CN107480029A - A kind of monitoring method and device of function call time - Google Patents
A kind of monitoring method and device of function call time Download PDFInfo
- Publication number
- CN107480029A CN107480029A CN201710651465.7A CN201710651465A CN107480029A CN 107480029 A CN107480029 A CN 107480029A CN 201710651465 A CN201710651465 A CN 201710651465A CN 107480029 A CN107480029 A CN 107480029A
- Authority
- CN
- China
- Prior art keywords
- function
- time
- call
- monitoring
- call function
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000012544 monitoring process Methods 0.000 title claims abstract description 168
- 238000000034 method Methods 0.000 title claims abstract description 64
- 238000004458 analytical method Methods 0.000 claims abstract description 46
- 230000006870 function Effects 0.000 claims description 404
- 238000013507 mapping Methods 0.000 claims description 41
- 230000008569 process Effects 0.000 claims description 26
- 238000003860 storage Methods 0.000 claims description 22
- 230000000630 rising effect Effects 0.000 claims 1
- 238000004590 computer program Methods 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 6
- 238000012546 transfer Methods 0.000 description 5
- 238000000151 deposition Methods 0.000 description 4
- 238000002347 injection Methods 0.000 description 4
- 239000007924 injection Substances 0.000 description 4
- 230000008901 benefit Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 3
- 235000013399 edible fruits Nutrition 0.000 description 3
- 238000011156 evaluation Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 241001269238 Data Species 0.000 description 2
- 230000006399 behavior Effects 0.000 description 2
- 230000003139 buffering effect Effects 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000005457 optimization Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000004364 calculation method Methods 0.000 description 1
- 238000013467 fragmentation Methods 0.000 description 1
- 238000006062 fragmentation reaction Methods 0.000 description 1
- 230000014759 maintenance of location Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 239000000243 solution Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000007704 transition Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3409—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
- G06F11/3419—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment by assessing time
- G06F11/3423—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment by assessing time where the assessed time is active or idle time
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2201/00—Indexing scheme relating to error detection, to error correction, and to monitoring
- G06F2201/865—Monitoring of software
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Computing Systems (AREA)
- Multimedia (AREA)
- Mathematical Physics (AREA)
- Technology Law (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention discloses a kind of monitoring method and device of function call time, it is related to computer security technique field, main purpose is that by the monitoring of function call time, so as to more preferably understand whether function needs to add protection.Methods described includes:Monitoring process is created by way of hang-up, the Dram of preset capacity is included in the monitoring process;It will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;Start the monitoring process, need to be injected into the dynamic link library of the monitoring process according to presupposition analysis code loading;Monitoring functional blocks in the dynamic link library monitor the called initial time of the call function and end time, obtain the allocating time of call function.Present invention is mainly used for the analysis of the allocating time of function.
Description
Technical field
The present invention relates to computer safety field, the especially a kind of monitoring method and device of function call time.
Background technology
In function protection, if do not recognized clearly the allocating time of function, shell adding blindly is carried out to function
Protection, such as code fragmentation, code virtualization, code migrating or Code obfuscation, for adding the function after protection, if called
Time is larger with the gap after protection before protection, then explanation plus protection significantly impacts the run time of function, it should cancels
Protection to function, if allocating time is little with the gap after protection before protection, illustrates plus protection is not produced to function
Raw very big influence, without cancelling the protection to function, therefore, in the case of uncomprehending to the allocating time of function, it is easy to
The function of the calling to being not intended to plus protecting in system function or operation is protected unintentionally, so not only be have impact on and is added
The volume of program after shell, while can also reduce the operational efficiency of program after shell adding.
If developer protects the excessive function for being not intended to plus protecting in program operation process, can to protect
The volume of executable program afterwards increases, while can reduce the operational efficiency of the executable program after protection.
The content of the invention
In view of the above problems, it is proposed that the present invention so as to provide one kind overcome above mentioned problem or at least in part solve on
The monitoring method and device of a kind of function call time of problem is stated, the monitoring of function call time can be realized, so as to more preferable
Understand whether function needs plus protect.
The one side of the embodiment of the present invention, the invention provides a kind of monitoring method of function call time, including:
Monitoring process is created by way of hang-up, the Dram of preset capacity is included in the monitoring process;
It will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;
Start the monitoring process, need to be injected into the dynamic of the monitoring process according to presupposition analysis code loading
Chained library;
Monitoring functional blocks in the dynamic link library monitor the called initial time of the call function and knot
The beam time, obtain the allocating time of call function.
Further, before the startup monitoring process, methods described also includes:
Memory Mapping File and time statistical result event are created, call function is stored with the Memory Mapping File
Function information;
The identification information of the monitoring process is transmitted, the Memory Mapping File is loaded with timely according to the identification information
Between statistical result event;
Initial address program performed according to the Memory Mapping File is added in the presupposition analysis code, when opening
The initial address of program execution is jumped to when moving the monitoring process.
Further, the monitoring functional blocks in the dynamic link library monitor what the call function was called
Initial time and end time, obtaining the allocating time of call function includes:
Start the function hook in the dynamic link library by the functional blocks of defence program as monitoring functional blocks;
According to the function hook by the functional blocks of defence program monitor the called initial time of the call function and
End time, obtain the allocating time of the call function.
Further, the function hook in the startup dynamic link library is used as prison by the functional blocks of defence program
Before controlling functional blocks, methods described also includes:
The type function of the call function is obtained according to the function information of the call function;
When the type function of the call function is directly can perform function, dynamic link is loaded into by module handle
Storehouse;
When the type function of the call function is not directly performs function, dynamic link is loaded into by load-on module
Storehouse.
Further, it is described to be called according to the function hook by the functional blocks monitoring call function of defence program
Initial time and the end time, obtaining the allocating time of the call function includes:
When call function is called, the call function is obtained by the functional blocks of defence program by the function hook
Initial address;
The address values in designated memory space are read from storehouse, the designated memory space is returned for storage function
Go back to address;
Search the pointed address of a upper instruction for the pointed instruction of the address values;
Judge whether the upper pointed address of an instruction is identical with the initial address of the call function, if phase
Together, then the called initial time of the call function and end time are monitored, obtains the allocating time of call function.
