLL injection behavior against the monitored program.
As an optional embodiment, instrumenting, while the monitored program runs, each application programming interface (API) function called by the monitored program includes: inserting instrumentation code at the head and tail of each API function of the monitored program by means of the instrumentation tool; that is, inserting instrumentation code at the entry and at the return of each API function of the monitored program.
Because a program calls a large number of APIs, instrumenting every instruction of each API function is very inefficient. This application inserts instrumentation code only at the head and tail of the API functions of the monitored program, that is, it performs function instrumentation rather than instruction instrumentation, which greatly improves monitoring efficiency.
Taking the PIN instrumentation tool as an example, this application monitors the program with function instrumentation (RTN_InsertCall). The instrumentation code is as follows:
Step S204: obtaining the function name of the API function.
This application obtains the output value of the instrumentation code when the API functions of the monitored program are dynamically instrumented; the output value of the instrumentation code is the function name of the API function. Note, however, that these output values are used only for the logic judgment during subsequent monitoring: only when the preset judgment is satisfied is the output value of the instrumentation code actually emitted and the related APIs further instrumented, which greatly improves the monitoring efficiency of the program.
Step S205: judging, according to the function name of the API function, whether the API function satisfies the preset decision logic.
If so, step S206 is performed. If not, it is judged that no DLL injection has occurred in the monitored program.
Specifically, the preset decision logic may be:
detecting that the CreateRemoteThread function and the LoadLibrary function are called after data is written to the memory of the monitored program;
or, detecting that the CreateRemoteThreadEx function and the LoadLibrary function are called after data is written to the memory of the monitored program;
or, detecting that the LoadLibrary function is called in the APC queue and that the thread was in a wait state (trap) before the LoadLibrary call.
Meeting one of these conditions can be determined to be DLL injection.
It should be noted that the above are only three exemplary decision logics; the decision logic in this application is not limited to these three.
Step S206: judging that dynamic link library (DLL) injection has occurred in the monitored program.
Step S207: detecting the injection type of the DLL injection according to the preset detection logic.
As an optional embodiment, step S207 of this application includes:
extracting the function name of the API function that satisfies the preset decision logic;
if it is detected that the CreateRemoteThread function and the LoadLibrary function are called after data is written to the memory of the monitored program, or that the CreateRemoteThreadEx function and the LoadLibrary function are called after data is written to the memory of the monitored program, judging that the injection type of the DLL injection is remote thread injection;
if it is detected that the LoadLibrary function is called in the APC queue and that the thread was in a wait state before the LoadLibrary function executed, judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection.
Specifically, if a LoadLibrary function is detected in the API function call sequence and the thread was in a wait state before the LoadLibrary function executed, the injection type of the DLL injection is judged to be APC injection.
The inventors analyzed and studied remote thread injection and APC (Asynchronous Procedure Call) injection and derived from them the decision logic for determining whether DLL injection has occurred and what its injection type is.
Remote thread injection writes data into the memory of the target process and then completes the DLL injection by calling two functions: CreateRemoteThread (or CreateRemoteThreadEx) and LoadLibrary. Therefore, within the API function call sequence, meeting this condition is determined to be DLL injection, and the injection mode is remote thread injection.
APC injection uses the mechanism by which the functions registered in the APC queue are executed when the thread wakes up: generally the LoadLibrary function is inserted into the thread's APC queue. Therefore, within the call sequence, the LoadLibrary function is executed while the thread was in a wait state before this function, for example having called SleepEx or WaitForSingleObjectEx. An instruction sequence meeting this condition can be determined to be DLL injection, and the injection mode is APC injection.
A current patent uses an instrumentation tool to extract injection code, but presupposes that the injection code is available; in most cases only the normal program, that is, the monitored process, is available, and in that situation the detection method does not work. This application aims to judge injection without the malicious code, so its range of use is wider. Moreover, this application first obtains the API function call sequence from the output values of the instrumentation code; secondly, it judges whether the call sequence of the API functions satisfies the preset decision logic, and if so, judges that DLL injection has occurred and further determines the injection type.
It should be noted that the classification into the two injection modes, remote thread injection and APC injection, in the current detection logic is only exemplary; the invention is not limited to these two detection logics. For further types of injection mode, detection logic may be added to the invention, thereby improving the detection of DLL injection.
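The three decision rules above, applied to a recorded API-call trace, as an added example that is not the patent's own code. The trace records are constructed here; WriteProcessMemory standing for "writing data to the monitored program's memory", the LoadLibrary variants, and reading "trap" as an alertable wait such as SleepEx immediately before the LoadLibrary call on the same thread are all assumptions of this example. The injection information returned for a match is the parameters, function name, module name and stack the text lists for step S208.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One record from the entry probe of an API function (constructed shape; the
# text only says the probe's output value is the function name and that
# parameters, module name and stack are collected for matching functions).
@dataclass(frozen=True)
class ApiCall:
    tid: int                      # thread that made the call
    name: str                     # API function name, the probe's output value
    module: str                   # module the call was made from
    args: Tuple = ()              # parameters captured at function entry
    stack: Tuple[int, ...] = ()   # return addresses captured at entry


# Function-name sets used by the rules (assumed; the text names them generically).
LOAD_LIBRARY = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
REMOTE_THREAD = {"CreateRemoteThread", "CreateRemoteThreadEx"}
MEMORY_WRITE = {"WriteProcessMemory"}                 # "writing data to the monitored program's memory"
ALERTABLE_WAIT = {"SleepEx", "WaitForSingleObjectEx", "WaitForMultipleObjectsEx"}  # the "trap" before LoadLibrary


def injection_info(call: ApiCall) -> Dict:
    """Injection information kept for the matching function (step S208)."""
    return {"function": call.name, "args": call.args,
            "module": call.module, "stack": call.stack}


def classify_injection(trace: List[ApiCall]) -> Optional[Tuple[str, Dict]]:
    """Apply the three preset decision rules to a call trace.

    Returns (injection_type, injection_info) for the LoadLibrary call that
    completes an injection pattern, or None when no rule is satisfied.
    """
    wrote_memory = False                 # data written into the monitored program
    remote_thread_after_write = False    # CreateRemoteThread(Ex) seen after that write
    last_call_on_thread: Dict[int, ApiCall] = {}   # tid -> previous call on that thread
    for call in trace:
        if call.name in MEMORY_WRITE:
            wrote_memory = True
        elif call.name in REMOTE_THREAD and wrote_memory:
            remote_thread_after_write = True          # rules 1 and 2
        elif call.name in LOAD_LIBRARY:
            if remote_thread_after_write:
                return "remote thread injection", injection_info(call)
            prev = last_call_on_thread.get(call.tid)  # rule 3: thread was waiting just before
            if prev is not None and prev.name in ALERTABLE_WAIT:
                return "APC injection", injection_info(call)
        last_call_on_thread[call.tid] = call
    return None


def log_lines(trace: List[ApiCall]) -> List[str]:
    """Only the call that satisfies a rule is written to the log; every other
    API record in the trace is filtered out, as the text describes."""
    result = classify_injection(trace)
    if result is None:
        return []
    kind, info = result
    return [f"{kind}: {info['function']} args={info['args']} "
            f"module={info['module']} stack={[hex(a) for a in info['stack']]}"]


# Constructed traces (thread ids, handles and paths are made up).
REMOTE_THREAD_TRACE = [
    ApiCall(0x1a4, "OpenProcess", "kernel32.dll", (0x1FFFFF, 0, 4242)),
    ApiCall(0x1a4, "VirtualAllocEx", "kernel32.dll", (0x1c8, 0, 4096)),
    ApiCall(0x1a4, "WriteProcessMemory", "kernel32.dll", (0x1c8, 0x7ff6a0000, "C:\\demo\\injected.dll")),
    ApiCall(0x1a4, "CreateRemoteThread", "kernel32.dll", (0x1c8, 0, 0, 0x7ffb1234, 0x7ff6a0000)),
    ApiCall(0x2b0, "LoadLibraryW", "kernel32.dll", ("C:\\demo\\injected.dll",), (0x7ffb1234, 0x7ffb5678)),
]
APC_TRACE = [
    ApiCall(0x3c1, "GetMessageW", "user32.dll"),
    ApiCall(0x3c1, "SleepEx", "kernel32.dll", (5000, 1)),        # alertable wait
    ApiCall(0x3c1, "LoadLibraryA", "kernel32.dll", ("C:\\demo\\apc.dll",), (0x7ffb9abc,)),
]
BENIGN_TRACE = [
    ApiCall(0x4d2, "CreateFileW", "kernel32.dll", ("C:\\data\\in.txt",)),
    ApiCall(0x4d2, "ReadFile", "kernel32.dll"),
    ApiCall(0x4d2, "LoadLibraryW", "kernel32.dll", ("comctl32.dll",)),  # ordinary library load
    ApiCall(0x4d2, "CloseHandle", "kernel32.dll"),
]

if __name__ == "__main__":
    for name, trace in [("remote", REMOTE_THREAD_TRACE), ("apc", APC_TRACE), ("benign", BENIGN_TRACE)]:
        print(name, log_lines(trace) or "no DLL injection detected")
```

Rule 3 as written will also fire for a benign program that happens to call LoadLibrary right after an alertable wait, which is why the text keeps the stack and parameters of the match for later analysis rather than treating the rule alone as a verdict.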
Step S208: obtaining the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function that satisfies the preset decision logic.
As an optional embodiment, as shown in Fig. 3, step S208 includes:
Step S301: extracting the information of the output API function.
Step S301: obtaining the parameters, function name, module name and stack information of the API function that satisfies the preset decision logic.
Step S302: locating the injection point of the DLL module injected into the monitored program.
Locating the injection point specifically means locating the LoadLibrary function.
Step S303: obtaining the information of the injection point according to the parameters, function name, module name and stack information of the API function.
Specifically, the information of the injection point may include: the parameters of the LoadLibrary function, its memory address, its return value, the stack information, and the module address of the module it belongs to.
After the injection point information of the DLL module injected into the monitored program and the context information of the injection point have been obtained, they can be stored in a log file. This application stores in the log file only the related information (e.g. parameters, name, module, stack, etc.) of the API functions that satisfy the preset decision logic, and automatically filters out, without outputting it, the related information of API functions not involved in DLL injection, thereby improving monitoring efficiency and saving system storage space.
The program for obtaining the injection code of the DLL module injected into the monitored program is as follows:
As a kind of optional embodiment, as shown in figure 4, also including after step S208:
Step S209, tracking performs the DLL modules for being injected into monitored program, extracts the API letters that the DLL modules are performed Whether Number Sequence, be malicious process according to the DLL modules that the api function sequence judges to be injected into monitored program.
As a kind of optional embodiment, as shown in figure 5, step S209 includes:
Step S501, tracking performs the DLL modules for being injected into monitored program.
Step S502, the function name and the calling sequence of api function of the api function in the extraction DLL modules.
Step S502 include extract injection DLL code call api functions title, parameter and call order.
After it has been detected that the monitored program has been injected with a DLL, the monitor code (stub code) inserted at the head and tail of each API function in the injected DLL module runs whenever that API function executes; the monitor code records each API function as it is called and stores information such as the function's parameters in a journal file.
When the injected DLL module is screened for malicious behaviour, the API function sequence called by the injected DLL module is extracted from the journal file. This includes the names and parameters of the API functions called by the injected DLL code while the monitored program runs, and the order in which they were called.
Note that in step S502 the API function call sequence may be the call sequence formed by all of the API functions in the DLL module, or the call sequence formed by only part of the API functions in the DLL module.
Different API function call sequences realise different functions. For example, "MoveFile -> ShellExecute" copies and executes a file, while "SuspendThread -> SetThreadContext -> ResumeThread ..." is used by malicious code to switch the execution path.
The API function call sequence is looked up in a preset malicious-sequence library; if it is found, the DLL module is judged to be a malicious process, and if it is not found, the DLL module is judged not to be a malicious process.
Step S503: look up whether the API function call sequence exists in the preset malicious-sequence library. If so, perform step S504; if not, perform step S505.
Step S504: judge that the DLL module is a malicious process.
Step S505: judge that the DLL module is not a malicious process.
That is, the method checks whether the API function call sequence has a record in the preset malicious-sequence library: if it does, the API function sequence is illegal; if the library holds no such record, the API function sequence is legal.
The preset malicious-sequence library records the API function sequences that all known malicious code may call when it executes.
The preset malicious-sequence library can be, for example, Tencent's Hubble system, maintained and updated by professional technical staff; the library stores all currently known malicious API function sequences used to damage computers. The malicious API function sequences recorded in the library fall broadly into the following classes:
(1) API function sequences that modify the registry;
for example: "RegOpenKeyEx -> RegSetKeyValue ...".
(2) API function sequences that access malicious connections, or API function sequences used to download malicious programs;
for example:
"URLDownloadToFileA -> CreateFile(%temp%xxx.exe ...) -> WinExec(%temp%/xxx.exe) ...".
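The following is an added example, written for this page and not the patent's or Tencent's implementation, of the two mechanisms described above: stub code at the head and tail of each API function writing a journal, and the lookup of the extracted call sequence in a malicious-sequence library (steps S503 to S505). The hook interface, the journal line format, the API table and the library entries are all constructed here; the library entries simply encode the example sequences named in the text.

```python
"""Head/tail instrumentation journal plus malicious-sequence lookup (added example).

Everything here is constructed for illustration: the stub hooks stand in for the
binary instrumentation the patent describes, and MALICE_LIBRARY holds the example
sequences from the text rather than any real library.
"""
import re
from typing import Callable, Dict, List, Optional, Sequence, Tuple


class Journal:
    """Collects the journal the head/tail stubs write: one line per event."""

    def __init__(self) -> None:
        self.lines: List[str] = []
        self._seq = 0

    def head_hook(self, name: str, args: tuple) -> int:
        # Stub inserted at the head of the API function: record call order,
        # function name and parameters.
        self._seq += 1
        self.lines.append(f"seq={self._seq} api={name} args={args!r} event=enter")
        return self._seq

    def tail_hook(self, seq: int, name: str, ret: object) -> None:
        # Stub inserted at the tail: record the return value of the same call.
        self.lines.append(f"seq={seq} api={name} ret={ret!r} event=leave")


def instrument(api_table: Dict[str, Callable], journal: Journal) -> Dict[str, Callable]:
    """Wrap every API function so its head and tail call into the journal."""
    wrapped: Dict[str, Callable] = {}
    for name, fn in api_table.items():
        def stub(*args, _name=name, _fn=fn):
            seq = journal.head_hook(_name, args)
            ret = _fn(*args)
            journal.tail_hook(seq, _name, ret)
            return ret
        wrapped[name] = stub
    return wrapped


ENTER_RE = re.compile(r"seq=(\d+) api=(\w+) args=(.*) event=enter$")


def extract_sequence(lines: Sequence[str]) -> List[Tuple[str, str]]:
    """Rebuild the ordered (function name, parameters) sequence from journal lines."""
    calls = []
    for line in lines:
        m = ENTER_RE.match(line)
        if m:
            calls.append((int(m.group(1)), m.group(2), m.group(3)))
    calls.sort()  # lines from several threads may interleave; order by seq
    return [(name, args) for _, name, args in calls]


# Constructed library: ordered API sequences the text names as malicious.
MALICE_LIBRARY: Dict[str, Tuple[str, ...]] = {
    "registry-edit": ("RegOpenKeyEx", "RegSetKeyValue"),
    "download-and-run": ("URLDownloadToFileA", "CreateFile", "WinExec"),
    "copy-and-execute": ("MoveFile", "ShellExecute"),
    "thread-hijack": ("SuspendThread", "SetThreadContext", "ResumeThread"),
}


def contains_ordered(seq: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every step of pattern appears in seq in that order; unrelated
    calls may be interleaved between the steps."""
    it = iter(seq)
    return all(step in it for step in pattern)


def lookup(sequence: Sequence[Tuple[str, str]],
           library: Dict[str, Tuple[str, ...]] = MALICE_LIBRARY) -> Optional[str]:
    """Steps S503-S505: name of the matching library entry, or None if legitimate."""
    names = [name for name, _ in sequence]
    for label, pattern in library.items():
        if contains_ordered(names, pattern):
            return label
    return None


def demo_injected_dll() -> Optional[str]:
    """Run a constructed injected-DLL code path through an instrumented API table."""
    journal = Journal()
    api = instrument({
        "RegOpenKeyEx": lambda *a: 0,
        "GetTickCount": lambda *a: 12345,
        "RegSetKeyValue": lambda *a: 0,
    }, journal)
    api["RegOpenKeyEx"]("HKCU\\Software\\ExampleVendor")
    api["GetTickCount"]()                     # unrelated call interleaved
    api["RegSetKeyValue"]("Updater", "C:\\Users\\Public\\xxx.exe")
    return lookup(extract_sequence(journal.lines))   # -> "registry-edit"
```

`contains_ordered` allows unrelated calls between the steps of a library sequence, which is what an injected DLL's journal usually looks like; the cost is a higher false-positive rate than exact contiguous matching, so a production library would carry parameter constraints alongside the function names.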
Through the above step S209, the invention monitors the API function call sequence of the injected DLL, which makes it easier to analyse the injected code, identify whether malicious behaviour is present, and ensure computer security.
As an optional embodiment, as shown in Fig. 6, the following steps are also included after step S501:
S506: obtain the address space of the DLL module and the address space of the monitored program.
S507: judge, from the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
Steps S506 and S507 use the address spaces to further verify whether the DLL module is an injected DLL module.
In the program monitoring method of the invention, an instrumentation tool instruments each application programming interface (API) function of the DLLs of the monitored program; the monitored program is run; whether a monitored API function meets the preset decision logic is judged; if so, it is judged that a dynamic link library (DLL) injection has occurred in the monitored program; the information of the API functions meeting the preset decision logic is output; the injection type of the DLL injection is detected according to the preset detection logic; and the injection information of the DLL module injected into the monitored program is obtained from the output API function information. The invention can effectively judge whether the monitored program has been injected with a DLL module, when it was injected and by which injection method, realising extraction of the injected code and judgement of the injection type. With the preset decision logic, the invention only needs to output the information of the API functions in the DLL module that match the decision logic; other API functions are neither processed nor output, which significantly improves monitoring efficiency. In addition, the instrumentation tool can monitor large batches of programs automatically and simultaneously, extract the injected code and output large numbers of journal files, reducing manual intervention and improving efficiency.
It should be noted that, for brevity, each of the foregoing method embodiments is expressed as a series of action combinations; those skilled in the art should know that the invention is not limited by the described sequence of actions, because according to the invention some steps may be carried out in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the invention.
Through the description of the above embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software plus the necessary general hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, magnetic disk or optical disk) and including instructions that cause a terminal device (which may be a mobile phone, a computer, a server, a network device or the like) to perform the methods described in the embodiments of the invention.
Embodiment 2
According to an embodiment of the invention, a device for implementing the above program monitoring method is also provided. Fig. 7 is a schematic diagram of the program monitoring device according to the first embodiment of the invention; as shown in Fig. 7, the device includes:
Determining module 701, for determining the monitored program.
Loading module 702, for loading the monitored program.
Instrumentation module 703, for instrumenting, while the monitored program runs, each application programming interface (API) function called by the monitored program.
Function name acquisition module 704, for obtaining the function name of the API function.
Injection judging module 705, for judging, according to the function name of the API function, whether the API function meets the preset decision logic; if so, judging that a dynamic link library (DLL) injection has occurred in the monitored program;
Injection type acquisition module 706, for detecting the injection type of the DLL injection according to the preset detection logic;
Injection information acquisition module 707, for obtaining the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function that meets the preset decision logic.
As an optional embodiment, the device also includes a malicious-injection judging module 708, for tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed by the DLL module, and judging from that API function sequence whether the DLL module injected into the monitored program is a malicious process.
As an optional embodiment, the instrumentation module 703 also includes a function instrumentation unit 7031, for inserting stub code at the head and tail of each application programming interface (API) function of the monitored program.
The preset decision logic is: detecting that, after data has been written into the memory of the monitored program, the CreateRemoteThread function and the LoadLibrary function are called, or the CreateRemoteThreadEx function and the LoadLibrary function are called;
or the preset decision logic is: detecting a LoadLibrary function in the API function call sequence, where a trap occurred before the LoadLibrary call.
As an optional embodiment, the injection type acquisition module 706 includes:
First function extraction unit 7061, for extracting the function name of the API function that meets the preset decision logic.
First type judging unit 7062, for judging that the injection type of the DLL injection is remote thread injection when it is detected that the CreateRemoteThread function and the LoadLibrary function are called after data is written into the memory of the monitored program, or that the CreateRemoteThreadEx function and the LoadLibrary function are called after data is written into the memory of the monitored program.
Second type judging unit 7063, for judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection when a LoadLibrary function call is detected in the APC queue and a trap occurred before the LoadLibrary function executed.
As an optional embodiment, the injection information acquisition module 707 includes:
Function information acquisition module 7071, for obtaining the parameters, function name, module name and stack information of the API function that meets the preset decision logic.
Injection point locating module 7072, for locating the injection point of the DLL module injected into the monitored program.
Injection point information acquisition module 7073, for obtaining the information of the injection point according to the parameters, function name, module name and stack information of the API function.
As an optional embodiment, the malicious-injection judging module 708 includes:
Tracking unit 7081, for tracking the execution of the DLL module injected into the monitored program;
Extraction unit 7082, for extracting the function names of the API functions in the DLL module and the call sequence of the API functions;
Malicious-injection judging unit 7083, for looking up the API function call sequence in the preset malicious-sequence library; if it is found, judging that the DLL module is a malicious process, and if it is not found, judging that the DLL module is not a malicious process.
As an optional embodiment, the malicious-injection judging module 708 also includes:
Address space acquisition unit 7084, for obtaining the address space of the DLL module and the address space of the monitored program;
Address space judging unit 7085, for judging, from the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
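The following is an added example, written for this page and not the patent's code, of how the decision logic of module 705, the type classification of units 7062 and 7063, the output of module 707 and the address-space check of units 7084 and 7085 fit together over a recorded event stream. The event fields, the mapping of "data written to memory" onto a WriteProcessMemory call, the `apc` and `trap` flags, and all three event streams are assumptions constructed here.

```python
"""Decision logic, injection-type classification and address-space check (added example).

Constructed for illustration; the patent does not specify the event format,
and the flags on ApiEvent are assumptions about what the stub records.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ApiEvent:
    """One API call as the head stub recorded it (constructed for this example)."""
    name: str                  # API function name
    params: Tuple              # parameters captured at the head stub
    module: str                # module the call was issued from
    stack: Tuple[str, ...]     # call-stack summary captured with the event
    apc: bool = False          # assumption: stub marks calls dispatched from the APC queue
    trap: bool = False         # assumption: a trap was recorded before this call ran


# Assumption: a write into the monitored program's memory shows up as a
# WriteProcessMemory call; the patent only says "data written to memory".
MEMORY_WRITE = {"WriteProcessMemory"}
REMOTE_THREAD = {"CreateRemoteThread", "CreateRemoteThreadEx"}
LOADER = {"LoadLibrary", "LoadLibraryA", "LoadLibraryW"}


def detect_injection(events: List[ApiEvent]) -> Optional[Tuple[str, List[ApiEvent]]]:
    """Apply the preset decision logic (module 705) and classify the injection
    (module 706). Returns (injection type, events that met the logic) or None.
    Only the matching events are returned; every other API call stays unreported."""
    wrote_memory: Optional[ApiEvent] = None
    remote_thread: Optional[ApiEvent] = None
    for ev in events:
        if ev.name in MEMORY_WRITE:
            wrote_memory = ev
        elif ev.name in REMOTE_THREAD and wrote_memory is not None:
            remote_thread = ev                     # thread created after the write
        elif ev.name in LOADER:
            if remote_thread is not None:          # write -> remote thread -> LoadLibrary
                return "remote-thread", [wrote_memory, remote_thread, ev]
            if ev.apc and ev.trap:                 # LoadLibrary from APC queue after a trap
                return "apc", [ev]
    return None


def injection_info(matched: List[ApiEvent]) -> List[Dict[str, object]]:
    """Module 707: parameters, function name, module name and stack of each
    API function that met the decision logic."""
    return [{"function": e.name, "params": e.params, "module": e.module, "stack": e.stack}
            for e in matched]


def is_injected_module(module_range: Tuple[int, int],
                       program_ranges: List[Tuple[int, int]]) -> bool:
    """Units 7084/7085. Assumption: program_ranges are the (base, size) ranges the
    monitored program occupied when it was loaded; a module whose range overlaps
    none of them is treated as an injected DLL module."""
    base, size = module_range
    end = base + size
    for pbase, psize in program_ranges:
        if base < pbase + psize and pbase < end:
            return False
    return True


# Constructed event streams (not captured from any real program).
REMOTE_THREAD_EVENTS = [
    ApiEvent("GetTickCount", (), "app.exe", ("main",)),
    ApiEvent("WriteProcessMemory", (0x1f4, 0x7ff600000000, 64), "injector.exe", ("inject",)),
    ApiEvent("CreateRemoteThread", (0x1f4, "LoadLibraryA"), "injector.exe", ("inject",)),
    ApiEvent("LoadLibraryA", ("C:\\Users\\Public\\xxx.dll",), "kernel32.dll", ("ThreadStart",)),
]
APC_EVENTS = [
    ApiEvent("GetTickCount", (), "app.exe", ("main",)),
    ApiEvent("LoadLibraryW", ("C:\\Users\\Public\\xxx.dll",), "kernel32.dll",
             ("KiUserApcDispatcher",), apc=True, trap=True),
]
BENIGN_EVENTS = [
    ApiEvent("LoadLibraryA", ("user32.dll",), "app.exe", ("main",)),      # program's own import
    ApiEvent("CreateRemoteThread", (0x1f4, 0x0), "app.exe", ("main",)),   # no preceding write
]
```

The ordering constraints are what keep the logic selective: a LoadLibrary with no preceding write-then-remote-thread pair, and a remote thread with no preceding memory write, both fall through, which is why `BENIGN_EVENTS` produces no report.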
The program monitoring device of the invention works as follows:
the monitored program is determined; the monitored program is loaded; while the monitored program runs, each application programming interface (API) function called by the monitored program is instrumented; the function name of the API function is obtained; whether the API function meets the preset decision logic is judged according to its function name; if so, it is judged that a dynamic link library (DLL) injection has occurred in the monitored program; the injection type of the DLL injection is detected according to the preset detection logic; and the injection information of the DLL module injected into the monitored program is obtained, where the injection information includes the parameters, function name, module name and stack information of the API function meeting the preset decision logic. The invention can effectively judge whether the monitored program has been injected with a DLL module, when it was injected and by which injection method, realising extraction of the injected code and judgement of the injection type. With the preset decision logic, the invention only needs to output the information of the API functions in the DLL module that match the decision logic; other API functions are neither processed nor output, which significantly improves monitoring efficiency. In addition, the instrumentation tool can monitor large batches of programs automatically and simultaneously, extract the injected code and output large numbers of journal files, reducing manual intervention and improving efficiency.
Embodiment 3
An embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium can be used to store the program code executed by the program monitoring method of the above embodiment.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps:
Step 1: determine the monitored program.
Step 2: load the monitored program.
Step 3: while the monitored program runs, instrument each application programming interface (API) function called by the monitored program.
Step 4: obtain the function name of the API function.
Step 5: judge, according to the function name of the API function, whether the API function meets the preset decision logic.
Step 6: if so, judge that a dynamic link library (DLL) injection has occurred in the monitored program.
Step 7: detect the injection type of the DLL injection according to the preset detection logic.
Step 8: obtain the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function meeting the preset decision logic.
Optionally, for specific examples in this embodiment, refer to the examples described in Embodiment 1 and Embodiment 2 above; they are not repeated here.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash disk, read-only memory (ROM), random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium that can store program code.
Embodiment 4
An embodiment of the invention also provides a computer terminal, which can be any computer terminal in a group of computer terminals. Because of the platform the instrumentation tool supports, the method of this application is mainly used on PCs or servers.
Optionally, Fig. 8 is a structural block diagram of a computer terminal according to an embodiment of the invention. As shown in Fig. 8, the computer terminal A may include one or more processors 161 (only one is shown in the figure) and a memory 163.
The memory 163 can be used to store software programs and modules, such as the program instructions/modules corresponding to the program monitoring method and device of the embodiments of the invention; the processor 161 runs the software programs and modules stored in the memory 163 to perform various functional applications and data processing, that is, to realise the above program monitoring. The memory 163 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory 163 may further include memory located remotely from the processor 161; such remote memory may be connected to the terminal A through a network.
Specifically, the memory 163 is used to store the information of the preset action conditions and the preset permitted users, as well as the application programs.
The processor 161 can invoke the information and application programs stored in the memory 163 through a transmission device to perform the following steps.
Optionally, the processor 161 can also execute program code for the following steps:
Step 1: determine the monitored program.
Step 2: load the monitored program.
Step 3: while the monitored program runs, instrument each application programming interface (API) function called by the monitored program.
Step 4: obtain the function name of the API function.
Step 5: judge, according to the function name of the API function, whether the API function meets the preset decision logic.
Step 6: if so, judge that a dynamic link library (DLL) injection has occurred in the monitored program.
Step 7: detect the injection type of the DLL injection according to the preset detection logic.
Step 8: obtain the injection information of the DLL module injected into the monitored program; the injection information includes the parameters, function name, module name and stack information of the API function meeting the preset decision logic.
Optionally, for specific examples in this embodiment, refer to the examples described in Embodiment 1 and Embodiment 2 above; they are not repeated here.
The numbering of the embodiments of the invention is for description only and does not indicate the merits of the embodiments.
If the integrated units in the above embodiments are realised in the form of software functional units and sold or used as independent products, they can be stored in the computer-readable storage medium described above. Based on this understanding, the technical solution of the invention, or the part of it that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product stored in a storage medium and including instructions that cause one or more computer devices (which may be personal computers, servers, network devices or the like) to perform all or part of the steps of the methods described in the embodiments of the invention.
In the above embodiments of the invention, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed client can be realised in other ways. The device embodiments described above are only schematic; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: several units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be realised in the form of hardware or in the form of a software functional unit.
The above is only a preferred embodiment of the invention. It should be noted that those of ordinary skill in the art can make improvements and modifications without departing from the principles of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (13)

1. A program monitoring method, characterised by comprising:
determining a monitored program;
loading the monitored program;
while running the monitored program, instrumenting each application programming interface (API) function called by the monitored program;
obtaining the function name of the API function;
judging, according to the function name of the API function, whether the API function meets a preset decision logic;
if so, judging that a dynamic link library (DLL) injection has occurred in the monitored program;
detecting the injection type of the DLL injection according to a preset detection logic;
obtaining the injection information of the DLL module injected into the monitored program, the injection information including the parameters, function name, module name and stack information of the API function meeting the preset decision logic.
2. The program monitoring method according to claim 1, characterised in that, after obtaining the injection information of the DLL module injected into the monitored program, the method further comprises:
tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed in the DLL module, and judging according to the API function sequence whether the DLL module injected into the monitored program is a malicious process.
3. The program monitoring method according to claim 1, characterised in that the preset decision logic is: detecting that, after data is written into the memory of the monitored program, the CreateRemoteThread function and the LoadLibrary function are called;
or detecting that, after data is written into the memory of the monitored program, the CreateRemoteThreadEx function and the LoadLibrary function are called;
or detecting that the LoadLibrary function is called in the APC queue, and that a trap occurred before the LoadLibrary call.
4. The program monitoring method according to claim 3, characterised in that detecting the injection type of the DLL injection according to the preset detection logic comprises:
extracting the function name of the API function meeting the preset decision logic;
if it is detected that the CreateRemoteThread function and the LoadLibrary function are called after data is written into the memory of the monitored program, or that the CreateRemoteThreadEx function and the LoadLibrary function are called after data is written into the memory of the monitored program, judging that the injection type of the DLL injection is remote thread injection;
if it is detected that the LoadLibrary function is called in the APC queue and a trap occurred before the LoadLibrary function executed, judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection.
5. The program monitoring method according to claim 1, characterised in that obtaining the injection information of the DLL module injected into the monitored program comprises:
obtaining the parameters, function name, module name and stack information of the API function meeting the preset decision logic;
locating the injection point of the DLL module injected into the monitored program;
obtaining the information of the injection point according to the parameters, function name, module name and stack information of the API function.
6. The program monitoring method according to claim 2, characterised in that tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed by the DLL module, and judging according to the API function sequence whether the DLL module injected into the monitored program is a malicious process comprises:
tracking the execution of the DLL module injected into the monitored program;
extracting the function names of the API functions in the DLL module and the call sequence of the API functions;
looking up the API function call sequence in a preset malicious-sequence library; if it is found, judging that the DLL module is a malicious process; if it is not found, judging that the DLL module is not a malicious process.
7. The program monitoring method according to claim 6, characterised in that, after tracking the execution of the DLL module injected into the monitored program, the method further comprises:
obtaining the address space of the DLL module and the address space of the monitored program;
judging, according to the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
8. A program monitoring device, characterised by comprising:
a determining module, for determining a monitored program;
a loading module, for loading the monitored program;
an instrumentation module, for instrumenting, while the monitored program runs, each application programming interface (API) function called by the monitored program;
a function name acquisition module, for obtaining the function name of the API function;
an injection judging module, for judging, according to the function name of the API function, whether the API function meets a preset decision logic, and if so, judging that a dynamic link library (DLL) injection has occurred in the monitored program;
an injection type acquisition module, for detecting the injection type of the DLL injection according to a preset detection logic;
an injection information acquisition module, for obtaining the injection information of the DLL module injected into the monitored program, the injection information including the parameters, function name, module name and stack information of the API function meeting the preset decision logic.
9. The program monitoring device according to claim 8, characterised by further comprising a malicious-injection judging module, for tracking the execution of the DLL module injected into the monitored program, extracting the API function sequence executed by the DLL module, and judging according to the API function sequence whether the DLL module injected into the monitored program is a malicious process.
10. The program monitoring device according to claim 8, characterised in that the injection type acquisition module comprises:
a first function extraction unit, for extracting the function name of the API function meeting the preset decision logic;
a first type judging unit, for judging that the injection type of the DLL injection is remote thread injection when it is detected that the CreateRemoteThread function and the LoadLibrary function are called after data is written into the memory of the monitored program, or that the CreateRemoteThreadEx function and the LoadLibrary function are called after data is written into the memory of the monitored program;
a second type judging unit, for judging that the injection type of the DLL injection is asynchronous procedure call (APC) injection when it is detected that the LoadLibrary function is called in the APC queue and a trap occurred before the LoadLibrary function executed.
11. The program monitoring device according to claim 8, characterised in that the injection information acquisition module comprises:
a function information acquisition module, for obtaining the parameters, function name, module name and stack information of the API function meeting the preset decision logic;
an injection point locating module, for locating the injection point of the DLL module injected into the monitored program;
an injection point information acquisition module, for obtaining the information of the injection point according to the parameters, function name, module name and stack information of the API function.
12. The program monitoring device according to claim 9, characterised in that the malicious-injection judging module comprises:
a tracking unit, for tracking the execution of the DLL module injected into the monitored program;
an extraction unit, for extracting the function names of the API functions in the DLL module and the call sequence of the API functions;
a malicious-injection judging unit, for looking up the API function call sequence in a preset malicious-sequence library; if it is found, judging that the DLL module is a malicious process; if it is not found, judging that the DLL module is not a malicious process.
13. The program monitoring device according to claim 12, characterised in that the malicious-injection judging module further comprises:
an address space acquisition unit, for obtaining the address space of the DLL module and the address space of the monitored program;
an address space judging unit, for judging, according to the address space of the DLL module and the address space of the monitored program, whether the DLL module is an injected DLL module.
Application CN201611043652.9A, priority date 2016-11-11, filing date 2016-11-11: Method and device for monitoring program (Active; granted as CN106709325B).

Publications: CN106709325A (published 2017-05-24); CN106709325B (published 2020-09-25). Family ID: 58933818.

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611043652.9A Active CN106709325B (en) 2016-11-11 2016-11-11 Method and device for monitoring program

Country Status (1)

Country Link
CN (1) CN106709325B (en)

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277019A (en) * 2017-06-23 2017-10-20 武汉斗鱼网络科技有限公司 Data clear text acquisition methods, device, electric terminal and readable storage medium storing program for executing
CN109408346A (en) * 2018-09-26 2019-03-01 北京城市网邻信息技术有限公司 Method of data capture, device, equipment and storage medium
CN109472135A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 A kind of method, apparatus and storage medium of detection procedure injection
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 The detection method of rogue program, calculates equipment and computer storage medium at device
CN110308943A (en) * 2018-03-20 2019-10-08 腾讯科技(深圳)有限公司 Program operating method, calculates equipment and storage medium at device
CN110554932A (en) * 2019-08-02 2019-12-10 恒鸿达科技有限公司 Method for detecting abnormality of api module
CN110737892A (en) * 2018-07-20 2020-01-31 武汉斗鱼网络科技有限公司 detection method for APC injection and related device
CN110955894A (en) * 2019-11-22 2020-04-03 深信服科技股份有限公司 Malicious content detection method and device, electronic equipment and readable storage medium
CN111931166A (en) * 2020-09-24 2020-11-13 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis
CN115549980A (en) * 2022-09-13 2022-12-30 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN103559446A (en) * 2013-11-13 2014-02-05 厦门市美亚柏科信息股份有限公司 Dynamic virus detection method and device for equipment based on Android system
CN105373729A (en) * 2015-12-24 2016-03-02 北京奇虎科技有限公司 Information processing method and system
CN105574409A (en) * 2015-12-10 2016-05-11 北京奇虎科技有限公司 Injection code extraction method and device

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101005497A (en) * 2006-11-27 2007-07-25 科博技术有限公司 System and method for preventing vicious code attach
CN103559446A (en) * 2013-11-13 2014-02-05 厦门市美亚柏科信息股份有限公司 Dynamic virus detection method and device for equipment based on Android system
CN105574409A (en) * 2015-12-10 2016-05-11 北京奇虎科技有限公司 Injection code extraction method and device
CN105373729A (en) * 2015-12-24 2016-03-02 北京奇虎科技有限公司 Information processing method and system

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107277019B (en) * 2017-06-23 2020-05-12 武汉斗鱼网络科技有限公司 Data plaintext acquisition method and device, electronic terminal and readable storage medium
CN107277019A (en) * 2017-06-23 2017-10-20 武汉斗鱼网络科技有限公司 Data clear text acquisition methods, device, electric terminal and readable storage medium storing program for executing
CN109472135A (en) * 2017-12-29 2019-03-15 北京安天网络安全技术有限公司 A kind of method, apparatus and storage medium of detection procedure injection
CN110308943A (en) * 2018-03-20 2019-10-08 腾讯科技(深圳)有限公司 Program operating method, calculates equipment and storage medium at device
CN110308943B (en) * 2018-03-20 2021-10-19 腾讯科技(深圳)有限公司 Program running method and device, computing equipment and storage medium
CN110737892B (en) * 2018-07-20 2021-11-09 武汉斗鱼网络科技有限公司 Detection method aiming at APC injection and related device
CN110737892A (en) * 2018-07-20 2020-01-31 武汉斗鱼网络科技有限公司 detection method for APC injection and related device
CN109408346A (en) * 2018-09-26 2019-03-01 北京城市网邻信息技术有限公司 Method of data capture, device, equipment and storage medium
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 Malicious program detection method and device, computing equipment and computer storage medium
CN110554932A (en) * 2019-08-02 2019-12-10 恒鸿达科技有限公司 Method for detecting abnormality of api module
CN110955894A (en) * 2019-11-22 2020-04-03 深信服科技股份有限公司 Malicious content detection method and device, electronic equipment and readable storage medium
CN111931166A (en) * 2020-09-24 2020-11-13 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis
CN111931166B (en) * 2020-09-24 2021-06-22 中国人民解放军国防科技大学 Application program anti-attack method and system based on code injection and behavior analysis
CN115549980A (en) * 2022-09-13 2022-12-30 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing
CN115549980B (en) * 2022-09-13 2023-04-18 应急管理部大数据中心 Network flow auditing device and method for protocol re-editing

Also Published As

Publication number Publication date
CN106709325B (en) 2020-09-25

Similar Documents

Publication Publication Date Title
CN106709325A (en) Method and device for monitoring program
CN108304720B (en) Android malicious program detection method based on machine learning
US9349006B2 (en) Method and device for program identification based on machine learning
CN101593253B (en) Method and device for judging malicious programs
US20150356291A1 (en) System and methods for detecting harmful files of different formats in virtual environment
CN104182688A (en) Android malicious code detection device and method based on dynamic activation and behavior monitoring
CN112541022A (en) Abnormal object detection method, abnormal object detection device, storage medium and electronic equipment
CN110795732A (en) SVM-based dynamic and static combination detection method for malicious codes of Android mobile network terminal
CN108830084A (en) Handheld terminal and protection method implementing computer information security protection, vulnerability scanning and protective reinforcement
CN107247902A (en) Malware categorizing system and method
CN109614608A (en) Electronic device, text information detection method and storage medium
CN112632531A (en) Malicious code identification method and device, computer equipment and medium
CN116303290B (en) Office document detection method, device, equipment and medium
CN104252594B (en) Virus detection method and device
CN111191243A (en) Vulnerability detection method and device and storage medium
CN103902900A (en) External extraction type detecting device and method for mobile terminal malicious code
US20230418943A1 (en) Method and device for image-based malware detection, and artificial intelligence-based endpoint detection and response system using same
CN110765000A (en) Program testing method and device
CN109388946A (en) Malicious process detection method, device, electronic equipment and storage medium
CN109727027A (en) Account recognition methods, device, equipment and storage medium
CN114692153A (en) Malicious code detection method, equipment and storage medium based on JAVA program
CN105631325A (en) Malicious application detection method and apparatus
CN115827610A (en) Method and device for detecting effective load
CN110135163B (en) Security detection method, device and system based on target application
CN113378161A (en) Security detection method, device, equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant