CN107480029B - Method and device for monitoring function call time - Google Patents

Info

Publication number: CN107480029B
Application number: CN201710651465.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN107480029A
Inventors: 孙吉平, 尹永政
Current assignee: Beijing Senseshield Technology Co Ltd
Original assignee: Beijing Senseshield Technology Co Ltd
Legal status: Active (the listed status is an assumption and is not a legal conclusion)
Classifications

    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a software system
    • G06F11/3423 Recording or statistical evaluation of computer activity for performance assessment by assessing time, where the assessed time is active or idle time
    • G06F21/14 Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow, by adding security routines or objects to programs
    • G06F2201/865 Monitoring of software

Abstract

The invention discloses a method and device for monitoring function call time, relating to the field of computer security. Its main purpose is to monitor function call time so as to better determine whether a function needs added protection. The method includes: creating a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity; loading preset analysis code for monitoring function call time into the dynamic memory; starting the monitoring process and loading, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process; and monitoring, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked, to obtain the call time of the called function. The invention is mainly used for analyzing the call time of functions.

Description

Method and device for monitoring function call time
Technical field
The present invention relates to the field of computer security, and in particular to a method and device for monitoring function call time.
Background
In function protection, a function may be blindly packed for protection (for example by code fragmentation, code virtualization, code migration or code obfuscation) without a clear understanding of its call time. For a function to which protection has been added, if the gap between its call time before protection and after protection is large, the added protection has significantly affected the running time of the function and the protection of that function should be cancelled; if the gap between its call time before protection and after protection is small, the added protection has not greatly affected the function and there is no need to cancel it. Therefore, when the call time of functions is not understood, it is easy to unintentionally protect system functions, or functions called at run time, that were not meant to be protected. This not only affects the size of the packed program but also reduces the running efficiency of the packed program.
If a developer protects too many functions that do not need added protection while the program runs, the size of the protected executable program increases and the running efficiency of the protected executable program decreases.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method and device for monitoring function call time that overcome the above problems or at least partially solve them, making it possible to monitor function call time and thereby better determine whether a function needs added protection.
According to one aspect of the embodiments of the present invention, a method for monitoring function call time is provided, comprising:
Creating a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
Loading preset analysis code for monitoring function call time into the dynamic memory;
Starting the monitoring process, and loading, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
Monitoring, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked, to obtain the call time of the called function.
Further, before the monitoring process is started, the method also includes:
Creating a memory-mapped file and a time statistics result event, the memory-mapped file storing the function information of the called function;
Passing the identification information of the monitoring process, and loading the memory-mapped file and the time statistics result event according to the identification information;
Adding the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started.
Further, monitoring, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked, to obtain the call time of the called function, includes:
Starting the function block of the function-hook-protected program in the dynamic link library to serve as the monitoring function block;
Monitoring, by the function block of the function-hook-protected program, the start time and end time at which the called function is invoked, to obtain the call time of the called function.
Further, before the function block of the function-hook-protected program in the dynamic link library is started to serve as the monitoring function block, the method also includes:
Obtaining the function type of the called function from the function information of the called function;
When the function type of the called function is a directly executable function, loading the dynamic link library through a module handle;
When the function type of the called function is not a directly executable function, loading the dynamic link library through a loading module.
Further, monitoring, by the function block of the function-hook-protected program, the start time and end time at which the called function is invoked, to obtain the call time of the called function, includes:
When the called function is invoked, obtaining the start address of the called function through the function block of the function-hook-protected program;
Reading the address value held in a designated storage space on the stack, the designated storage space being used to store the function return address;
Finding the address pointed to by the instruction preceding the instruction that the address value points to;
Judging whether the address pointed to by the preceding instruction is the same as the start address of the called function and, if so, monitoring the start time and end time at which the called function is invoked, to obtain the call time of the called function.
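The return-address check in the steps above, as an added example in C that is not code from the patent. It assumes 32-bit x86 and reads "the instruction preceding the one the return address points to" as a direct near call (`E8 rel32`); the image bytes, addresses and tick values are constructed, and the names `callsite_targets`, `hook_enter` and `hook_leave` are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed code image: raw bytes plus the virtual address of byte 0. */
typedef struct {
    const uint8_t *bytes;
    size_t         len;
    uint32_t       base;
} code_image;

enum { CALLSITE_UNDECODABLE = -1, CALLSITE_MISMATCH = 0, CALLSITE_MATCH = 1 };

/* Constructed sample loaded at 0x00401000; the monitored function is at +0x10. */
static const uint8_t SAMPLE_BYTES[] = {
    0xE8, 0x0B, 0x00, 0x00, 0x00, /* +0x00 call 0x00401010, returns to +0x05 */
    0x90,                         /* +0x05 nop                               */
    0xE8, 0x15, 0x00, 0x00, 0x00, /* +0x06 call 0x00401020, returns to +0x0B */
    0xFF, 0xD0,                   /* +0x0B call eax (indirect), ret to +0x0D */
    0xC3, 0x90, 0x90,             /* +0x0D ret, padding                      */
    0xC3,                         /* +0x10 monitored function: ret           */
    0xE8, 0xFA, 0xFF, 0xFF, 0xFF  /* +0x11 backward call 0x00401010, ret +0x16 */
};

code_image sample_image(void)
{
    code_image img = { SAMPLE_BYTES, sizeof SAMPLE_BYTES, 0x00401000u };
    return img;
}

/* Take the return address read from the stack, step back to the instruction
 * that precedes it, and compare the address that instruction points to with
 * the start address of the called function. Only E8 rel32 is recognised:
 * an indirect call cannot be resolved from its bytes alone, and a byte that
 * merely happens to be 0xE8 can still produce a false decode. */
int callsite_targets(const code_image *img, uint32_t ret_addr, uint32_t func_start)
{
    if (ret_addr < img->base)
        return CALLSITE_UNDECODABLE;
    uint32_t off = ret_addr - img->base;
    if (off < 5 || off > img->len)       /* need 5 bytes before ret_addr */
        return CALLSITE_UNDECODABLE;

    const uint8_t *insn = img->bytes + (off - 5);
    if (insn[0] != 0xE8)
        return CALLSITE_UNDECODABLE;

    /* rel32 is little-endian and relative to the return address; unsigned
     * wrap-around handles backward (negative) displacements. */
    uint32_t rel = (uint32_t)insn[1] | (uint32_t)insn[2] << 8 |
                   (uint32_t)insn[3] << 16 | (uint32_t)insn[4] << 24;
    uint32_t target = ret_addr + rel;
    return target == func_start ? CALLSITE_MATCH : CALLSITE_MISMATCH;
}

/* One timing record per monitored function. */
typedef struct {
    uint32_t func_start; /* start address of the called function */
    int      armed;      /* 1 while a verified call is being timed */
    uint64_t start;      /* start time A */
    uint64_t elapsed;    /* call time B - A of the last verified call */
} call_record;

/* Entry side of the hook: start timing only if the call site checks out. */
int hook_enter(call_record *r, const code_image *img, uint32_t ret_addr, uint64_t now)
{
    r->armed = callsite_targets(img, ret_addr, r->func_start) == CALLSITE_MATCH;
    if (r->armed)
        r->start = now;
    return r->armed;
}

/* Exit side of the hook: record B - A, but only for a call that was armed. */
int hook_leave(call_record *r, uint64_t now)
{
    if (!r->armed)
        return 0;
    r->elapsed = now - r->start;
    r->armed = 0;
    return 1;
}

int main(void)
{
    code_image img = sample_image();
    call_record rec = { 0x00401010u, 0, 0, 0 };
    const uint32_t rets[] = { 0x00401005u, 0x0040100Bu, 0x0040100Du, 0x00401016u };

    for (size_t i = 0; i < sizeof rets / sizeof rets[0]; i++)
        printf("ret=0x%08X -> %d\n", (unsigned)rets[i],
               callsite_targets(&img, rets[i], rec.func_start));

    if (hook_enter(&rec, &img, 0x00401005u, 1000) && hook_leave(&rec, 1750))
        printf("call time = %llu ticks\n", (unsigned long long)rec.elapsed);
    return 0;
}
```

In a real hook the tick values would come from a monotonic clock; they are passed in as arguments here so the result is reproducible.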
According to another aspect of the embodiments of the present invention, a device for monitoring function call time is provided, comprising:
A first creating unit, for creating a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
A load-in unit, for loading preset analysis code for monitoring function call time into the dynamic memory;
A starting unit, for starting the monitoring process and loading, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
A monitoring unit, for monitoring, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked, to obtain the call time of the called function.
Further, the device also includes:
A second creating unit, for creating a memory-mapped file and a time statistics result event, the memory-mapped file storing the function information of the called function;
A loading unit, for passing the identification information of the monitoring process and loading the memory-mapped file and the time statistics result event according to the identification information;
An adding unit, for adding the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started.
Further, the monitoring unit includes:
A starting module, for starting the function block of the function-hook-protected program in the dynamic link library to serve as the monitoring function block;
A monitoring module, for monitoring, by the function block of the function-hook-protected program, the start time and end time at which the called function is invoked, to obtain the call time of the called function.
Further, the starting module is also used, before the function block of the function-hook-protected program in the dynamic link library is started to serve as the monitoring function block, to obtain the function type of the called function from the function information of the called function; when the function type of the called function is a directly executable function, to load the dynamic link library through a module handle; and when the function type of the called function is not a directly executable function, to load the dynamic link library through a loading module.
Further, the monitoring module is also used, when the called function is invoked, to obtain the start address of the called function through the function block of the function-hook-protected program; to read the address value held in a designated storage space on the stack, the designated storage space being used to store the function return address; to find the address pointed to by the instruction preceding the instruction that the address value points to; and to judge whether the address pointed to by the preceding instruction is the same as the start address of the called function and, if so, to monitor the start time and end time at which the called function is invoked, to obtain the call time of the called function.
With the above technical solution, the method and device for monitoring function call time provided by the present invention load the preset analysis code for monitoring function call time into the monitoring process so that, when execution reaches the called function in the program, the start time and end time at which the called function is invoked are monitored by the monitoring function block in the dynamic link library, and the call time of the called function can be monitored in real time. Compared with prior-art methods for monitoring function call time, the embodiment of the present invention monitors the call time of the called function while the program is running and can therefore obtain the call time of functions during program execution. The call time makes it possible to see the gap between a function's call time before protection and after protection, and thus to better determine whether the function needs added protection, which improves the user experience. In addition, the function modules of the program can be optimized in real time according to the call time of functions, which improves the running efficiency of the executable program and greatly saves technicians' time.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the contents of the specification, and so that the above and other objects, features and advantages of the present invention are easier to understand, specific embodiments of the present invention are set out below.
Description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow diagram of a method for monitoring function call time provided by an embodiment of the present invention;
Fig. 2 shows a flow diagram of another method for monitoring function call time provided by an embodiment of the present invention;
Fig. 3 shows a structural diagram of a device for monitoring function call time provided by an embodiment of the present invention;
Fig. 4 shows a structural diagram of another device for monitoring function call time provided by an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
An embodiment of the present invention provides a method for monitoring function call time. As shown in Fig. 1, the method mainly uses preset code to monitor the call time of the called function, and the specific steps include:
101. Create a monitoring process in a suspended state.
The monitoring process is used to monitor the call time of functions during program execution. In addition, because executing a program requires a certain amount of memory, dynamic memory of a preset capacity is requested in the monitoring process for the convenience of the process. It can be used to store the preset analysis code or other program running data, such as code segments or data segments. The embodiment of the present invention does not limit the capacity of the requested dynamic memory, which can be requested according to the memory size the application actually needs in order to run.
It should be noted that, to make it convenient for the user to observe and analyze the monitoring process, the monitoring process is created in a suspended state. The monitoring process is static at this point, which makes it convenient for the user to modify the program or perform other operations.
102. Load the preset analysis code for monitoring function call time into the dynamic memory.
The preset analysis code here is mainly used to analyze the call time of the called function. It may specifically include multiple modules such as a process identification passing module, a program start address adding module, a dynamic link library injection module and an information saving module. The modules can communicate with one another and do not affect one another.

The process identification passing module is used to pass the identification information of the monitoring process, so that the program loads the memory-mapped file and the time statistics result event according to that identification information. The memory-mapped file stores the function information of the called function, such as the name of the function, the relative virtual address (RVA) of the function, the number of relative virtual addresses (RVAs) of the function, and the start address of program execution.

The program start address adding module is used to add the start address of program execution held in the memory-mapped file to the preset analysis code, so that execution jumps to the start address at which the preset analysis code executes when the called function is invoked.

The dynamic link library injection module is used to load the dynamic link library of the monitoring process; the function information of the called function is monitored according to the analysis function block stored in the dynamic link library to obtain the call time of the called function. Using a dynamic link library here makes it easier to apply the program to each module without affecting the other parts of the program, and also makes the monitoring process easier to modify: if, for example, the function call time content needs to be updated, this can be done by modifying the dynamic link library, which simplifies updating the program.

The information saving module is used to save the call information into the memory-mapped file according to the time statistics result event, for subsequent analysis of function call time. The information can also be shown in a display interface so that it is presented to the user more intuitively.
Specifically, when program execution reaches the called function, the called function is analyzed by the modules in the preset analysis code. First, the process identification passing module passes the identification information of the monitoring process, and the memory-mapped file and the time statistics result event are loaded according to the identification information. Then the program start address adding module adds the start address of program execution held in the memory-mapped file to the preset analysis code. Next, the monitoring function block in the dynamic link library is loaded through the dynamic link library and the called function is monitored to obtain the call time of the function. Finally, the information saving module saves the call time of the function into the memory-mapped file in real time.
103. Start the monitoring process and load, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process.
Specifically, after the monitoring process is started, when program execution is observed to reach the called function, the called function is analyzed by the modules in the preset analysis code. First, the process identification passing module passes the identification information of the monitoring process, and the memory-mapped file and the time statistics result event are loaded according to the identification information. Then the program start address adding module adds the start address of program execution held in the memory-mapped file to the preset analysis code. Next, the monitoring function block in the dynamic link library is loaded through the dynamic link library, which realizes the monitoring of the called function.
104. Monitor, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked, to obtain the call time of the called function.
The dynamic link library stores the analysis function block for monitoring function call time. The function information of the called function can be obtained from the memory-mapped file. The function block of the function-hook-protected program in the dynamic link library is then started to serve as the monitoring function block and monitors the called function, that is, the start time and end time at which the called function is invoked. The call time of the called function is obtained by subtracting the start time from the end time, and the information saving module can save the call time of the function into the memory-mapped file in real time.
It should be noted that the call time obtained here can be displayed according to the user's actual needs. For example, the user can set the interface to display the call time of the most recent invocation of a function, or set the interface to display the call time of every invocation of all called functions; the start time and end time at which a function is invoked can of course also be displayed. The embodiment of the present invention does not limit the content of the analysis results shown on the interface.
As the above implementation shows, the method for monitoring function call time provided by the embodiment of the present invention loads the preset analysis code for monitoring function call time into the monitoring process so that, when execution reaches the called function in the program, the start time and end time at which the called function is invoked are monitored by the monitoring function block in the dynamic link library, and the call time of the called function can be monitored in real time. Compared with prior-art methods for monitoring function call time, the embodiment of the present invention monitors the call time of the called function while the program is running and can therefore obtain the call time of functions during program execution. The call time makes it possible to see the gap between a function's call time before protection and after protection, and thus to better determine whether the function needs added protection, which improves the user experience. In addition, the function modules of the program can be optimized in real time according to the call time of functions, which improves the running efficiency of the executable program and greatly saves technicians' time.
To explain the proposed method for monitoring function call time in more detail, in particular the step of monitoring, according to the monitoring function block in the dynamic link library, the start time and end time at which the called function is invoked to obtain the call time of the called function, an embodiment of the present invention also provides another method for monitoring function call time. As shown in Fig. 2, the specific steps of this method include:
201. Create a monitoring process in a suspended state.
The monitoring process is used to monitor the call time of functions during program execution. In addition, because executing a program requires a certain amount of memory, dynamic memory of a preset capacity is requested in the monitoring process for the convenience of the process. It can be used to store the preset analysis code or other program running data, such as code segments or data segments. The embodiment of the present invention does not limit the capacity of the requested dynamic memory, which can be requested according to the memory size the application actually needs in order to run.
In the embodiment of the present invention, the created monitoring process monitors the call time of the called functions during program execution, in order to learn how long a function takes to be called under different conditions and so protect the program better. In general, for a function to which protection has been added, if the gap between its call time before protection and after protection is large, the added protection has significantly affected the running time of the function and the protection of that function should be cancelled; if the gap between its call time before protection and after protection is small, the added protection has not greatly affected the function and there is no need to cancel it. By monitoring the call time of the called function, the embodiment of the present invention can better determine whether a function needs added protection, and then protect the functions that need protection.
It should be noted that, before the monitoring process is created, a performance analysis can be carried out on each sub-thread in the process using an analyzer. The performance analysis here mainly detects possible memory leaks by collecting statistics on memory usage and determines the direction in which memory use should be optimized, to prevent the interface from freezing.
202. Load the preset analysis code for monitoring function call time into the dynamic memory.
The preset analysis code here is used to monitor the call time of the called function. It may specifically include multiple modules such as a process identification passing module, a program start address adding module, a dynamic link library injection module and an information saving module. The modules can communicate with one another and do not affect one another.
It should be noted that the preset analysis code here may store each module in the form of assembled shellcode, and the shellcode is then written into the requested dynamic memory. The embodiment of the present invention does not limit the compilation mode of the preset analysis code.
203. Create a memory-mapped file and a time statistics result event.
The memory-mapped file stores the function information of the called function, for example the name of the called function, the relative virtual address (RVA) of the called function, the number of relative virtual addresses (RVAs) of the called function, and the start address of program execution. The time statistics result event is used to collect statistics on the call information of the called function.
By creating a memory-mapped file, the embodiment of the present invention makes it convenient to start multiple performance analysis modules at the same time and to realize data communication between the modules; creating the time statistics result event further facilitates message passing between the modules.
204. Pass the identification information of the monitoring process, and load the memory-mapped file and the time statistics result event according to the identification information.
The identification information of the monitoring process is a numerical value that the operating system kernel uses to uniquely identify the process. This identification information can be used as a parameter of many function calls, to adjust the priority of the process, control the behavior of the process, and so on.
To further obtain the function information and call information of the called function, the memory-mapped file and the time statistics result event are loaded according to the passed identification information of the monitoring process. The function information of the called function is obtained by opening the memory-mapped file, and the call time of the function is counted through the time statistics result event.
205. Add the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started.
It should be noted that the purpose of adding the start address of program execution to the preset analysis code here is to guarantee that execution jumps to the start address of program execution when the monitoring process is started, so that the called functions in the program can be monitored.
206. Start the function block of the function-hook-protected program in the dynamic link library to serve as the monitoring function block.
The dynamic link library stores the analysis function block for monitoring function call time. The function information of the called function can be obtained from the memory-mapped file, and the function block of the function-hook-protected program in the dynamic link library is then started to serve as the monitoring function block and monitor the called function.
It should be noted that, before the called function is monitored by the function block of the function-hook-protected program in the dynamic link library serving as the monitoring function block, the dynamic link library can be loaded in different ways depending on the function type of the called function. This may specifically include, but is not limited to, the following. First, the function type of the called function is obtained from the function information of the called function, for example the dll type or the exe type. When the function type of the called function is exe, a directly executable function, the module has certainly already been loaded, so the module handle is obtained with GetModuleHandle and the dynamic link library is loaded through the module handle. When the function type of the called function is dll, a function that is not directly executable, the module may or may not have been loaded, so the dynamic link library is loaded with the LoadLibrary loading module.
In the embodiment of the present invention, the dynamic link library is loaded while the program runs, and the address of the called function is obtained through the dynamic link library in order to make the function call. Not all code has to be loaded when the program starts running; a called function is taken from the dynamic link library only when the program needs to use it, which reduces the size of the program.
207, when monitoring the called starting of the calling function by the functional blocks of protective program according to the function hook Between and the end time, obtain it is described call function allocating time.
In this embodiment of the present invention, monitoring the start time and end time of a call through the function blocks of the protected program, using the hook function stored in the dynamic link library, may include but is not limited to the following implementation. When a called function is invoked, the start address of the called function is obtained through the hooked function block of the protected program; this start address is the relative virtual address of the called function stored in the memory-mapped file. The address value in a designated storage space is then read from the stack; the designated storage space is the space that temporarily holds the function return address during program execution. For a called function that has a return address, the start address of the called function can be found from the stack; for a called function that has no return address, it cannot. Next, the instruction immediately preceding the instruction that the address value points to is located, and the address that this preceding instruction points to is compared with the start address of the called function. If they are the same, the called function has a return address, and the address value in the designated storage space is the return address ret of the called function. The start time and end time of the call are then recorded, and the difference between the end time and the start time gives the call time of the called function. For example, if the current call starts at time A and ends at time B, the call time is B-A. The start time can be recorded only when the called function begins to execute, and the end time only when the call ends. The call time is saved into the memory-mapped file.
It should be noted that a called function with no return value may be a recursive function, and such a function may jump into other called functions when it is invoked. In that case the address value found in the designated storage space on the stack is not the return address of the called function, and the call time of the called function cannot be calculated accurately. For this reason, the embodiment of the present invention does not calculate the call time of called functions that have no return value.
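The return-address check and the B-A computation described above, sketched in C as an added example (not code from the patent). It assumes 32-bit x86 direct near calls (opcode E8 with a 32-bit relative displacement); the byte image, tick values and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed 32-byte code image (not from the patent). Offsets act as RVAs.
 *   0x02: E8 09 00 00 00   call 0x10  -> return address 0x07
 *   0x08: E9 03 00 00 00   jmp  0x10  -> next address 0x0D, nothing pushed
 *   0x10: C3               monitored function, start RVA 0x10
 *   0x14: E8 03 00 00 00   call 0x1C  -> return address 0x19, other callee
 *   0x1C: C3               unrelated function
 */
static const uint8_t IMAGE[32] = {
    0x90, 0x90, 0xE8, 0x09, 0x00, 0x00, 0x00, 0x90,
    0xE9, 0x03, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90,
    0xC3, 0x90, 0x90, 0x90, 0xE8, 0x03, 0x00, 0x00,
    0x00, 0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90
};

/* Returns 1 when the instruction immediately before stack_value is a direct
 * near CALL (E8 rel32) whose target equals func_rva, i.e. stack_value really
 * is the return address of a call to the monitored function.
 * Assumption: only the 5-byte E8 form is recognised; indirect calls (FF /2)
 * have variable length and are treated as "no return address" here. */
int ret_addr_matches_call(const uint8_t *img, size_t len,
                          uint32_t stack_value, uint32_t func_rva)
{
    if (stack_value < 5 || stack_value > len)
        return 0;                          /* no room for a preceding call */

    const uint8_t *insn = img + stack_value - 5;
    if (insn[0] != 0xE8)
        return 0;                          /* previous instruction is not a call */

    /* rel32 is little-endian and relative to the address after the call,
     * which is exactly the candidate return address. */
    uint32_t rel = (uint32_t)insn[1]
                 | ((uint32_t)insn[2] << 8)
                 | ((uint32_t)insn[3] << 16)
                 | ((uint32_t)insn[4] << 24);
    uint32_t target = stack_value + rel;   /* wraps like the CPU does */

    return target == func_rva;
}

/* Computes the call time B-A only when the stack value passes the check.
 * Returns 1 and stores the difference in *elapsed, or returns 0 and leaves
 * *elapsed untouched when the call is skipped (no valid return address). */
int call_time(const uint8_t *img, size_t len, uint32_t func_rva,
              uint32_t stack_value, uint64_t start, uint64_t end,
              uint64_t *elapsed)
{
    if (end < start)
        return 0;                          /* inconsistent timestamps */
    if (!ret_addr_matches_call(img, len, stack_value, func_rva))
        return 0;
    *elapsed = end - start;
    return 1;
}

int main(void)
{
    /* Constructed candidates read from the "designated storage space". */
    const uint32_t candidates[] = { 0x07, 0x0D, 0x19 };
    const uint32_t func_rva = 0x10;

    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        uint64_t elapsed = 0;
        /* Constructed tick values: A = 1000, B = 1750. */
        if (call_time(IMAGE, sizeof IMAGE, func_rva, candidates[i],
                      1000, 1750, &elapsed))
            printf("stack value 0x%02X: call time %llu ticks\n",
                   (unsigned)candidates[i], (unsigned long long)elapsed);
        else
            printf("stack value 0x%02X: skipped, not a return address\n",
                   (unsigned)candidates[i]);
    }
    return 0;
}
```

Only the first candidate is timed: the second is reached by a jump, so nothing on the stack is its return address, and the third is the return address of a call to a different function.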
It should be noted that the embodiment of the present invention may also create a buffer to store the call time of a function, and then save the call time into the buffer according to the time statistics result event. The embodiment of the present invention places no limit on where the call time of a function is stored.
During program execution, different functions have different call times. During function protection, if the call time of a function after protection is added differs greatly from the call time of the same function without protection, the program runs inefficiently and the protected executable also becomes too large. By monitoring function call time, the embodiment of the present invention reaches a balance between program size and efficiency while still taking security into account. When an application is examined, analysing the call time of a called function makes it possible to decide whether that function needs protection: if the call time increases too much compared with the time before protection was added, the function does not need protection. This helps software developers optimise the application afterwards, and the functions that do need protection are identified while the application is analysed, so that packing protection can be applied to them.
A concrete application scenario of the embodiment of the present invention may include, but is not limited to, the following implementation. Before the program executes, a memory-mapped file and a time statistics result event are first created; the memory-mapped file stores the function information of the called functions, and the time statistics result event is used to collect statistics on the call information of the called functions. A monitoring process is then created in a suspended state, dynamic memory of a preset capacity is allocated in the monitoring process, and the preset analysis code used to analyse called functions is loaded into the dynamic memory. The monitoring process is then started and its identification information is passed on; the memory-mapped file and the time statistics result event are loaded according to that identification information. When the program reaches a called function, execution jumps to the start address of program execution and the called functions are analysed during program execution. The dynamic link library that needs to be injected into the monitoring process is then loaded, and the called function is monitored through the protected function blocks hooked by the hook function in the dynamic link library. Suppose the currently executing program needs to call the v412_open function: the address of the v412_open function is obtained through the hooked function block, the address value in the designated storage space is read from the stack, and the instruction immediately preceding the instruction that the address value points to is located. The address that this preceding instruction points to is compared with the start address of the called function; if they are the same, the start time and end time of the call are monitored. If a return address exists, the function is not a recursive function, so the difference between the end time and the start time of the call to v412_open is calculated to obtain the call time of the v412_open function, and the call time of the v412_open function is finally saved into the memory-mapped file.
To further analyse whether a function needs protection and how protection affects the function, the embodiment of the present invention provides another method for monitoring function call time. The call time of a called function is monitored, and the call time is used to decide whether the function needs protection: packing protection is applied to functions that need protection, and protection is removed from functions that do not, which improves the running efficiency of the program.
Further, as a specific implementation of the method shown in Fig. 1, the embodiment of the present invention provides a device for monitoring function call time. This device embodiment corresponds to the preceding method embodiment. For ease of reading, the device embodiment does not repeat the details of the method embodiment one by one, but it should be understood that the device in this embodiment can implement everything in the method embodiment. As shown in Fig. 3, the device includes:
a first creating unit 31, which may be used to create a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
a load-in unit 32, which may be used to load the preset analysis code used to monitor function call time into the dynamic memory;
a start unit 33, which may be used to start the monitoring process and to load, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
a monitoring unit 34, which may be used to monitor, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function, and to obtain the call time of the called function.
In the device for monitoring function call time provided by the embodiment of the present invention, the preset analysis code used to monitor function call time is loaded into the monitoring process, so that when the program reaches a called function, the start time and end time of the call are monitored through the monitoring function blocks in the dynamic link library and the call time of the called function can be monitored in real time. Compared with prior-art methods for monitoring function call time, the embodiment of the present invention monitors the call time of called functions while the program is running, so the call time of functions during program execution can be obtained. The call time then shows the gap between a function's call time before and after protection, which gives a better understanding of whether the function needs protection and improves the user experience. In addition, the function modules of the program can be optimised in real time according to the call times of the functions, which improves the running efficiency of the executable and greatly saves technical staff time.
Further, as a specific implementation of the method shown in Fig. 2, the embodiment of the present invention provides another device for monitoring function call time. This device embodiment corresponds to the preceding method embodiment. For ease of reading, the device embodiment does not repeat the details of the method embodiment one by one, but it should be understood that the device in this embodiment can implement everything in the method embodiment. As shown in Fig. 4, the device includes:
a first creating unit 41, which may be used to create a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
a load-in unit 42, which may be used to load the preset analysis code used to monitor function call time into the dynamic memory;
a second creating unit 43, which may be used to create a memory-mapped file and a time statistics result event, the memory-mapped file storing the function information of the called functions;
a loading unit 44, which may be used to pass on the identification information of the monitoring process and to load the memory-mapped file and the time statistics result event according to the identification information;
an adding unit 45, used to add the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started;
a start unit 46, used to start the monitoring process and to load, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
a monitoring unit 47, used to monitor, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function, and to obtain the call time of the called function.
Further, the monitoring unit 47 includes:
a starting module 471, which may be used to start the hook function in the dynamic link library, hooking the function blocks of the protected program to serve as monitoring function blocks;
a monitoring module 472, which may be used to monitor, through the function blocks of the protected program hooked by the hook function, the start time and end time of the call to the called function, and to obtain the call time of the called function.
Further, the starting module 471 may also be used, before the hook function in the dynamic link library is started to hook the function blocks of the protected program as monitoring function blocks, to obtain the function type of the called function from the function information of the called function; when the function type of the called function is a directly executable function, the dynamic link library is loaded through the module handle; when the function type of the called function is a function that cannot be executed directly, the dynamic link library is loaded by loading the module.
Further, the monitoring module 472 may also be used, when a called function is invoked, to obtain the start address of the called function through the function block of the protected program hooked by the hook function; to read from the stack the address value in the designated storage space, the designated storage space being used to store the function return address; to locate the instruction immediately preceding the instruction that the address value points to and find the address that this preceding instruction points to; and to judge whether the address that the preceding instruction points to is the same as the start address of the called function and, if it is, to monitor the start time and end time of the call and obtain the call time of the called function.
The other device for monitoring function call time provided by the embodiment of the present invention monitors the call time of called functions and uses the call time to decide whether a function needs protection: packing protection is applied to functions that need protection, and protection is removed from functions that do not, which improves the running efficiency of the program.
The device for monitoring function call time includes a processor and a memory. The first creating unit 31, load-in unit 32, start unit 33, monitoring unit 34 and so on described above are stored in the memory as program units, and the processor executes these program units stored in the memory to realise the corresponding functions.
The processor contains a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided. Adjusting the kernel parameters saves manual effort and realises the monitoring of function call time, giving a better understanding of whether a function needs protection.
The memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
The present application also provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initialises the following method steps: creating a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity; loading the preset analysis code used to monitor function call time into the dynamic memory; starting the monitoring process and loading, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process; and monitoring, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function, and obtaining the call time of the called function.
Those skilled in the art should understand that embodiments of the present application may be provided as a method, a system or a computer program product. The present application may therefore take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM and optical storage) that contain computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of the method, device (system) and computer program product according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a particular way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means, the instruction means implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps is executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
In a typical configuration, a computing device includes one or more processors (CPU), an input/output interface, a network interface and memory.
The memory may include non-permanent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
The above are only embodiments of the present application and are not intended to limit it. Various modifications and changes to the present application are possible for those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.

Claims (6)

1. A method for monitoring function call time, characterized by comprising:
creating a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
loading the preset analysis code used to monitor function call time into the dynamic memory;
starting the monitoring process, and loading, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
monitoring, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function, and obtaining the call time of the called function;
wherein monitoring, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function comprises:
starting the hook function in the dynamic link library, hooking the function blocks of the protected program to serve as monitoring function blocks;
monitoring, through the function blocks of the protected program hooked by the hook function, the start time and end time of the call to the called function, and obtaining the call time of the called function;
wherein monitoring, through the function blocks of the protected program hooked by the hook function, the start time and end time of the call to the called function, and obtaining the call time of the called function comprises:
when a called function is invoked, obtaining the start address of the called function through the function block of the protected program hooked by the hook function;
reading from the stack the address value in the designated storage space, the designated storage space being used to store the function return address;
locating the instruction immediately preceding the instruction that the address value points to, and finding the address that this preceding instruction points to;
judging whether the address that the preceding instruction points to is the same as the start address of the called function and, if it is, monitoring the start time and end time of the call to the called function, and obtaining the call time of the called function.
2. The method according to claim 1, characterized in that, before starting the monitoring process, the method further comprises:
creating a memory-mapped file and a time statistics result event, the memory-mapped file storing the function information of the called functions;
passing on the identification information of the monitoring process, and loading the memory-mapped file and the time statistics result event according to the identification information;
adding the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started.
3. The method according to claim 1, characterized in that, before starting the hook function in the dynamic link library to hook the function blocks of the protected program as monitoring function blocks, the method further comprises:
obtaining the function type of the called function from the function information of the called function;
when the function type of the called function is a directly executable function, loading the dynamic link library through the module handle;
when the function type of the called function is a function that cannot be executed directly, loading the dynamic link library by loading the module.
4. A device for monitoring function call time, characterized by comprising:
a first creating unit, used to create a monitoring process in a suspended state, the monitoring process containing dynamic memory of a preset capacity;
a load-in unit, used to load the preset analysis code used to monitor function call time into the dynamic memory;
a start unit, used to start the monitoring process and to load, according to the preset analysis code, the dynamic link library that needs to be injected into the monitoring process;
a monitoring unit, used to monitor, through the monitoring function blocks in the dynamic link library, the start time and end time of the call to the called function, and to obtain the call time of the called function;
the monitoring unit comprising:
a starting module, used to start the hook function in the dynamic link library, hooking the function blocks of the protected program to serve as monitoring function blocks;
a monitoring module, used to monitor, through the function blocks of the protected program hooked by the hook function, the start time and end time of the call to the called function, and to obtain the call time of the called function;
the monitoring module being further used, when a called function is invoked, to obtain the start address of the called function through the function block of the protected program hooked by the hook function; to read from the stack the address value in the designated storage space, the designated storage space being used to store the function return address; to locate the instruction immediately preceding the instruction that the address value points to and find the address that this preceding instruction points to; and to judge whether the address that the preceding instruction points to is the same as the start address of the called function and, if it is, to monitor the start time and end time of the call to the called function and obtain the call time of the called function.
5. The device according to claim 4, characterized in that the device further comprises:
a second creating unit, used to create a memory-mapped file and a time statistics result event, the memory-mapped file storing the function information of the called functions;
a loading unit, used to pass on the identification information of the monitoring process and to load the memory-mapped file and the time statistics result event according to the identification information;
an adding unit, used to add the start address of program execution to the preset analysis code according to the memory-mapped file, so that execution jumps to the start address of program execution when the monitoring process is started.
6. The device according to claim 4, characterized in that
the starting module is further used, before the hook function in the dynamic link library is started to hook the function blocks of the protected program as monitoring function blocks, to obtain the function type of the called function from the function information of the called function; when the function type of the called function is a directly executable function, the dynamic link library is loaded through the module handle; when the function type of the called function is a function that cannot be executed directly, the dynamic link library is loaded by loading the module.
CN201710651465.7A 2017-08-02 2017-08-02 A kind of monitoring method and device of function call time Active CN107480029B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710651465.7A CN107480029B (en) 2017-08-02 2017-08-02 A kind of monitoring method and device of function call time

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710651465.7A CN107480029B (en) 2017-08-02 2017-08-02 A kind of monitoring method and device of function call time

Publications (2)

Publication Number Publication Date
CN107480029A CN107480029A (en) 2017-12-15
CN107480029B true CN107480029B (en) 2019-02-15

Family

ID=60597156

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710651465.7A Active CN107480029B (en) 2017-08-02 2017-08-02 A kind of monitoring method and device of function call time

Country Status (1)

Country Link
CN (1) CN107480029B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108345526B (en) * 2017-12-20 2021-06-11 北京金山安全管理系统技术有限公司 Hook processing method and device
CN108595319B (en) * 2018-03-30 2020-08-04 阿里巴巴集团控股有限公司 Function selection method and server
CN108664372A (en) * 2018-05-08 2018-10-16 平安科技(深圳)有限公司 Monitoring device, method and the computer readable storage medium of test process
CN109783161B (en) * 2018-12-11 2020-08-04 北京三快在线科技有限公司 Method and device for determining running information of application program in iOS system
CN112052078A (en) * 2019-06-06 2020-12-08 阿里巴巴集团控股有限公司 Time-consuming determination method and device
CN110781060A (en) * 2019-09-20 2020-02-11 平安普惠企业管理有限公司 Function monitoring method and device, computer equipment and storage medium
CN111708670B (en) * 2020-06-10 2023-05-09 中国第一汽车股份有限公司 Method and device for determining task time parameters in real-time operation system and vehicle
CN112328932A (en) * 2020-07-30 2021-02-05 神州融安科技(北京)有限公司 Operation execution method, electronic device and computer-readable storage medium
CN111884884B (en) * 2020-07-31 2022-05-31 北京明朝万达科技股份有限公司 Method, system and device for monitoring file transmission
US11422925B2 (en) * 2020-09-22 2022-08-23 Sap Se Vendor assisted customer individualized testing
CN112948214B (en) * 2021-03-02 2024-02-02 网宿科技股份有限公司 Software overload warning method and device
CN113238800B (en) * 2021-05-25 2022-06-28 上海安路信息科技股份有限公司 Stack frame structure and function calling method and system
CN113535457B (en) * 2021-09-14 2021-12-10 腾讯科技(深圳)有限公司 Detection method, device, equipment and computer readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103544095A (en) * 2012-07-12 2014-01-29 腾讯科技(深圳)有限公司 Server program monitoring method and system of server program
CN106649084A (en) * 2016-09-14 2017-05-10 腾讯科技(深圳)有限公司 Function call information obtaining method and apparatus, and test device

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7757215B1 (en) * 2006-04-11 2010-07-13 Oracle America, Inc. Dynamic fault injection during code-testing using a dynamic tracing framework
CN103425565B (en) * 2012-05-16 2016-01-06 腾讯科技(深圳)有限公司 The method and system of acquisition program operation information
CN103077332B (en) * 2012-12-28 2015-08-26 飞天诚信科技股份有限公司 A kind of method and apparatus running the cryptor containing self checking
CN105630668A (en) * 2014-12-01 2016-06-01 深圳市腾讯计算机系统有限公司 Test method and apparatus
CN104680042B (en) * 2015-03-10 2017-10-24 北京深思数盾科技股份有限公司 A kind of method and system of virtual machine performance analysis
CN105550585B (en) * 2016-03-02 2020-09-04 腾讯科技(深圳)有限公司 Application program security testing method, device and system
CN105843640B (en) * 2016-03-21 2017-11-14 武汉斗鱼网络科技有限公司 The method for implanting and device of a kind of dynamic link library
CN106354644B (en) * 2016-08-30 2018-12-14 北京深思数盾科技股份有限公司 Application program capacity test method, device and system
CN107102944B (en) * 2017-04-07 2020-01-24 北京深思数盾科技股份有限公司 Analysis method and device for calling function

Also Published As

Publication number Publication date
CN107480029A (en) 2017-12-15

Similar Documents

Publication Publication Date Title
CN107480029B (en) A kind of monitoring method and device of function call time
CN107102944A (en) The analysis method and device of a kind of call function
US9465721B2 (en) Snapshotting executing code with a modifiable snapshot definition
CN104182255B (en) A kind of the library file upgrade method and terminal of system application
CN108345542A (en) Abnormality eliminating method and device in a kind of application program
US10050797B2 (en) Inserting snapshot code into an application
KR101740604B1 (en) Generic unpacking of applications for malware detection
CN103914637B (en) A kind of executable program encryption method of Android platform
US9021444B2 (en) Combined performance tracer and snapshot debugging system
CN103001947B (en) A kind of program processing method and system
CN103413073B (en) A kind of method and apparatus protecting JAVA executable program
KR101228899B1 (en) Method and Apparatus for categorizing and analyzing Malicious Code Using Vector Calculation
CN107977552B (en) Android application reinforcing method and device
US20170010952A1 (en) Selecting application wrapper logic components for wrapping a mobile application based on wrapper performance feedback from user electronic devices
US8527944B2 (en) Method and apparatus for native method calls
CN105574411A (en) Dynamic unshelling method, device and equipment
CN109062582A (en) A kind of encryption method and device of application installation package
CN109598107A (en) A kind of code conversion method and device based on application installation package file
WO2019047442A1 (en) Method and system for bypassing function call chain detection in ios application
CN105678168A (en) Method and apparatus for detecting Shellcode based on stack frame abnormity
CN108133126B (en) Android application reinforcing method and device
WO2015026391A1 (en) Snapshotting executing code with a modifiable snapshot definition
CN104252594A (en) Virus detection method and device
CN106775843B (en) Dalvik byte code optimization method based on memory loading
US9262301B2 (en) Observability control with observability information file

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.