According to the another aspect of the embodiment of the present invention, the embodiments of the invention provide a kind of monitoring of function call time dress
Put, including:
First creating unit, for creating monitoring process by way of hang-up, include in the monitoring process default
The Dram of capacity;
Unit is loaded into, for will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;
Start unit, for starting the monitoring process, according to being injected into presupposition analysis code loading needs
The dynamic link library of monitoring process;
Monitoring unit, monitor what the call function was called for the monitoring functional blocks in the dynamic link library
Initial time and end time, obtain the allocating time of call function.
Further, described device also includes:
Second creating unit, for creating Memory Mapping File and time statistical result event, the internal memory mapping text
The function information of call function is stored with part;
Loading unit, for transmitting the identification information of the monitoring process, the internal memory is loaded according to the identification information
Mapped file and time statistical result event;
Adding device, the initial address for being performed program according to the Memory Mapping File are divided added to described preset
Analyse in code, the initial address of program execution is jumped to when starting the monitoring process.
Further, the monitoring unit includes:
Starting module, for starting the function hook in the dynamic link library by the functional blocks of defence program as monitoring
Functional blocks;
Monitoring module, it is called for monitoring the call function by the functional blocks of defence program according to the function hook
Initial time and the end time, obtain the allocating time of the call function.
Further, the starting module, the function hook being additionally operable in the startup dynamic link library are protected
The functional blocks of program are protected as before monitoring functional blocks, the call function is obtained according to the function information of the call function
Type function;When the type function of the call function is directly can perform function, dynamic link is loaded into by module handle
Storehouse;When the type function of the call function is not directly performs function, dynamic link library is loaded into by load-on module.
Further, the monitoring module, it is additionally operable to, when call function is called, be protected by the function hook
The functional blocks of program obtain the initial address of the call function;The address values in designated memory space are read from storehouse,
The designated memory space is for storage function return address;Search a upper finger for the pointed instruction of the address values
The pointed address of order;Judge the pointed address of a upper instruction whether the initial address phase with the call function
Together, it is if identical, the called initial time of the call function and end time are monitored, when obtaining the calling of call function
Between.
By above-mentioned technical proposal, a kind of monitoring method and device of function call time provided by the invention, pass through by
Presupposition analysis code for monitoring the function call time is loaded into monitoring process, in order to go to the call function in program
When, initial time and end time that the monitoring functional blocks monitoring call function in dynamic link library is called, Neng Goushi
When monitor call function allocating time.Compared with the monitoring method of the function call time of prior art, the embodiment of the present invention
By being monitored in program operation process to the allocating time of call function, function in program process can be obtained
Allocating time, and then the gap before function is protected with allocating time after protection can be understood by the allocating time of function,
And then whether more preferable understanding function needs plus protection, Consumer's Experience is improved, in addition, can be right in real time according to the allocating time of function
The function module of program optimizes, and improves the operational efficiency of executable program, dramatically saves on the time of technical staff.
Described above is only the general introduction of technical solution of the present invention, in order to better understand the technological means of the present invention,
And can be practiced according to the content of specification, and in order to allow above and other objects of the present invention, feature and advantage can
Become apparent, below especially exemplified by the embodiment of the present invention.
Brief description of the drawings
By reading the detailed description of hereafter preferred embodiment, it is various other the advantages of and benefit it is common for this area
Technical staff will be clear understanding.Accompanying drawing is only used for showing the purpose of preferred embodiment, and is not considered as to the present invention
Limitation.And in whole accompanying drawing, identical part is denoted by the same reference numerals.In the accompanying drawings:
Fig. 1 shows the monitoring method schematic flow sheet of function call time provided in an embodiment of the present invention a kind of;
Fig. 2 shows the monitoring method schematic flow sheet of another function call time provided in an embodiment of the present invention;
Fig. 3 shows the supervising device structural representation of function call time provided in an embodiment of the present invention a kind of;
Fig. 4 shows the supervising device structural representation of another function call time provided in an embodiment of the present invention.
Embodiment
The exemplary embodiment of the disclosure is more fully described below with reference to accompanying drawings.Although the disclosure is shown in accompanying drawing
Exemplary embodiment, it being understood, however, that may be realized in various forms the disclosure without should be by embodiments set forth here
Limited.On the contrary, these embodiments are provided to facilitate a more thoroughly understanding of the present invention, and can be by the scope of the present disclosure
Completely it is communicated to those skilled in the art.
The embodiments of the invention provide a kind of monitoring method of function call time, as shown in figure 1, this method mainly passes through
Pre-set code is monitored to the allocating time of call function, and specific steps include:
101st, monitoring process is created by way of hang-up.
Wherein, monitoring process is used for the allocating time of function during monitoring programme performs, further, since configuration processor is required for
Certain internal memory, in order to facilitate the use of process, apply for the Dram of preset capacity in monitoring process, can be used for depositing
Presupposition analysis code or other program service datas, such as code segment or data segment, the embodiment of the present invention is to applying for Dram
Amount of capacity without limiting, can be applied according to using the memory size that be actually needed of operation.
It should be noted that prison is created by way of hang-up in order to facilitate user's observation and analysis monitoring process here
Control process, now the monitoring process remain static, so as to facilitate user to modify program or other operation.
102nd, will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram.
Here presupposition analysis code is mainly used in analyzing the allocating time of call function, can specifically include into
Multiple moulds such as journey mark transfer module, program origin add module, the injection module of dynamic link library, information preserving module
It block, can communicate news between modules, and not interfere between each other, wherein, process identification (PID) transfer module is used to pass
The identification information of monitoring process is passed, so as to which program loads Memory Mapping File and time statistical result thing according to the identification information
Part, the function information of call function is stored with Memory Mapping File here, such as the title of function, the relative virtual of function
Information, the program origins such as the initial address that location RVA, the relative virtual address RVA of function number and program perform add
The initial address for adding module to be used to perform Memory Mapping File Program is added in presupposition analysis code, so as to when calling letter
Number jumps to the initial address of presupposition analysis code execution when called, the injection module of dynamic link library for loading monitor into
The dynamic link library of journey, the analytic function block of the storage in dynamic link library are supervised to the function information of call function
Control, obtains the allocating time of call function, program more easily can be applied into each mould used here as dynamic link library
Block, and do not influence the other parts of the program, is so also convenient for modifying to monitoring process, during if desired for function call
Between in content be updated, can be by being modified to dynamic link library, so as to facilitate the renewal of program, information is protected
Storing module is used to be preserved recalls information into Memory Mapping File according to time statistical result event, subsequently to be adjusted to function
With the analysis of time, display interface can also be shown in, so as to more intuitively show user.
