CN107798240B - A kind of method and device operating mobile device for monitoring the end PC - Google Patents
A kind of method and device operating mobile device for monitoring the end PC
- Publication number: CN107798240B (application CN201610806113.XA)
- Authority: CN (China)
- Prior art keywords: thread, monitoring, message, file, reading
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention discloses a monitoring method for monitoring PC-side operation of a mobile device. It exploits the fact that, when a PC accesses a mobile terminal, the interaction takes place through ADB commands and the adbd process of the Android system: on the mobile device, the operations of reading the USB device file performed by all threads of the adbd process are monitored to obtain the parameter content of those operations; the parameter content is then combined into messages, and the messages into ADB commands, so that the commands sent by the PC when it accesses the mobile terminal are obtained and monitoring is achieved. The method is not affected by the PC-side environment, is easy to use, and monitors effectively. The invention also discloses a monitoring device for monitoring PC-side operation of a mobile device.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for monitoring PC-side operation of a mobile device.
Background technique
At present, a PC is often connected to a mobile terminal so that the PC can control the mobile terminal, for example to install or uninstall applications or to root the system. If the PC has been infected with malicious code, then when that malicious code detects that a mobile terminal has been connected to the PC, it can automatically connect to the mobile terminal (such as a mobile phone) and carry out malicious operations, such as obtaining root privileges, uninstalling applications on the mobile terminal, automatically installing malicious applications, and obtaining files and information from the mobile terminal. Moreover, a PC generally accesses a mobile terminal over USB (Universal Serial Bus); for a mobile terminal running the Android system, this essentially means using the corresponding commands of the ADB (Android Debug Bridge) command-line tool. The ADB command-line tool consists of three parts, briefly introduced below:
(1) The ADB client, a command-line tool running on the PC. Operations such as installing applications and obtaining files are provided through this tool.
(2) The ADB server, a service process running on the PC that manages the PC's direct connection and data exchange with the phone. An operation initiated by the ADB client is first sent to the ADB server, which then sends it to the phone.
(3) The ADB phone-side process, a process named adbd in the Android system, which receives and executes the instructions sent by the ADB server. This process interacts with the ADB server by reading and writing the USB device file of the Android system; adbd opens two threads to operate on the USB device file, one for reading and one for writing.
The adbd process uses a specific message format when interacting with the ADB server, which is described in the documentation in the Android source code. An ADB command can consist of a series of messages, and each message in turn consists of two parts, a message header and message data. The messages of one series are identified by the same ID number (the ID number is located in the message header), and the series usually begins with OPEN and ends with CLOSE.
The message header format is shown in Fig. 1; each field is 4 bytes in size. Command is the identifier of the command. Arg0 and Arg1 are the parameters of the message command, and Arg0 is the ID number referred to here; the message header of each OPEN command carries a new Arg0 value. Data_length is the length of the message data that follows the message header.
Common ADB command operations are:
(1) Installing software: adb.exe install [options] abc.apk
(2) Uninstalling: adb.exe uninstall packageName
(3) File transfer, comprising the adb.exe push and adb.exe pull commands; push transfers a local file to a specified path on the phone, and pull copies a file from the phone to the local machine.
(4) Command execution: adb.exe shell cmd [options]. The Android system is based on Linux, and adb can execute some Linux commands through the shell parameter, for example deleting a file with adb shell rm filepath, uninstalling software with adb shell pm uninstall packageName, or obtaining system properties with adb shell getprop.
Although existing antivirus and security protection software on mobile terminals can scan and analyse application programs, it cannot analyse the operations carried out by ADB commands, so if the mobile terminal is connected to a PC that has been infected with malicious code, malicious applications may be installed on the mobile terminal and information may leak. The present scheme can monitor ADB command operations on the mobile terminal; if malicious installation behaviour or malicious operations are found, they can be blocked and an alarm raised, ensuring terminal security.
Summary of the invention
The purpose of the present invention is to provide a monitoring method and device for monitoring PC-side operation of a mobile device that can help a user monitor, directly on the mobile terminal, the operations the PC performs on the mobile terminal; the monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
To achieve the above goals, the invention discloses a monitoring method for monitoring PC-side operation of a mobile device, comprising the following steps:
obtaining, on the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process;
monitoring each thread separately according to all the obtained thread numbers, finding the thread among them that reads the USB device file, and obtaining the thread number of the current reading thread;
monitoring the read-file operations in the reading thread according to the thread number of the current reading thread, and obtaining the parameter content of the read-file operations, the parameter content comprising a message header or message data;
when the parameter content of the first monitored read-file operation is message data, saving all the obtained parameter content;
combining all the saved parameter content into corresponding messages, where a message header and its corresponding message data combine into one message;
combining the obtained messages into corresponding ADB commands, where an ADB command comprises at least one message, the messages belonging to the same command possess the same ID number, and the ID number is located in the message header;
judging according to preset rules whether the obtained ADB command can produce malicious behaviour.
Further, each thread is monitored for a preset time to find the corresponding operation of reading the USB device file; if it is not found within that time, the next thread is monitored immediately.
Further, after all thread numbers have been found, each thread is monitored one by one; if the current thread executes a read-file operation and its first parameter points to the USB device file, the thread number of the current thread is obtained.
Further, after the terminal is no longer connected to USB or the search for the thread reading the USB device file fails, all thread numbers can be obtained again and the search for the thread reading the USB device file repeated.
Further, if the ADB command is judged to produce malicious behaviour, the current ADB command is modified to prevent the malicious behaviour from occurring.
