CN107798240A - Method and device for monitoring operations performed on a mobile device from a PC - Google Patents

Method and device for monitoring operations performed on a mobile device from a PC

Publication number: CN107798240A
Application number: CN201610806113.XA
Authority: CN (China)
Legal status: Granted
Other versions: CN107798240B (en)
Other languages: Chinese (zh)
Inventors: 曾祥刚, 乔伟
Assignee (current and original): Wuhan Antian Information Technology Co Ltd
Prior art keywords: thread, message, file, reading, parameter

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The invention discloses a monitoring method for monitoring a PC operating a mobile device. It exploits the fact that a PC accessing a mobile terminal uses ADB commands to interact with the adbd process of the Android system: on the mobile device, the read operations on the USB device file in all threads of the adbd process are monitored to obtain the parameter contents of those operations; the parameter contents are then combined into messages and the messages into ADB commands, so that the commands the PC sends when it accesses the mobile terminal are obtained, achieving the purpose of monitoring. The method is not affected by the PC-side environment, is convenient to use, and gives good monitoring results. The invention also discloses a monitoring device for monitoring a PC operating a mobile device.

Description

Method and device for monitoring operations performed on a mobile device from a PC
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring operations performed on a mobile device from a PC.
Background
At present, users often connect a PC to a mobile terminal so that the PC can control the mobile terminal, for example to install or uninstall applications or to root the system. If the PC is infected with malicious code, then when that malicious code detects that a mobile terminal has been connected to the PC it can automatically connect to the mobile terminal, such as a mobile phone, and carry out malicious operations: obtaining root privileges, uninstalling applications on the mobile terminal, silently installing malicious applications, obtaining the terminal's files and information, and so on. Moreover, a PC generally accesses the mobile terminal over USB (Universal Serial Bus), and for mobile terminals running the Android system this access is in essence the execution of the corresponding commands of the ADB (Android Debug Bridge) command-line tool. The ADB command-line tool consists of three parts, briefly introduced below:
(1) The ADB client, a command-line tool running on the PC; operations such as installing applications and obtaining files are provided by this tool.
(2) The ADB server, a service process running on the PC that manages the direct connection and the data exchange between the PC and the phone. An operation initiated by the ADB client is first sent to the ADB server, which then forwards it to the phone.
(3) The ADB phone-side process, named adbd in the Android system, which receives and executes the instructions sent by the ADB server. This process interacts with the ADB server by reading and writing a USB device file in the Android system; adbd opens two threads to operate on the USB device file, one for reading and one for writing.
The adbd process uses a specific message format when interacting with the ADB server, and this format is documented in the Android source code. An ADB command may consist of a series of messages, and each message in turn contains two parts, a message header and message data. The messages of one series are identified by the same ID number (the ID number is carried in the message header), and a series generally begins with OPEN and ends with CLOSE. The message header format is shown in Fig. 1; each field is 4 bytes in size. Command is the identifier of the command. Arg0 and Arg1 are the parameters of the message command, and Arg0 is the ID number just mentioned; the header of each OPEN command carries a new Arg0 value. Data_length is the length of the message data that follows the message header.
Commonly used ADB command operations include:
(1) Installing software: adb.exe install [options] abc.apk
(2) Uninstalling software: adb.exe uninstall packageName
(3) File transfer, comprising the adb.exe push and adb.exe pull commands: push transfers a local file to a specified path on the phone, and pull copies a file from the phone to the local machine.
(4) Command execution: adb.exe shell cmd [options]. The Android system is based on Linux, and adb can execute certain Linux commands through the shell parameter, for example deleting a file with adb shell rm filepath, uninstalling software with adb shell pm uninstall packageName, and obtaining system properties with adb shell getprop.
Although the existing antivirus and security-protection software on mobile terminals can scan and analyse applications, it cannot analyse the operations performed by ADB commands, so if a mobile terminal is connected to a PC infected with malicious code, malicious applications may be installed on the terminal and information may be leaked. The present scheme can monitor the operation of ADB commands on the mobile terminal and, when a malicious installation or other malicious operation is found, block it and raise an alarm, ensuring the security of the terminal.
Summary of the invention
The object of the present invention is to provide a monitoring method and device for monitoring a PC operating a mobile device, which help a user monitor, directly on the mobile terminal, the operations a PC performs on that terminal. The monitoring is not affected by the PC-side environment, is convenient to use, and gives good monitoring results.
To achieve this object, the invention discloses a monitoring method for monitoring a PC operating a mobile device, comprising the following steps:
obtaining, on the mobile terminal, the adbd process and the thread IDs of all threads in the adbd process;
monitoring each thread according to the obtained thread IDs, finding the thread that reads the USB device file, and obtaining the thread ID of the current reading thread;
monitoring the read-file operations in the reading thread according to its thread ID and obtaining the parameter contents of each read-file operation, where the parameter contents comprise a message header or message data;
when the parameter contents of the first monitored read-file operation are message data, saving all obtained parameter contents;
combining all saved parameter contents into corresponding messages, where one message header and its corresponding message data combine into one message;
combining the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is carried in the message header;
judging according to preset rules whether the obtained ADB command would produce malicious behaviour.
Further, each thread is monitored for a preset period of time to find the operation that reads the USB device file; if it is not found within that period, the next thread is monitored immediately.
Further, after all thread IDs have been found, each thread is monitored in turn; if the current thread performs a read-file operation whose first parameter points to the USB device file, the thread ID of the current thread is obtained.
Further, when the terminal is not connected via USB, or the search for the thread that reads the USB device file fails, all thread IDs can be obtained again and searched again for the thread that reads the USB device file.
Further, if the ADB command is judged to produce malicious behaviour, the current ADB command is modified to prevent the malicious behaviour from occurring.
Further, if the ADB command is judged to produce malicious behaviour, a user alarm is raised.
To achieve the same object, the invention also discloses a monitoring device for monitoring a PC operating a mobile device, located in the mobile terminal and comprising a daemon module, a monitoring module and a detection module, where:
when the PC accesses the mobile terminal, the daemon module obtains the adbd process and the thread IDs of all threads in the adbd process, monitors each thread according to the obtained thread IDs, finds the thread that reads the USB device file, obtains the thread ID of the current reading thread and sends it to the monitoring module;
the monitoring module monitors the read-file operations in the reading thread according to that thread ID and obtains the parameter contents of each read-file operation, which comprise a message header or message data; when the parameter contents of the first monitored read-file operation are judged to be message data, all obtained parameter contents are saved;
the detection module combines all saved parameter contents into corresponding messages, where one message header and its corresponding message data combine into one message, and combines the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is carried in the message header; the detection module also stores preset malicious-command patterns, compares the obtained ADB command with these patterns, and judges whether malicious behaviour would result.
Further, the monitoring module monitors each thread for a preset period of time to find the operation that reads the USB device file; if it is not found within that period, the next thread is monitored immediately.
Further, when the terminal is not connected via USB, or the search for the thread that reads the USB device file fails, the daemon module obtains all thread IDs again and searches again for the thread that reads the USB device file.
Further, after all thread IDs have been found, the monitoring module monitors each thread in turn; if the current thread performs a read-file operation whose first parameter points to the USB device file, the thread ID of the current thread is obtained. If no thread reading the USB device file is found, all thread IDs are obtained again and the threads are scanned again.
Further, if the ADB command is judged to produce malicious behaviour, the detection module modifies the current ADB command to prevent the malicious behaviour.
Further, if the ADB command is judged to produce malicious behaviour, the detection module raises a user alarm.
Compared with the prior art, the invention has the following advantages. It exploits the fact that a PC accessing a mobile terminal uses ADB commands to interact with the adbd process of the Android system, and monitors on the mobile device the read operations on the USB device file in all threads of the adbd process to obtain the parameter contents of those operations; it then combines the parameter contents into messages and the messages into ADB commands, thereby obtaining the commands the PC sends when it accesses the mobile terminal and achieving the purpose of monitoring. The monitoring is not affected by the PC-side environment, is convenient to use, and gives good monitoring results.
Brief description of the drawings
Fig. 1 is a schematic diagram of the ADB message header format.
Fig. 2 is a flow chart of a monitoring method of the present invention for monitoring a PC operating a mobile device.
Fig. 3 is a structural diagram of a monitoring device of the present invention for monitoring a PC operating a mobile device.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings.
Although the steps of the present invention are labelled, the labels are not intended to limit the order of the steps; unless an order is explicitly specified, or the execution of one step requires another step, the relative order of the steps is adjustable.
The present invention exploits the fact that a PC accessing a mobile terminal interacts with the adbd process of the Android system using ADB commands. In some embodiments, as shown in Fig. 2, a monitoring method for monitoring a PC operating a mobile device comprises the following steps:
S01: on the mobile terminal, obtain the adbd process and the thread IDs of all threads in the adbd process.
The ps command provided by the system can be used directly to obtain all thread IDs of the adbd process, or the /proc file system can be consulted. In Linux, each process has a corresponding directory /proc/[pid] under /proc; the cmdline file in that directory holds the command name, and the task subdirectory records all thread IDs of the process (referred to below as PID numbers).
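Step S01 describes locating adbd and its threads through the /proc file system. The Python script below is an added worked example, not code from the patent or from any Antian product: it scans /proc/[pid]/cmdline for a process whose argv[0] names adbd and lists the entries under /proc/[pid]/task. The proc_root parameter, the build_fake_proc fixture and the PIDs, paths and thread IDs used in demo_scan are constructed so the scan can be demonstrated offline; on a device the function would be pointed at /proc itself and would need the privileges to read other processes' entries.

```python
import os
import tempfile
from pathlib import Path


def find_threads(name: str, proc_root: str = "/proc") -> dict:
    """S01 via /proc: for every /proc/[pid] whose cmdline names `name`, list the thread
    IDs under /proc/[pid]/task. Returns {pid: [tid, ...]}. proc_root is a parameter only
    so that the scan can be run against a constructed tree."""
    found = {}
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue                      # not a process directory (self, sys, net, ...)
        try:
            cmdline = (entry / "cmdline").read_bytes()
        except OSError:
            continue                      # process exited between listing and read
        # cmdline is NUL-separated argv; compare the basename because the installed
        # path of adbd differs between Android versions
        argv0 = cmdline.split(b"\0", 1)[0].decode(errors="replace")
        if os.path.basename(argv0) != name:
            continue
        task_dir = entry / "task"
        tids = [int(t.name) for t in task_dir.iterdir() if t.name.isdigit()] if task_dir.is_dir() else []
        found[int(entry.name)] = sorted(tids)
    return found


def build_fake_proc(base: str, procs: dict) -> None:
    """Constructed fixture: write /proc-shaped cmdline files and task/ entries under base."""
    for pid, (argv, tids) in procs.items():
        proc_dir = Path(base) / str(pid)
        (proc_dir / "task").mkdir(parents=True)
        (proc_dir / "cmdline").write_bytes(b"\0".join(argv) + b"\0")
        for tid in tids:
            (proc_dir / "task" / str(tid)).mkdir()


def demo_scan() -> dict:
    """Scan a constructed tree: adbd with three threads (main thread plus the USB reader
    and writer the description mentions), a similarly named process that must not
    match, and an unrelated shell."""
    with tempfile.TemporaryDirectory() as base:
        build_fake_proc(base, {
            1234: ([b"/sbin/adbd"], [1234, 1240, 1241]),
            1300: ([b"/system/bin/adbd_helper"], [1300]),   # hypothetical, must not match
            1301: ([b"/system/bin/sh"], [1301]),
        })
        return find_threads("adbd", base)


if __name__ == "__main__":
    print(demo_scan())   # {1234: [1234, 1240, 1241]}
```

The thread list obtained here is the input to S02: each TID is what the ptrace-based search for the USB-reading thread attaches to, and because adbd may restart (see the note under S02) the scan has to be repeated whenever that search fails.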
S02: monitor each thread according to the obtained thread IDs, find the thread that reads the USB device file, and obtain the thread ID of the current reading thread.
After all thread IDs have been found, it is necessary to determine which of the threads reads the USB device file. Using the ptrace system call (whose function is to allow one process to trace and control another process), each thread is monitored in turn; ptrace's PTRACE_SYSCALL can be used to monitor a thread's system calls. If the current thread performs a read-file operation whose first parameter points to the USB device file, the PID number of the current thread is obtained. Alternatively, the strace tool can be used directly to check whether the system calls made by each thread include an operation that reads the USB device file.
The path of the USB device file may differ between versions of the Android system and must be looked up in the source code; for example, the default USB device file in Android 4.4 is /dev/android_adb.
Preferably, the judgement for each thread may last a short period of time: each thread is monitored for a preset period to find the corresponding read-file operation, and if it is not found within that period the current thread is deemed not to be the thread to monitor and the next thread is monitored immediately.
It should be understood that because the adbd process may restart, the restart of the adbd process must also be monitored, and after every restart the PID numbers of its threads must be obtained again. When the terminal is not connected via USB, or the search for the thread that reads the USB device file fails, all thread IDs can be obtained again and searched again for the thread that reads the USB device file.
S03: monitor the read-file operations in the reading thread according to its thread ID and obtain the parameter contents of each read-file operation, which comprise a message header or message data.
After the PID number of the current reading thread has been obtained, ptrace methods can be used to obtain the parameters of the read-file system call. The read system call has only three parameters, which are passed in registers, so the register values, and with them the parameters, can be obtained with ptrace's PTRACE_GETREGS. The parameter that holds the data is a memory address: when the read-file operation completes, the data read is stored in the memory that this address points to, and ptrace's PTRACE_PEEKTEXT can be used to copy the data out of that address.
S04: when the parameter contents of the first monitored read-file operation are message data, save all obtained parameter contents.
Each message generally contains two parts, a message header and message data, so what a single monitored read-file operation obtains may be either a message header or message data. It is first determined whether the parameter contents copied out are a message header: according to the message format described in ADB, the message content carries a magic field, and checking this field determines whether the contents are a message header. If they are a message header, what the next read-file operation obtains is the message data, whose length is stored in the message header. If what is obtained at the start is not a message header, the current message data is discarded; what the next read-file operation obtains is then necessarily a message header.
S05: combine all saved parameter contents into corresponding messages.
It should be understood that the message header and message data of one message correspond to the parameters of two consecutive read-file operations, so merging the parameter contents of two read-file operations yields one message.
S06: combine the obtained messages into corresponding ADB commands, where one ADB command comprises at least one message, the messages belonging to the same command share the same ID number, and the ID number is carried in the message header.
Those of ordinary skill in the art will appreciate that a command executed by an ADB client is converted into multiple messages that are sent to the adbd process. For example, a file push operation appears in the messages obtained from the read-file operations as (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) --> (CLOSE), where a tuple of two elements denotes one message, the first element being the command of the message header and the second the message data; for example, (OPEN, sync) denotes the start of a sync operation and (WRTE, SEND) denotes that data transfer is about to take place. This series of messages can therefore be identified as one push file operation, and filepath tells where the file is stored. The commands of other ADB clients are similar. The series of messages corresponding to each ADB client command shares the same ID number, so the messages that share an ID number can be combined into the corresponding ADB command.
S07: judge according to preset rules whether the obtained ADB command would produce malicious behaviour.
Preset malicious-command patterns are stored in the mobile terminal, and the assembled ADB command is compared with them; if the assembled ADB command matches a preset malicious-command pattern, the obtained ADB command is judged to have malicious behaviour.
The present invention exploits the fact that a PC accessing a mobile terminal interacts with the adbd process of the Android system using ADB commands: it monitors on the mobile device the read-file operations in all threads of the adbd process to obtain their parameter contents, then combines the parameter contents into messages and the messages into ADB commands, thereby obtaining the commands sent when the PC accesses the mobile terminal and achieving the purpose of monitoring. The monitoring is not affected by the PC-side environment, is convenient to use, and gives good monitoring results.
Preferably, if the ADB command is judged to produce malicious behaviour, such as copying files, installing or uninstalling applications, or opening ports, the present invention also handles the ADB command accordingly to avoid loss to the user.
Several common malicious-command patterns, and the preferred handling of each, are described below:
(1) Sample installation command. On the ADB server side this command is decomposed into two steps: first a file transfer (adb push filename.apk /data/local/tmp/filename.apk), followed by execution of the install command (adb shell pm install /data/local/tmp/filename.apk). The maliciousness of a sample installation command can be judged by scanning the file path specified during the transfer or during the install.
If a sample installation command is identified, the command content can be modified directly, for example by replacing the package name in the command with an empty string so that the installation fails.
(2) File transfer commands, comprising the command that transfers into the mobile terminal (adb push) and the command that transfers out of it (adb pull). A push operation can be judged by scanning the transferred file, whereas a pull operation requires judging whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is sensitive, the command can be invalidated, for example by setting the file path to an empty string.
(3) Shell command execution, i.e. operations executed via adb shell. For example, adb shell getprop obtains system properties, adb shell am commands can send broadcasts, and adb shell pm commands can uninstall applications. Maliciousness must be judged according to the specific command: for example, whether an uninstall targets a critical application can be judged from the package name specified in the pm command, and if the command deletes a file, it can be judged whether the file path is a system file path. A malicious command can be handled by modifying the command content.
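Steps S03 to S07 and the three malicious-command classes above describe, in prose, the pipeline from captured read() buffers to a verdict. The Python below is an added worked example, not the patent's own code: it assumes the ptrace step has already produced the ordered list of read() buffers (here a constructed capture built by the encode helper), classifies each buffer as header or data through the magic field (S04), pairs headers with their data (S05), groups messages by the ID in Arg0 (S06), recognises the push sequence listed under S06 and an adb shell service, and applies constructed rules modelled on classes (1) and (3) (S07). The header field order and the magic check follow the public ADB protocol description; splitting the path from the content at a NUL, the service-name prefixes, and the rule values com.example.bank and the system path prefixes are assumptions made for this example.

```python
import struct
from collections import defaultdict

# ADB message header (Fig. 1): six consecutive 4-byte little-endian fields. The order
# command, arg0, arg1, data_length, data_check, magic and the check magic == command ^
# 0xFFFFFFFF come from the public ADB protocol description.
HEADER_FMT = "<6I"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes
# Command identifiers are the four ASCII letters read as a little-endian integer.
A_OPEN, A_WRTE, A_CLSE = (struct.unpack("<I", t)[0] for t in (b"OPEN", b"WRTE", b"CLSE"))

def is_header(buf: bytes) -> bool:
    """S04: a read() buffer is a header when it is 24 bytes and magic complements command."""
    if len(buf) != HEADER_LEN:
        return False
    command, _a0, _a1, _len, _check, magic = struct.unpack(HEADER_FMT, buf)
    return magic == (command ^ 0xFFFFFFFF)

def encode(command: int, stream_id: int, data: bytes = b"") -> list:
    """Constructed helper: the header read, then the data read, that adbd would obtain."""
    header = struct.pack(HEADER_FMT, command, stream_id, 0, len(data),
                         sum(data) & 0xFFFFFFFF, command ^ 0xFFFFFFFF)
    return [header, data] if data else [header]  # no data read when data_length is 0

def reassemble(reads):
    """S04/S05: pair each header with the data read that follows it. Reads seen before
    the first header are dropped; a zero-length message has no data read at all."""
    messages, pending = [], None
    for buf in reads:
        if pending is None:
            if not is_header(buf):
                continue  # started mid-message: discard until a header arrives
            command, arg0, arg1, length, _check, _magic = struct.unpack(HEADER_FMT, buf)
            if length == 0:
                messages.append((command, arg0, arg1, b""))
            else:
                pending = (command, arg0, arg1, length)
        else:
            command, arg0, arg1, length = pending
            pending = None
            if len(buf) == length:  # otherwise framing is lost: resync on the next header
                messages.append((command, arg0, arg1, buf))
    return messages

def group_by_stream(messages):
    """S06: messages of one ADB command share the ID in arg0 of the header (OPEN to CLSE)."""
    streams = defaultdict(list)
    for command, arg0, _arg1, data in messages:
        streams[arg0].append((command, data))
    return dict(streams)

def classify(stream):
    """("push", path), ("shell", cmdline) or None. A push follows the sequence listed
    under S06: OPEN "sync:" then WRTE STAT, path, SEND, path + content, QUIT. Splitting
    path from content at the first NUL is a constructed simplification of sync framing."""
    if not stream or stream[0][0] != A_OPEN:
        return None
    service = stream[0][1].rstrip(b"\0")
    if service.startswith(b"shell:"):
        return ("shell", service[len(b"shell:"):].decode())
    writes = [data for command, data in stream if command == A_WRTE]
    if service == b"sync:" and b"SEND" in writes and writes.index(b"SEND") + 1 < len(writes):
        return ("push", writes[writes.index(b"SEND") + 1].split(b"\0", 1)[0].decode())
    return None

# S07 rules: constructed stand-ins for the stored "preset malicious-command patterns".
CRITICAL_PACKAGES = {"com.example.bank"}  # hypothetical protected application
SYSTEM_PATH_PREFIXES = ("/system/", "/vendor/")

def is_malicious(kind: str, value: str) -> bool:
    if kind == "push":  # APK staged into /data/local/tmp: first half of a sample install
        return value.startswith("/data/local/tmp/") and value.endswith(".apk")
    argv = value.split()
    if argv[:2] == ["pm", "uninstall"]:  # uninstall aimed at a critical application
        return bool(argv[2:]) and argv[-1] in CRITICAL_PACKAGES
    if argv[:1] == ["rm"]:  # deletion under a system path
        return any(a.startswith(SYSTEM_PATH_PREFIXES) for a in argv[1:])
    return False

def analyse(reads):
    """Whole pipeline: {stream_id: (kind, value, flagged)} for every recognised stream."""
    verdicts = {}
    for stream_id, stream in group_by_stream(reassemble(reads)).items():
        found = classify(stream)
        if found is not None:
            verdicts[stream_id] = (found[0], found[1], is_malicious(*found))
    return verdicts

# Constructed capture: a stray partial read, a push of sample.apk on stream 7, a harmless
# getprop on stream 8 and an uninstall of the protected package on stream 9.
SAMPLE_READS = [b"\x00" * 8] + encode(A_OPEN, 7, b"sync:\0")
for payload in (b"STAT", b"/data/local/tmp/sample.apk", b"SEND",
                b"/data/local/tmp/sample.apk\0PK\x03\x04...", b"QUIT"):
    SAMPLE_READS += encode(A_WRTE, 7, payload)
SAMPLE_READS += encode(A_CLSE, 7)
SAMPLE_READS += encode(A_OPEN, 8, b"shell:getprop\0") + encode(A_CLSE, 8)
SAMPLE_READS += encode(A_OPEN, 9, b"shell:pm uninstall com.example.bank\0") + encode(A_CLSE, 9)

if __name__ == "__main__":
    for stream_id, verdict in analyse(SAMPLE_READS).items():
        print(stream_id, *verdict)
```

Two details matter in practice. The header/data state is tracked per stream of reads rather than by inspecting each buffer in isolation, so a payload that happens to be 24 bytes with a plausible magic cannot be mistaken for a header, and a message with Data_length 0 (CLSE, OKAY) is not left waiting for a data read that never comes. The rule table is deliberately a plain function over the reconstructed command: the page's "preset malicious-command patterns" map directly onto such predicates, and extending them does not touch the protocol-handling code.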
The handling of the three classes of malicious commands above mentions modifying the command content; the specific modification is as follows. The command content is stored in the message data, in the memory pointed to by the parameter of the read-file operation. Since the parameters of the read-file operation have been saved, the memory holding the command can be modified with ptrace's PTRACE_POKETEXT, or ptrace's PTRACE_SETREGS can be used to set the parameter of the read-file operation to a null pointer, invalidating the parameter value.
Preferably, if the ADB command is judged to produce malicious behaviour, a user alarm is raised.
Specifically, the user alarm can be raised directly, or the content of the ADB command can be passed by inter-process communication to a commonly used social or game application, which can then alert the user with a pop-up.
As shown in figure 3, the invention also discloses a kind of supervising device for being used to monitor PC ends operation mobile device, for moving In dynamic terminal, the supervising device includes guarding module 10, monitoring module 20, detection module 30, wherein:
When PC ends access mobile terminal, it is described guard module 10 be used to obtaining in adbd processes and the adbd processes institute it is wired The thread number of journey;Each thread is monitored respectively according to all thread numbers of acquisition, finds out the thread for wherein reading USB device file And obtain the current thread number for reading thread and be sent to the monitoring module 20.
The ps orders that system offer can be used directly obtain whole thread numbers of adbd processes, also can be by checking/proc File system.Each process has a corresponding catalogue/proc/ [process number] under/proc in Linux, under the catalogue Cmdline files save command name, and No. PID of whole threads of process is have recorded under task subdirectories.
After finding out whole No. PID, called using ptrace systems(It is that one process of permission is another to track and control that it, which is acted on, An outer process), each thread is monitored one by one, can be come monitoring thread using ptrace PTRACE_SYSCALL System calls.If the reading file operation of current thread calling system, and what first parameter pointed to is USB device file, then Obtain No. PID of current thread.Can also be directly viewable using strace instruments during the system that each thread is carried out is called whether There is the operation for reading USB device file.
Preferably, the judgement to each thread can continue a bit of time, and each thread is entered according to the default time Row monitoring, corresponding reading file operation is found, if not found within the period, then it represents that current thread is not required to monitor Thread, monitor next thread immediately.
It should be understood that due to the possibility of restarting of adbd processes be present, therefore be also required to monitor opening again for adbd processes Move, be required for obtaining No. PID of its respective thread after restarting again every time.Read when terminal does not connect USB or searched After the thread failure of USB device file, whole thread numbers can be obtained again, and search whether to read the line of USB device file Journey.
The monitoring module 20 is used to read the reading file operation in thread according to the current thread number monitoring for reading thread, obtains The content of parameter of file operation is read, and judge to monitor first reads the content of parameter of file operation as message header or message count According to then preserving all content of parameter of acquisition if message data, the content of parameter includes message header or message data.
After obtaining current read thread No. PID, method can be used in ptrace to obtain parameter when system is called, read text The system call method of part operation only has 3 parameters, is by register transmission during transmission, therefore uses ptrace's PTRACE_GETREGS obtains register value and can obtain parameter.For preserving the parameter of data storage location for an internal memory Location, ptrace PTRACE_PEEKTEXT methods can be used to come out the data copy in address.
Per a piece of news, message header and message data two parts are generally comprised, therefore once file operation acquisition is read in monitoring To be probably that message header is also likely to be message data.Whether the content of parameter for first determining whether to copy out is message content, is pressed Described according to the message format in ADB, there are magic fields in message content, determine whether message header by checking the field. If message header, then what next reading file operation was got is exactly message data, and the length of message data is stored in message header In.If start to get is not message header, current message data is abandoned, reading file operation next time is got just inevitable It is message header.
The detection module 30 is used to all content of parameter of preservation being combined into corresponding message, wherein, a message Head can be combined to a piece of news with a corresponding message data;Obtained message is combined into corresponding ADB orders, wherein, One ADB orders include at least one message, and the message for belonging to same order possesses identical ID number, and the ID number is positioned at described In message header;The detection module 30 is additionally operable to preserve default malicious commands sentence, and ADB orders and this of acquisition is default Malicious commands sentence is compared, and judges whether that malicious act can be produced.
One of ordinary skill in the art will appreciate that, the message header and message data of a piece of news with reading text twice in succession The parameter of part operation is corresponding, therefore the content for the parameter for reading file operation twice is merged and can obtain a piece of news.One The order of ADB client executings is converted into multiple messages and is sent to adbd processes.Such as the push operations of file, reading Contained in the thread of USB device file (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) -->(CLOSE), this In with the tuple including 2 element contents represent a message, Part I is the order of message header, and Part II is message Data, such as (OPEN, sync) represent that to proceed by sync operates,(WRTE, SEND)Expression can carry out data transmission;Therefore It is may determine that by this series of message as a push file operation, by filepath it is known that file storage Place.The order of other ADB clients is also similar.A series of message corresponding to every ADB Client command possess together One ID number, therefore the message for possessing identical ID number can be combined into corresponding ADB orders.
Default malicious commands sentence is preserved in mobile terminal, by the ADB orders being combined into and default malicious commands Sentence is compared, and the ADB orders for judging to obtain if the ADB orders being combined into are default malicious commands sentence have malice row For.
Entered when accessing mobile terminal present invention utilizes PC ends using ADB orders and the adbd processes in android system The characteristics of row interaction, the reading file operation in USB device file thread is read during mobile device end monitors adbd processes, to obtain The content of parameter for reading file operation is taken, content of parameter is then combined into message, message is combined into ADB orders, to obtain PC End accesses the order sent during mobile terminal, so as to reach the purpose of monitoring.The monitoring is not influenceed by PC end ring border, user Just, monitoring effect is good.
Preferably, the detection module 30 is further configured to process the ADB command accordingly when it is judged to have malicious behaviour, so as to avoid loss to the user.
Several common malicious command statements, and the preferred handling for each, are described below:
(1) Sample installation command. On the ADB service side, this command is decomposed into the following two steps: first a file transfer (adb push filename.apk /data/local/tmp/filename.apk), then execution of the installation command (adb shell pm install /data/local/tmp/filename.apk). The maliciousness of a sample installation command can be judged by scanning the file at transfer time, or by checking the file path specified when the installation is executed.
If a sample installation command is detected, the command content can be modified directly, for example by replacing the package name in the command with an empty string, so that the installation fails.
(2) File transfer commands, including the command that transfers a file into the mobile terminal (adb push) and the command that transfers a file out of the mobile terminal (adb pull). A push operation can be judged by scanning the transferred file; for a pull operation it must be judged whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is sensitive, the command can be invalidated by, for example, setting the file path to an empty string.
(3) Execution of shell commands, i.e. operations performed by way of adb shell. For example, adb shell getprop obtains system properties, adb shell am commands can send broadcasts, and adb shell pm commands can uninstall applications. Maliciousness must be judged according to the specific command: whether an uninstall targets a critical application can be judged from the package name specified in the pm command, and if the command deletes a file it can be judged whether the file path is a system file path. Malicious commands can be handled by modifying the command content.
The handling of the three classes of malicious commands above mentions modifying the command content; the specific way of modifying it is as follows. The content of the command is stored in the memory pointed to by the parameter of the read-file operation. Because the parameter of the read-file operation has been saved, the content of the memory holding the command can be modified with ptrace PTRACE_POKETEXT; alternatively, ptrace PTRACE_SETREGS can be used to set the parameter of the read-file operation to a null pointer, which makes the parameter value invalid.
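The two steps described above, reassembling header/data read pairs into messages and grouping them by stream ID into ADB commands, and then checking the recovered commands against the three classes of rules (sample installation, file transfer, shell command), are shown together in the following added example. It is illustrative code written for this page, not code from the patent or from the Android project, and it does not show the ptrace-based modification step. It assumes the standard ADB wire format (a 24-byte little-endian header of command, arg0, arg1, data_length, data_check and magic, followed by the payload) and stands in for the monitored read() buffers with a constructed byte sequence; the sensitive-file and critical-package lists are likewise constructed placeholders.

```python
import struct
from collections import defaultdict

# 24-byte ADB message header: command, arg0, arg1, data_length, data_check, magic (LE uint32 each)
HDR = struct.Struct("<6I")
MASK = 0xFFFFFFFF

def cmd(tag: bytes) -> int:
    """An ADB command word is its 4 ASCII bytes read as a little-endian uint32."""
    return struct.unpack("<I", tag)[0]

A_OPEN, A_WRTE, A_CLSE = cmd(b"OPEN"), cmd(b"WRTE"), cmd(b"CLSE")

def make_message(command, arg0, arg1, data=b""):
    """The read() buffers one message occupies on the wire: the header, then the payload (if any)."""
    hdr = HDR.pack(command, arg0, arg1, len(data), sum(data) & MASK, command ^ MASK)
    return [hdr, data] if data else [hdr]

def is_header(buf):
    """A buffer is a header only if it is 24 bytes and magic == command XOR 0xffffffff."""
    if len(buf) != HDR.size:
        return False
    command, *_mid, magic = HDR.unpack(buf)
    return magic == command ^ MASK

def reassemble(buffers):
    """Pair each header read with the payload read that follows it; a stray leading payload is skipped."""
    messages, pending = [], None
    for buf in buffers:
        if pending is None:
            if not is_header(buf):
                continue                # monitoring started mid-message: wait for the next header
            command, arg0, arg1, length, check, _magic = HDR.unpack(buf)
            if length == 0:
                messages.append((command, arg0, arg1, b""))
            else:
                pending = (command, arg0, arg1, length, check)
        else:
            command, arg0, arg1, length, check = pending
            pending = None
            if len(buf) == length and sum(buf) & MASK == check:
                messages.append((command, arg0, arg1, buf))
            # a payload that does not match its header is dropped with it; resync on the next header
    return messages

def reconstruct(messages):
    """Group messages by the host-side stream ID (arg0) and turn each stream into one command."""
    streams = defaultdict(list)
    for command, arg0, _arg1, data in messages:
        if command in (A_OPEN, A_WRTE, A_CLSE):
            streams[arg0].append((command, data))
    commands = []
    for _sid, msgs in sorted(streams.items()):
        opens = [d for c, d in msgs if c == A_OPEN]
        if not opens:
            continue
        dest = opens[0].rstrip(b"\0").decode()
        if dest.startswith("shell:"):
            commands.append(("shell", dest[len("shell:"):]))
        elif dest == "sync:":
            # sync payloads: 4-byte id, 4-byte little-endian length, then that many bytes
            for c, d in msgs:
                if c == A_WRTE and len(d) >= 8 and d[:4] in (b"SEND", b"RECV"):
                    n = struct.unpack("<I", d[4:8])[0]
                    path = d[8:8 + n].decode().split(",")[0]   # SEND carries "path,mode"
                    commands.append(("push" if d[:4] == b"SEND" else "pull", path))
    return commands

# Constructed rule data (placeholders, not from the patent).
SENSITIVE_FILES = {"/data/data/com.android.providers.contacts/databases/contacts2.db"}
CRITICAL_PACKAGES = {"com.android.settings", "com.android.phone"}

def classify(command):
    """Return a verdict string for a flagged command, or None if it is allowed."""
    kind, arg = command
    words = arg.split()
    if kind == "push" and arg.endswith(".apk"):
        return "sample installation: apk pushed"
    if kind == "pull" and arg in SENSITIVE_FILES:
        return "sensitive file read"
    if kind == "shell" and words[:2] == ["pm", "install"]:
        return "sample installation: pm install"
    if kind == "shell" and words[:2] == ["pm", "uninstall"] and words[-1] in CRITICAL_PACKAGES:
        return "critical application uninstall"
    return None

def analyse(buffers):
    """End to end: read buffers -> messages -> commands -> (command, verdict) pairs."""
    return [(c, classify(c)) for c in reconstruct(reassemble(buffers))]

# Constructed traffic: 'adb push' of an apk, then 'adb shell pm install', then a benign getprop.
APK = "/data/local/tmp/filename.apk"
CONSTRUCTED_READS = (
    [b"leftover payload of a message whose header was not seen"]   # first read is message data
    + make_message(A_OPEN, 1, 0, b"sync:\0")
    + make_message(A_WRTE, 1, 7, b"STAT" + struct.pack("<I", len(APK)) + APK.encode())
    + make_message(A_WRTE, 1, 7, b"SEND" + struct.pack("<I", len(APK) + 6) + (APK + ",33188").encode())
    + make_message(A_WRTE, 1, 7, b"DATA" + struct.pack("<I", 4) + b"PK\x03\x04")
    + make_message(A_WRTE, 1, 7, b"QUIT" + struct.pack("<I", 0))
    + make_message(A_CLSE, 1, 7)
    + make_message(A_OPEN, 2, 0, b"shell:pm install " + APK.encode() + b"\0")
    + make_message(A_OPEN, 3, 0, b"shell:getprop ro.build.version.release\0")
)

if __name__ == "__main__":
    for command, verdict in analyse(CONSTRUCTED_READS):
        print(command, "->", verdict or "allowed")
```

The magic field (command XOR 0xffffffff) is what lets the reassembler tell a header read from a data read, which is how the case of monitoring starting on message data rather than a header is handled without losing the rest of the stream; the stream ID in arg0 plays the role of the ID number the description uses to group messages into one command.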
The detection module 30 is further configured to generate a user alarm, or to pass the content of the ADB command by way of inter-process communication to a commonly used social or game application, which can then alert the user with a pop-up.
Some embodiments of the present invention have been shown and described above, but as stated, it should be understood that the invention is not confined to the forms disclosed herein, is not to be taken as excluding other embodiments, may be used in various other combinations, modifications and environments, and may be altered within the scope of the inventive concept set forth herein through the above teachings or the technology or knowledge of the related art. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the scope of the appended claims.

Claims (10)

1. A monitoring method for monitoring a PC operating a mobile device, characterised in that the monitoring method comprises the following steps:
obtaining, at the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process;
monitoring each thread separately according to all the obtained thread numbers, finding the thread that reads the USB device file, and obtaining the current thread number of that reading thread;
monitoring the read-file operations in the thread according to the current thread number of the reading thread, and obtaining the parameter content of each read-file operation, the parameter content comprising a message header or message data;
when the parameter content of the first monitored read-file operation is message data, saving all the obtained parameter content;
combining all the saved parameter content into corresponding messages, wherein one message header and one corresponding message data are combined into one message;
combining the obtained messages into corresponding ADB commands, wherein one ADB command comprises at least one message, messages belonging to the same command carry the same ID number, and the ID number is located in the message header;
judging, according to a predefined rule, whether the obtained ADB command can produce malicious behaviour.
2. The monitoring method of claim 1, characterised in that each thread is monitored for a predefined time to look for a corresponding read-file operation; if none is found within that period, the next thread is monitored immediately.
3. The monitoring method of claim 1, characterised in that after all thread numbers have been found, the threads are monitored one by one; if the current thread performs a read-file operation and its first parameter points to the USB device file, the thread number of the current thread is obtained.
4. The monitoring method of claim 1, characterised in that when the terminal is not connected over USB, or the search for the thread that reads the USB device file fails, all thread numbers are obtained again and a search is made for a thread that reads the USB device file.
5. The monitoring method of claim 1, characterised in that if the ADB command is judged capable of producing malicious behaviour, the current ADB command is modified according to a predefined rule to prevent the malicious behaviour from occurring, and/or a user alarm is generated.
6. A monitoring device for monitoring a PC operating a mobile device, characterised in that the monitoring device comprises a daemon module, a monitoring module and a detection module, and when the PC accesses the mobile terminal:
the daemon module is configured to obtain the adbd process and the thread numbers of all threads in the adbd process; to monitor each thread separately according to all the obtained thread numbers; and to find the thread that reads the USB device file, obtain the current thread number of that reading thread and send it to the monitoring module;
the monitoring module is configured to monitor the read-file operations in the reading thread according to the current thread number of the reading thread, and to obtain the parameter content of each read-file operation, the parameter content comprising a message header or message data; when the parameter content of the first monitored read-file operation is judged to be message data, all the obtained parameter content is saved;
the detection module is configured to combine all the saved parameter content into corresponding messages, wherein one message header and the corresponding message data are combined into one message, and to combine the obtained messages into corresponding ADB commands, wherein one ADB command comprises at least one message, messages belonging to the same command carry the same ID number, and the ID number is located in the message header; the detection module is further configured to store predefined malicious command statements, to compare the obtained ADB command with the predefined malicious command statements, and to judge whether malicious behaviour can be produced.
7. The monitoring device of claim 6, characterised in that the monitoring module is configured to monitor each thread for a predefined time to look for a corresponding read-file operation; if none is found within that period, the next thread is monitored immediately.
8. The monitoring device of claim 6, characterised in that the monitoring module monitors the threads one by one; if the current thread performs a read-file operation and its first parameter points to the USB device file, the thread number of the current thread is obtained.
9. The monitoring device of claim 6, characterised in that when the terminal is not connected over USB, or the search for the thread that reads the USB device file fails, the daemon module obtains all thread numbers again and searches for a thread that reads the USB device file.
10. The monitoring device of claim 6, characterised in that if the ADB command is judged capable of producing malicious behaviour, the detection module modifies the current ADB command according to a predefined rule to prevent the malicious behaviour from occurring, and/or generates a user alarm.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610806113.XA CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Publications (2)

Publication Number Publication Date
CN107798240A true CN107798240A (en) 2018-03-13
CN107798240B CN107798240B (en) 2019-10-18

Family

ID=61529963

Country Status (1)

Country Link
CN (1) CN107798240B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254113A (en) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code of mobile terminal
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
US8935793B2 (en) * 2012-02-29 2015-01-13 The Mitre Corporation Hygienic charging station for mobile device security
CN104978518A (en) * 2014-10-31 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for preventing PC (Personal Computer) side from obtaining layout operation of mobile equipment screen

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
史杨: "Android手机和计算机连接后的安全控制策略研究", 《长春师范大学学报》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114968456A (en) * 2022-05-07 2022-08-30 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal
CN114968456B (en) * 2022-05-07 2024-03-08 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal

Also Published As

Publication number Publication date
CN107798240B (en) 2019-10-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 430000 Hubei city Wuhan East Lake New Technology Development Zone 8 Huacheng Road 8 Wuhan software new town industry three phase C20 building

Applicant after: Wuhan Antian Information Technology Co., Ltd.

Address before: 430000 software industry, No. 1 East Road, software park, East Lake New Technology Development Zone, Hubei, Wuhan 4-1, B4 building, room 12, floor 01

Applicant before: Wuhan Antian Information Technology Co., Ltd.

GR01 Patent grant