Specifically, when program is performed to call function, by the modules in presupposition analysis code to call function
Analyzed, transmit the identification information of monitoring process by process identification (PID) transfer module first, according in identification information loading
Mapped file and time statistical result event are deposited, then by program origin add module by Memory Mapping File intermediate range
The initial address that sequence performs is added in presupposition analysis code, further loads the prison in dynamic link library by dynamic link library
Control functional blocks are monitored to call function, obtain the allocating time of function, finally by information preserving module by the tune of function
Preserved in real time into Memory Mapping File with the time.
103rd, start the monitoring process, need to be injected into the monitoring process according to presupposition analysis code loading
Dynamic link library.
Specifically, after starting monitoring process, when monitoring program and performing to call function, by presupposition analysis code
Modules call function is analyzed, first by process identification (PID) transfer module transmit monitoring process identification information,
Memory Mapping File and time statistical result event are loaded according to the identification information, mould is then added by program origin
The initial address that block performs Memory Mapping File Program is added in presupposition analysis code, further passes through dynamic link library
The monitoring functional blocks in dynamic link library are loaded, further realize the monitoring to call function.
104th, the monitoring functional blocks in the dynamic link library monitor the called initial time of the call function
And the end time, obtain the allocating time of call function.
Wherein, the analytic function block for monitoring the function call time is stored with dynamic link library, further can root
The function information of call function is obtained according to Memory Mapping File, then by starting in dynamic link library function hook by protection journey
The functional blocks of sequence are monitored, the called initial time of monitoring call function and knot as monitoring functional blocks to call function
The beam time, the allocating time of call function is obtained by the way that the end time is subtracted into initial time, can further be protected by information
Storing module preserves the allocating time of function into Memory Mapping File in real time.
It should be noted that the allocating time of the function obtained here can be shown according to user's actual need, such as
User can set the last called allocating time of interface display function, can also set all calling of interface display
Allocating time that function is called every time etc., the initial time that can be called certainly with explicit function and end time, this hair
Bright embodiment is to the content shown on interface of analysis result without limiting.
The monitoring side of function call time provided in an embodiment of the present invention a kind of is can be seen that with reference to above-mentioned implementation
Method, by will be loaded into for the presupposition analysis code for monitoring the function call time in monitoring process, in order to be gone in program
During the call function, the initial time that the monitoring functional blocks monitoring call function in dynamic link library is called is with the end of
Between, the allocating time of call function can be monitored in real time.Compared with the monitoring method of the function call time of prior art, this hair
Bright embodiment can obtain program process by being monitored in program operation process to the allocating time of call function
The allocating time of middle function, and then can be understood by the allocating time of function before function protection and allocating time after protection
Gap, and then it is more preferable understand function and whether need plus protection, Consumer's Experience is improved, in addition, can according to the allocating time of function
To be optimized in real time to the function module of program, the operational efficiency of executable program is improved, dramatically saves on technical staff
Time.
Below in order to which the monitoring method of function call time proposed by the present invention a kind of is explained in more detail, particularly exist
The initial time and end time that monitoring functional blocks monitoring call function in dynamic link library is called, obtain calling letter
The step of several allocating time, the embodiment of the present invention additionally provides the monitoring method of another function call time, such as Fig. 2 institutes
Show, the specific steps of this method include:
201st, monitoring process is created by way of hang-up.
Wherein, monitoring process is used for the allocating time of function during monitoring programme performs, further, since configuration processor is required for
Certain internal memory, in order to facilitate the use of process, apply for the Dram of preset capacity in monitoring process, can be used for depositing
Presupposition analysis code or other program service datas, such as code segment or data segment, the embodiment of the present invention is to applying for Dram
Amount of capacity without limiting, can be applied according to using the memory size that be actually needed of operation.
For the embodiment of the present invention, the allocating time of call function is carried out in being performed by the monitoring process of establishment to program
Monitoring, to understand the time that function is called in varied situations, so as to preferably be protected to program, normal conditions
Under, for adding the function after protecting, if allocating time is larger with the gap after protection before protection, illustrates plus protection is very big
Have impact on the run time of function, it should cancel protection to function, if allocating time before protection with the gap after protection
Less, then explanation plus protection do not produce a very large impact to function, and without protection of the cancellation to function, the embodiment of the present invention can be with
Allocating time by monitoring call function can more preferably understand whether function needs plus protect, and then to needing function to be protected
Protected.
It should be noted that each sub-line journey in process can be carried out by analyzer before monitoring process is created
Performance evaluation, performance evaluation here mainly by count internal memory behaviour in service detect Memory Leaks that may be present with
And the direction that memory optimization uses is determined, to prevent that interface card is dead.
202nd, will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram.
The allocating time that code analysis is used to monitor call function is here preset at, specifically can include process identification (PID) transmits mould
Multiple modules such as block, program origin add module, the injection module of dynamic link library, information preserving module, modules
Between can communicate news, and do not interfere between each other.
It should be noted that presupposition analysis code here can be stored by way of assembling shellcode it is each
Module, then shellcode is written in the Dram of application, compiling mould of the embodiment of the present invention to presupposition analysis code
Formula is without limiting.
203rd, Memory Mapping File and time statistical result event are created.
Wherein, the function information of call function is stored with Memory Mapping File, for example, the title of call function, calling
Initial address that the relative virtual address RVA of function, the relative virtual address RVA of call function number and program perform etc.
Information, the time statistical result event are used for the recalls information for counting call function.
For the embodiment of the present invention, by creating Memory Mapping File, multiple performance evaluation moulds conveniently can be started simultaneously
Block, and realize that the data between module communicate, by creation time statistical result event, further facilitate and carry out between module
Message transmission.
204th, transmit the identification information of the monitoring process, according to the identification information load the Memory Mapping File with
And time statistical result event.
Wherein, the identification information of monitoring process is used for a numerical value of unique mark process for the kernel of operating system, this
In identification information can be as the parameter of many function calls, to adjust the priority of process, control process behavior etc..
In order to further obtain the function information of call function and recalls information, according to the mark of the monitoring process of transmission
Information loads Memory Mapping File and time statistical result event, and the letter of call function is obtained by opening Memory Mapping File
Number information, the allocating time of passage time statistical result event statistics call function.
205th, the initial address for being performed program according to the Memory Mapping File is added in the presupposition analysis code,
The initial address of program execution is jumped to when starting the monitoring process.
It should be noted that the purpose for adding the initial address that program performs in presupposition analysis code here is to ensure to work as
The initial address of program execution is jumped to when opening monitoring process, so as to be monitored to the call function in program.
206th, the function hook in the dynamic link library is started by the functional blocks of defence program as monitoring functional blocks.
Wherein, the analytic function block for monitoring the function call time is stored with dynamic link library, further can root
The function information of call function is obtained according to Memory Mapping File, then by starting in dynamic link library function hook by protection journey
The functional blocks of sequence are monitored as monitoring functional blocks to call function.
It should be noted that the function hook in by dynamic link library is used as monitoring functional blocks pair by protection functional blocks
Before call function is monitored, dynamic chain can be loaded in different ways according to the difference of the type function of call function
Storehouse is connect, can specifically include but is not limited to following manner, call function is obtained according to the function information of call function first
Type function, if the type function of the call function is dll types or exe types, when the type function of call function is exe
When can directly perform function, then specification module had been loaded certainly, further got mould by GetModuleHandle
Block handle, dynamic link library is loaded into by module handle;When the type function of call function not directly performs function for dll
When, then specification module, which may be loaded, not to be loaded, and be further loaded into by loadlibrary load-on modules
Dynamic link library.
For the embodiment of the present invention, by loading dynamic link library in program process, taken by dynamic link library
The address for obtaining call function carries out function call, without loading all codes at the beginning of program is run, only needs to use in program
Call function is just taken out from dynamic link library during some call function, reduces the volume of program.
When the 207th, monitoring the called starting of the call function by the functional blocks of defence program according to the function hook
Between and the end time, obtain the allocating time of the call function.
For the embodiment of the present invention, monitored according to the function hook stored in dynamic link library by the functional blocks of defence program
The called initial time of call function and the process of end time can specifically include but is not limited to following implementations, when
When call function is called, the initial address of call function is obtained by the protected functional blocks of function hook, calls letter here
Several initial addresses is to be stored in the relative virtual address of call function in Memory Mapping File, then reads and specifies from storehouse
Address values in memory space, designated memory space here is preserved temporarily in program process for storing letter
Number return address, for the call function of return address be present, the initial address of call function can be found from storehouse,
For the call function in the absence of return address, the initial address of call function can not be found from storehouse, is further searched for
The pointed address of the upper instruction of the pointed instruction of address values, judge address pointed by a upper instruction whether with tune
It is identical with the initial address of function, if identical, illustrate that call function has return address, here in designated memory space
Address values are the return address ret of call function, then record the called initial time of the call function and end time, meter
The difference of call function called end time and initial time is calculated, obtains the allocating time of call function, such as current tune
The initial time being called with function is A, end time B, then allocating time mutually should be B-A, here only when performing calling
The initial time of call function could be recorded during function, the end time of call function could be recorded at the end of calling, and will
Allocating time is preserved into Memory Mapping File.
It should be noted that for illustrating that the call function may be recursive function in the absence of the call function of return value,
The call function may be jumped in other call functions when called, and the specified storage found from storehouse is empty
Between in address values be not call function return address, then can not accurately calculate the allocating time of the call function, because
This, the embodiment of the present invention for the call function in the absence of return value allocating time without calculate.
It should be noted that the embodiment of the present invention can also by creating a buffering area come the allocating time of storage function,
Further the allocating time of function is preserved to buffering area according to time statistical result event, the embodiment of the present invention is to function
The storage location of allocating time is without limiting.
Because in program operation process, the allocating time of different functions is different, during function is protected, such as
Fruit adds the allocating time difference corresponding with unprotected function of allocating time corresponding to the function after protection larger, can cause journey
Sort run efficiency is low, while also make it that the executable program volume after protection is excessive, and the embodiment of the present invention to function by adjusting
With the monitoring of time, the balance of program volume and efficiency is reached in the case of safety can be taken into account, when checking application program,
By analyzing the allocating time of call function, it can further determine that whether the function needs plus protect, if called
Time is excessive compared to adding protection to increase before, then illustrates that the function need not add protection, so being capable of helper applications developer
Subsequently optimize the application program write, while the function for needing plus protecting is found during application program is analyzed, so as to right
Function carries out shell adding protection.
The concrete application scene of the embodiment of the present invention can include but is not limited to following implementations:When program performs it
Before, Memory Mapping File and time statistical result event are created first, and Memory Mapping File is used for the letter for storing call function
Number information, time statistical result event are used to count the recalls information of call function and then by way of hang-up, then created
Monitoring process, and apply in monitoring process the Dram of preset capacity, and will be for analyzing default point of call function
Analyse code to be loaded into Dram, further start monitoring process, the identification information of monitoring process is transmitted, according to monitoring process
Identification information loads Memory Mapping File and time statistical result event, when program goes to call function, jumps to journey
Sequence perform initial address, the call function in program process is analyzed, further loading need injection monitor into
The dynamic link library of journey, call function is monitored according to the protected functional blocks of function hook in dynamic link library, if working as
Preceding configuration processor is needed to call v412_open functions, and the address of v412_open functions is further obtained by hook functional blocks,
The address values in designated memory space are read from storehouse, search the upper instruction institute of the pointed instruction of the address values
The address of sensing;Judge whether the upper pointed address of an instruction is identical with the initial address of the call function, such as
Fruit is identical, then the called initial time of the call function and end time is monitored, if return address illustrates the function not
It is recursive function, then calculates the difference of v412_open functions called end time and initial time, obtain v412_open
The allocating time of function, finally the allocating time of v412_open functions is preserved into Memory Mapping File.
In order to which whether further analytic function needs plus protects and adds influence of the protection to function, the embodiment of the present invention carries
The monitoring method of another function call time supplied, by being monitored to the allocating time of call function, so as to according to letter
Several allocating times comes whether decision function needs plus protect, and for the function for needing plus protecting, shell adding guarantor is carried out to the function
Shield, the function for protection need not be added, cancel the protection to the function, and then improve the operational efficiency of program.
Further, the specific implementation as method shown in Fig. 1, the embodiment of the present invention provide a kind of function call time
Supervising device, the device embodiment is corresponding with preceding method embodiment, and for ease of reading, the present apparatus is not implemented to preceding method
Detail content in example is repeated one by one, it should be understood that the device in the present embodiment, which can correspond to, realizes preceding method reality
The full content in example is applied, as shown in figure 3, described device includes:
First creating unit 31, it can be used for creating monitoring process by way of hang-up, included in the monitoring process
There is the Dram of preset capacity;
Unit 32 is loaded into, can be used for be loaded into the dynamic for the presupposition analysis code for monitoring the function call time
In depositing;
It start unit 33, can be used for starting the monitoring process, need to inject according to presupposition analysis code loading
To the dynamic link library of the monitoring process;
Monitoring unit 34, the monitoring functional blocks that can be used in the dynamic link library monitor the call function quilt
The initial time of calling and end time, obtain the allocating time of call function.
The supervising device of a kind of function call time provided in an embodiment of the present invention, during by that will be used to monitor function call
Between presupposition analysis code be loaded into monitoring process, in order to when program goes to the call function, according to dynamic link library
In the called initial time of monitoring functional blocks monitoring call function and the end time, the tune of call function can be monitored in real time
Use the time.Compared with the monitoring method of the function call time of prior art, the embodiment of the present invention passes through in program operation process
In the allocating time of call function is monitored, can obtain the allocating time of function in program process, and then can be with
Gap before function is protected with allocating time after protection is understood by the allocating time of function, and then more preferably understand function to be
It is no to need plus protect, Consumer's Experience is improved, in addition, can be carried out in real time to the function module of program according to the allocating time of function
Optimization, improves the operational efficiency of executable program, dramatically saves on the time of technical staff.
Further, the specific implementation as method shown in Fig. 2, the embodiments of the invention provide during another function call
Between supervising device, the device embodiment is corresponding with preceding method embodiment, for ease of read, the present apparatus is not to preceding method
Detail content in embodiment is repeated one by one, it should be understood that the device in the present embodiment, which can correspond to, realizes foregoing side
Full content in method embodiment, as shown in figure 4, described device includes:
First creating unit 41, it can be used for creating monitoring process by way of hang-up, included in the monitoring process
There is the Dram of preset capacity;
Unit 42 is loaded into, can be used for be loaded into the dynamic for the presupposition analysis code for monitoring the function call time
In depositing;
Second creating unit 43, it can be used for creating Memory Mapping File and time statistical result event, the internal memory
The function information of call function is stored with mapped file;
It loading unit 44, can be used for the identification information for transmitting the monitoring process, institute loaded according to the identification information
State Memory Mapping File and time statistical result event;
Adding device 45, the initial address for being performed program according to the Memory Mapping File are preset added to described
In code analysis, the initial address of program execution is jumped to when starting the monitoring process.
Start unit 46, for starting the monitoring process, need to be injected into institute according to presupposition analysis code loading
State the dynamic link library of monitoring process;
Monitoring unit 47, monitor the call function for the monitoring functional blocks in the dynamic link library and be called
Initial time and the end time, obtain the allocating time of call function.
Further, the monitoring unit 47 includes:
Starting module 471, it can be used for starting the function hook in the dynamic link library by the functional blocks of defence program
As monitoring functional blocks;
Monitoring module 472, it can be used for monitoring the calling letter by the functional blocks of defence program according to the function hook
The called initial time of number and end time, obtain the allocating time of the call function.
Further, the starting module 471, it can be also used for the function in the startup dynamic link library
Hook, as before monitoring functional blocks, the tune is obtained according to the function information of the call function by the functional blocks of defence program
With the type function of function;When the type function of the call function is directly can perform function, it is loaded into by module handle
Dynamic link library;When the type function of the call function is not directly performs function, dynamic is loaded into by load-on module
Chained library.
Further, the monitoring module 472, can be also used for, when call function is called, passing through the function
Hook is obtained the initial address of the call function by the functional blocks of defence program;Read from storehouse in designated memory space
Address values, the designated memory space are for storage function return address;Search the pointed instruction of the address values
The pointed address of a upper instruction;Judge whether a upper instruction pointed address rises with the call function
Beginning, address was identical, if identical, monitor the called initial time of the call function and end time, obtains call function
Allocating time.
Because in program operation process, the allocating time of different functions is different, during function is protected, such as
Fruit adds the allocating time difference corresponding with unprotected function of allocating time corresponding to the function after protection larger, can cause journey
Sort run efficiency is low, while also make it that the executable program volume after protection is excessive, and the embodiment of the present invention to function by adjusting
With the monitoring of time, the balance of program volume and efficiency is reached in the case of safety can be taken into account, when checking application program,
By analyzing the allocating time of call function, it can further determine that whether the function needs plus protect, if called
Time is excessive compared to adding protection to increase before, then illustrates that the function need not add protection, so being capable of helper applications developer
Subsequently optimize the application program write, while the function for needing plus protecting is found during application program is analyzed, so as to right
Function carries out shell adding protection.
The supervising device of another function call time provided in an embodiment of the present invention, during by the calling of call function
Between be monitored, so as to whether need plus protect come decision function according to the allocating time of function, for needing plus the letter of protection
Number, shell adding protection is carried out to the function, the function for protection need not be added, cancels the protection to the function, and then improve journey
The operational efficiency of sequence.
The supervising device of the function call time includes processor and memory, above-mentioned first creating unit 31, is loaded into
Unit 32, start unit 33 and monitoring unit 34 etc. in memory, are stored as program unit storage by computing device
Said procedure unit in memory realizes corresponding function.
Kernel is included in processor, is gone in memory to transfer corresponding program unit by kernel.Kernel can set one
Or more, manpower is saved by adjusting kernel parameter, the monitoring of function call time can be realized, so as to more preferably understand function
Whether need plus protect.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/
Or the form such as Nonvolatile memory, such as read-only storage (ROM) or flash memory (flash RAM), memory includes at least one deposit
Store up chip.
Present invention also provides a kind of computer program product, when being performed on data processing equipment, is adapted for carrying out just
The program code of beginningization there are as below methods step:Monitoring process is created by way of hang-up, is included in the monitoring process
The Dram of preset capacity;It will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;Open
The monitoring process is moved, needs to be injected into the dynamic link library of the monitoring process according to presupposition analysis code loading;Root
The called initial time of the call function and end time are monitored according to the monitoring functional blocks in the dynamic link library, is obtained
The allocating time of call function.
It should be understood by those skilled in the art that, embodiments herein can be provided as method, system or computer program
Product.Therefore, the application can use the reality in terms of complete hardware embodiment, complete software embodiment or combination software and hardware
Apply the form of example.Moreover, the application can use the computer for wherein including computer usable program code in one or more
The computer program production that usable storage medium is implemented on (including but is not limited to magnetic disk storage, CD-ROM, optical memory etc.)
The form of product.
The application is with reference to the flow according to the method for the embodiment of the present application, equipment (system) and computer program product
Figure and/or block diagram describe.It should be understood that can be by every first-class in computer program instructions implementation process figure and/or block diagram
Journey and/or the flow in square frame and flow chart and/or block diagram and/or the combination of square frame.These computer programs can be provided
The processors of all-purpose computer, special-purpose computer, Embedded Processor or other programmable data processing devices is instructed to produce
A raw machine so that produced by the instruction of computer or the computing device of other programmable data processing devices for real
The device for the function of being specified in present one flow of flow chart or one square frame of multiple flows and/or block diagram or multiple square frames.
These computer program instructions, which may be alternatively stored in, can guide computer or other programmable data processing devices with spy
Determine in the computer-readable memory that mode works so that the instruction being stored in the computer-readable memory, which produces, to be included referring to
Make the manufacture of device, the command device realize in one flow of flow chart or multiple flows and/or one square frame of block diagram or
The function of being specified in multiple square frames.
These computer program instructions can be also loaded into computer or other programmable data processing devices so that counted
Series of operation steps is performed on calculation machine or other programmable devices to produce computer implemented processing, so as in computer or
The instruction performed on other programmable devices is provided for realizing in one flow of flow chart or multiple flows and/or block diagram one
The step of function of being specified in individual square frame or multiple square frames.
In a typical configuration, computing device includes one or more processors (CPU), input/output interface, net
Network interface and internal memory.
Memory may include computer-readable medium in volatile memory, random access memory (RAM) and/
Or the form such as Nonvolatile memory, such as read-only storage (ROM) or flash memory (flash RAM).Memory is computer-readable Jie
The example of matter.
Computer-readable medium includes permanent and non-permanent, removable and non-removable media can be by any method
Or technology come realize information store.Information can be computer-readable instruction, data structure, the module of program or other data.
The example of the storage medium of computer includes, but are not limited to phase transition internal memory (PRAM), static RAM (SRAM), moved
State random access memory (DRAM), other kinds of random access memory (RAM), read-only storage (ROM), electric erasable
Programmable read only memory (EEPROM), fast flash memory bank or other memory techniques, read-only optical disc read-only storage (CD-ROM),
Digital versatile disc (DVD) or other optical storages, magnetic cassette tape, the storage of tape magnetic rigid disk or other magnetic storage apparatus
Or any other non-transmission medium, the information that can be accessed by a computing device available for storage.Define, calculate according to herein
Machine computer-readable recording medium does not include temporary computer readable media (transitory media), such as data-signal and carrier wave of modulation.
Embodiments herein is these are only, is not limited to the application.To those skilled in the art,
The application can have various modifications and variations.All any modifications made within spirit herein and principle, equivalent substitution,
Improve etc., it should be included within the scope of claims hereof.
Claims (10)
- A kind of 1. monitoring method of function call time, it is characterised in that including:Monitoring process is created by way of hang-up, the Dram of preset capacity is included in the monitoring process;It will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;Start the monitoring process, need to be injected into the dynamic link of the monitoring process according to presupposition analysis code loading Storehouse;Monitoring functional blocks in the dynamic link library monitor the called initial time of the call function with the end of Between, obtain the allocating time of call function.
- 2. according to the method for claim 1, it is characterised in that before the startup monitoring process, methods described Also include:Memory Mapping File and time statistical result event are created, the letter of call function is stored with the Memory Mapping File Number information;The identification information of the monitoring process is transmitted, the Memory Mapping File is loaded according to the identification information and the time unites Count result event;The initial address for being performed program according to the Memory Mapping File is added in the presupposition analysis code, when startup institute The initial address of program execution is jumped to when stating monitoring process.
- 3. according to the method for claim 1, it is characterised in that the monitoring functional blocks in the dynamic link library The called initial time of the call function and end time are monitored, obtaining the allocating time of call function includes:Start the function hook in the dynamic link library by the functional blocks of defence program as monitoring functional blocks;The called initial time of the call function and end are monitored by the functional blocks of defence program according to the function hook Time, obtain the allocating time of the call function.
- 4. according to the method for claim 3, it is characterised in that the function hook in the startup dynamic link library By the functional blocks of defence program as before monitoring functional blocks, methods described also includes:The type function of the call function is obtained according to the function information of the call function;When the type function of the call function is directly can perform function, dynamic link library is loaded into by module handle;When the type function of the call function is not directly performs function, dynamic link library is loaded into by load-on module.
- 5. according to the method for claim 3, it is characterised in that it is described according to the function hook by the function of defence program Block monitors the called initial time of the call function and end time, and obtaining the allocating time of the call function includes:When call function is called, rising for the call function is obtained by the functional blocks of defence program by the function hook Beginning address;The address values in designated memory space are read from storehouse, the designated memory space is to be used to storage function return to ground Location;Search the pointed address of a upper instruction for the pointed instruction of the address values;Judge whether the upper pointed address of an instruction is identical with the initial address of the call function, if identical, The called initial time of the call function and end time are then monitored, obtains the allocating time of call function.
- A kind of 6. supervising device of function call time, it is characterised in that including:First creating unit, for creating monitoring process by way of hang-up, include preset capacity in the monitoring process Dram;Unit is loaded into, for will be loaded into for the presupposition analysis code for monitoring the function call time in the Dram;Start unit, for starting the monitoring process, need to be injected into the monitoring according to presupposition analysis code loading The dynamic link library of process;Monitoring unit, the called starting of the call function is monitored for the monitoring functional blocks in the dynamic link library Time and end time, obtain the allocating time of call function.
- 7. device according to claim 6, it is characterised in that described device also includes:Second creating unit, for creating Memory Mapping File and time statistical result event, in the Memory Mapping File It is stored with the function information of call function;Loading unit, for transmitting the identification information of the monitoring process, the internal memory is loaded according to the identification information and mapped File and time statistical result event;Adding device, the initial address for being performed program according to the Memory Mapping File are added to the presupposition analysis generation In code, the initial address of program execution is jumped to when starting the monitoring process.
- 8. device according to claim 6, it is characterised in that the monitoring unit includes:Starting module, for starting the function hook in the dynamic link library by the functional blocks of defence program as monitoring function Block;Monitoring module, for being monitored according to the function hook by the functional blocks of defence program, the call function is called to be risen Begin time and end time, obtain the allocating time of the call function.
- 9. device according to claim 8, it is characterised in thatThe starting module, the function hook in the startup dynamic link library is additionally operable to by the functional blocks of defence program Before monitoring functional blocks, the type function of the call function is obtained according to the function information of the call function;Work as institute The type function for stating call function is that when can directly perform function, dynamic link library is loaded into by module handle;When the calling When the type function of function is not directly performs function, dynamic link library is loaded into by load-on module.
- 10. device according to claim 8, it is characterised in thatThe monitoring module, it is additionally operable to when call function is called, by the function hook by the functional blocks of defence program Obtain the initial address of the call function;The address values in designated memory space, the specified storage are read from storehouse Space is for storage function return address;Search the pointed ground of a upper instruction for the pointed instruction of the address values Location;Judge whether the upper pointed address of an instruction is identical with the initial address of the call function, if identical, The called initial time of the call function and end time are monitored, obtains the allocating time of call function.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710651465.7A CN107480029B (en) | 2017-08-02 | 2017-08-02 | A kind of monitoring method and device of function call time |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710651465.7A CN107480029B (en) | 2017-08-02 | 2017-08-02 | A kind of monitoring method and device of function call time |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN107480029A true CN107480029A (en) | 2017-12-15 |
| CN107480029B CN107480029B (en) | 2019-02-15 |
Family
ID=60597156
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710651465.7A Active CN107480029B (en) | 2017-08-02 | 2017-08-02 | A kind of monitoring method and device of function call time |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN107480029B (en) |
Cited By (13)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108345526A (en) * | 2017-12-20 | 2018-07-31 | 北京金山安全管理系统技术有限公司 | Hook processing method and processing device |
| CN108595319A (en) * | 2018-03-30 | 2018-09-28 | 阿里巴巴集团控股有限公司 | Function choosing method and server |
| CN108664372A (en) * | 2018-05-08 | 2018-10-16 | 平安科技(深圳)有限公司 | Monitoring device, method and the computer readable storage medium of test process |
| CN109783161A (en) * | 2018-12-11 | 2019-05-21 | 北京三快在线科技有限公司 | The operation information of application program determines method, apparatus in iOS system |
| CN110781060A (en) * | 2019-09-20 | 2020-02-11 | 平安普惠企业管理有限公司 | Function monitoring method and device, computer equipment and storage medium |
| CN111708670A (en) * | 2020-06-10 | 2020-09-25 | 中国第一汽车股份有限公司 | Method and device for determining task time parameters in real-time operating system and vehicle |
| CN111884884A (en) * | 2020-07-31 | 2020-11-03 | 北京明朝万达科技股份有限公司 | Method, system and device for monitoring file transmission |
| CN112052078A (en) * | 2019-06-06 | 2020-12-08 | 阿里巴巴集团控股有限公司 | Time-consuming determination method and device |
| CN112328932A (en) * | 2020-07-30 | 2021-02-05 | 神州融安科技(北京)有限公司 | Operation execution method, electronic device and computer-readable storage medium |
| CN112948214A (en) * | 2021-03-02 | 2021-06-11 | 网宿科技股份有限公司 | Software overload warning method and device |
| CN113238800A (en) * | 2021-05-25 | 2021-08-10 | 上海安路信息科技股份有限公司 | Stack structure and function calling method and system |
| CN113535457A (en) * | 2021-09-14 | 2021-10-22 | 腾讯科技(深圳)有限公司 | Detection method, device, equipment and computer readable storage medium |
| US20220391305A1 (en) * | 2020-09-22 | 2022-12-08 | Sap Se | Vendor assisted customer individualized testing |
Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7757215B1 (en) * | 2006-04-11 | 2010-07-13 | Oracle America, Inc. | Dynamic fault injection during code-testing using a dynamic tracing framework |
| CN103077332A (en) * | 2012-12-28 | 2013-05-01 | 飞天诚信科技股份有限公司 | Method and device for running packer application with self-checking |
| CN103425565A (en) * | 2012-05-16 | 2013-12-04 | 腾讯科技(深圳)有限公司 | Method and system for acquiring running information of program |
| CN103544095A (en) * | 2012-07-12 | 2014-01-29 | 腾讯科技(深圳)有限公司 | Server program monitoring method and system of server program |
| CN104680042A (en) * | 2015-03-10 | 2015-06-03 | 北京深思数盾科技有限公司 | Method and system for analyzing performances of virtual machine |
| CN105550585A (en) * | 2016-03-02 | 2016-05-04 | 腾讯科技(深圳)有限公司 | Application security testing method, device and system |
| CN105630668A (en) * | 2014-12-01 | 2016-06-01 | 深圳市腾讯计算机系统有限公司 | Test method and apparatus |
| CN105843640A (en) * | 2016-03-21 | 2016-08-10 | 武汉斗鱼网络科技有限公司 | Dynamic link library injection method and apparatus |
| CN106354644A (en) * | 2016-08-30 | 2017-01-25 | 北京深思数盾科技股份有限公司 | Application program performance test method, device and system |
| CN106649084A (en) * | 2016-09-14 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Function call information obtaining method and apparatus, and test device |
| CN107102944A (en) * | 2017-04-07 | 2017-08-29 | 北京深思数盾科技股份有限公司 | The analysis method and device of a kind of call function |
-
2017
- 2017-08-02 CN CN201710651465.7A patent/CN107480029B/en active Active
Patent Citations (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7757215B1 (en) * | 2006-04-11 | 2010-07-13 | Oracle America, Inc. | Dynamic fault injection during code-testing using a dynamic tracing framework |
| CN103425565A (en) * | 2012-05-16 | 2013-12-04 | 腾讯科技(深圳)有限公司 | Method and system for acquiring running information of program |
| CN103544095A (en) * | 2012-07-12 | 2014-01-29 | 腾讯科技(深圳)有限公司 | Server program monitoring method and system of server program |
| CN103077332A (en) * | 2012-12-28 | 2013-05-01 | 飞天诚信科技股份有限公司 | Method and device for running packer application with self-checking |
| CN105630668A (en) * | 2014-12-01 | 2016-06-01 | 深圳市腾讯计算机系统有限公司 | Test method and apparatus |
| CN104680042A (en) * | 2015-03-10 | 2015-06-03 | 北京深思数盾科技有限公司 | Method and system for analyzing performances of virtual machine |
| CN105550585A (en) * | 2016-03-02 | 2016-05-04 | 腾讯科技(深圳)有限公司 | Application security testing method, device and system |
| CN105843640A (en) * | 2016-03-21 | 2016-08-10 | 武汉斗鱼网络科技有限公司 | Dynamic link library injection method and apparatus |
| CN106354644A (en) * | 2016-08-30 | 2017-01-25 | 北京深思数盾科技股份有限公司 | Application program performance test method, device and system |
| CN106649084A (en) * | 2016-09-14 | 2017-05-10 | 腾讯科技(深圳)有限公司 | Function call information obtaining method and apparatus, and test device |
| CN107102944A (en) * | 2017-04-07 | 2017-08-29 | 北京深思数盾科技股份有限公司 | The analysis method and device of a kind of call function |
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108345526B (en) * | 2017-12-20 | 2021-06-11 | 北京金山安全管理系统技术有限公司 | Hook processing method and device |
| CN108345526A (en) * | 2017-12-20 | 2018-07-31 | 北京金山安全管理系统技术有限公司 | Hook processing method and processing device |
| CN108595319A (en) * | 2018-03-30 | 2018-09-28 | 阿里巴巴集团控股有限公司 | Function choosing method and server |
| CN108595319B (en) * | 2018-03-30 | 2020-08-04 | 阿里巴巴集团控股有限公司 | Function selection method and server |
| CN108664372A (en) * | 2018-05-08 | 2018-10-16 | 平安科技(深圳)有限公司 | Monitoring device, method and the computer readable storage medium of test process |
| CN109783161A (en) * | 2018-12-11 | 2019-05-21 | 北京三快在线科技有限公司 | The operation information of application program determines method, apparatus in iOS system |
| CN109783161B (en) * | 2018-12-11 | 2020-08-04 | 北京三快在线科技有限公司 | Method and device for determining running information of application program in iOS system |
| CN112052078A (en) * | 2019-06-06 | 2020-12-08 | 阿里巴巴集团控股有限公司 | Time-consuming determination method and device |
| CN110781060A (en) * | 2019-09-20 | 2020-02-11 | 平安普惠企业管理有限公司 | Function monitoring method and device, computer equipment and storage medium |
| CN111708670A (en) * | 2020-06-10 | 2020-09-25 | 中国第一汽车股份有限公司 | Method and device for determining task time parameters in real-time operating system and vehicle |
| CN112328932A (en) * | 2020-07-30 | 2021-02-05 | 神州融安科技(北京)有限公司 | Operation execution method, electronic device and computer-readable storage medium |
| CN111884884A (en) * | 2020-07-31 | 2020-11-03 | 北京明朝万达科技股份有限公司 | Method, system and device for monitoring file transmission |
| US20220391305A1 (en) * | 2020-09-22 | 2022-12-08 | Sap Se | Vendor assisted customer individualized testing |
| US11734160B2 (en) * | 2020-09-22 | 2023-08-22 | Sap Se | Vendor assisted customer individualized testing |
| CN112948214A (en) * | 2021-03-02 | 2021-06-11 | 网宿科技股份有限公司 | Software overload warning method and device |
| CN112948214B (en) * | 2021-03-02 | 2024-02-02 | 网宿科技股份有限公司 | Software overload warning method and device |
| CN113238800A (en) * | 2021-05-25 | 2021-08-10 | 上海安路信息科技股份有限公司 | Stack structure and function calling method and system |
| CN113535457A (en) * | 2021-09-14 | 2021-10-22 | 腾讯科技(深圳)有限公司 | Detection method, device, equipment and computer readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN107480029B (en) | 2019-02-15 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107480029B (en) | A kind of monitoring method and device of function call time | |
| CN107102944A (en) | The analysis method and device of a kind of call function | |
| US9465721B2 (en) | Snapshotting executing code with a modifiable snapshot definition | |
| US8978141B2 (en) | System and method for detecting malicious software using malware trigger scenarios | |
| US9230106B2 (en) | System and method for detecting malicious software using malware trigger scenarios in a modified computer environment | |
| US10050797B2 (en) | Inserting snapshot code into an application | |
| US9021444B2 (en) | Combined performance tracer and snapshot debugging system | |
| KR101740604B1 (en) | Generic unpacking of applications for malware detection | |
| CN103001947B (en) | A kind of program processing method and system | |
| CN109818937A (en) | For the control method of Android permission, device and storage medium, electronic device | |
| CN103413073B (en) | A kind of method and apparatus protecting JAVA executable program | |
| CN103914637B (en) | A kind of executable program encryption method of Android platform | |
| KR101228899B1 (en) | Method and Apparatus for categorizing and analyzing Malicious Code Using Vector Calculation | |
| CN105574411A (en) | Dynamic unshelling method, device and equipment | |
| CN113138836B (en) | Escape prevention method using escape prevention system based on Docker container | |
| CN106897607A (en) | A kind of method for monitoring application program and device | |
| CN105678168A (en) | Method and apparatus for detecting Shellcode based on stack frame abnormity | |
| EP3036636A1 (en) | Snapshotting executing code with a modifiable snapshot definition | |
| CN104714831B (en) | A kind of method and apparatus of parasitic process in detection virtual machine | |
| CN103970574B (en) | The operation method and device of office programs, computer system | |
| CN108985096B (en) | Security enhancement and security operation method and device for Android SQLite database | |
| KR101557455B1 (en) | Application Code Analysis Apparatus and Method For Code Analysis Using The Same | |
| CN106775843B (en) | Dalvik byte code optimization method based on memory loading | |
| CN104537281A (en) | Systems and methods for mobile application protection | |
| CN113779578A (en) | Intelligent confusion method and system for mobile terminal application |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant | ||
| CP01 | Change in the name or title of a patent holder |
Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee after: Beijing Shendun Technology Co.,Ltd. Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd. |
|
| CP01 | Change in the name or title of a patent holder |