Further, if the ADB command is judged to produce malicious behaviour, a user alarm is generated.
To achieve the above goals, the invention also discloses a monitoring device for monitoring PC-side operation of a mobile device, located in the mobile terminal, the monitoring device comprising a guard module, a monitoring module and a detection module, wherein:
when the PC accesses the mobile terminal, the guard module is used to obtain the adbd process and the thread numbers of all threads in the adbd process, to monitor each thread separately according to all the obtained thread numbers, to find the thread among them that reads the USB device file, and to send the thread number of the current reading thread to the monitoring module;
the monitoring module is used to monitor the read-file operations in the reading thread according to the thread number of the current reading thread and to obtain the parameter content of the read-file operations, the parameter content comprising a message header or message data; when it judges that the parameter content of the first monitored read-file operation is message data, it saves all the obtained parameter content;
the detection module is used to combine all the saved parameter content into corresponding messages, where a message header and its corresponding message data combine into one message, and to combine the obtained messages into corresponding ADB commands, where an ADB command comprises at least one message, the messages belonging to the same command possess the same ID number, and the ID number is located in the message header; the detection module is also used to store preset malicious command statements, to compare the obtained ADB command with the preset malicious command statements, and to judge whether malicious behaviour can be produced.
Further, the monitoring module is used to monitor each thread for a preset time to find the corresponding operation of reading the USB device file; if it is not found within that time, the next thread is monitored immediately.
Further, after the terminal is no longer connected to USB or the search for the thread reading the USB device file fails, the guard module can obtain all thread numbers again and search again for the thread that reads the USB device file.
Further, after all thread numbers have been found, the monitoring module monitors each thread one by one; if the current thread executes a read-file operation and its first parameter points to the USB device file, the thread number of the current thread is obtained. If no thread number reading the USB device file is found, all thread numbers are obtained again and scanning of the threads continues.
Further, if the ADB command is judged to produce malicious behaviour, the detection module modifies the current ADB command to prevent the malicious behaviour.
Further, if the ADB command is judged to produce malicious behaviour, the detection module generates a user alarm.
Compared with the prior art, the invention has the following advantages: the invention exploits the fact that, when a PC accesses a mobile terminal, the interaction takes place through ADB commands and the adbd process of the Android system; on the mobile device, the operations of reading the USB device file in all threads of the adbd process are monitored to obtain the parameter content of those operations, the parameter content is then combined into messages, and the messages into ADB commands, so that the commands sent when the PC accesses the mobile terminal are obtained and monitoring is achieved. The monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
Detailed description of the invention
Fig. 1 is a schematic diagram of the format of the ADB command message header.
Fig. 2 is a flow chart of a monitoring method for monitoring PC-side operation of a mobile device according to the present invention.
Fig. 3 is a structural schematic diagram of a monitoring device for monitoring PC-side operation of a mobile device according to the present invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with the accompanying drawings.
Although the steps of the present invention are numbered, the numbering is not intended to limit the order of the steps; unless a step explicitly needs to be executed after another, or the execution of some step depends on other steps, the relative order of the steps is adjustable.
The present invention exploits the fact that, when a PC accesses a mobile terminal, the interaction takes place through ADB commands and the adbd process of the Android system. In some embodiments, as shown in Fig. 2, a monitoring method for monitoring PC-side operation of a mobile device comprises the following steps:
S01: obtain, on the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process.
The ps command provided by the system can be used directly to obtain all thread numbers of the adbd process, or they can be obtained by inspecting the /proc file system. In Linux, each process has a corresponding directory /proc/[process number] under /proc; the cmdline file in that directory stores the command name, and the task subdirectory records all thread numbers of the process (referred to as PID numbers below).
S02: monitor each thread separately according to all the obtained thread numbers, find the thread among them that reads the USB device file, and obtain the thread number of the current reading thread.
After all thread numbers have been found, it is necessary to determine which of the threads reads the USB device file. Using the ptrace system call (whose function is to allow one process to trace and control another process), each thread is monitored one by one; the PTRACE_SYSCALL request of ptrace can be used to monitor the thread's system calls. If the current thread executes a read-file operation and its first parameter points to the USB device file, the PID number of the current thread is obtained. The strace tool can also be used to view directly whether the system calls made by each thread include an operation that reads the USB device file.
The path of the USB device file can differ between versions of the Android system and must be looked up in the source code; for example, the default USB device file of Android 4.4 is /dev/android_adb.
Preferably, the judgement of each thread lasts only a short period: each thread is monitored for a preset time to find the corresponding read-file operation, and if it is not found within that time, the current thread is not one that needs monitoring and the next thread is monitored immediately.
It should be understood that, since the adbd process may restart, the monitoring of the adbd process also needs to be restarted, and the PID numbers of the respective threads must be obtained again after every restart. After the terminal is no longer connected to USB or the search for the thread reading the USB device file fails, all thread numbers can be obtained again and the search for the thread reading the USB device file repeated.
S03: monitor the read-file operations in the reading thread according to the thread number of the current reading thread, and obtain the parameter content of the read-file operations, the parameter content comprising a message header or message data.
After the PID number of the current reading thread has been obtained, the methods of ptrace can be used to obtain the parameters of the read-file system call. The read-file method has only 3 parameters, which are passed in registers, so the PTRACE_GETREGS request of ptrace, which obtains the register values, yields the parameters. Among them, the parameter for data storage is a memory address; when the read-file operation finishes, the content read is stored in the memory that this address points to, and the PTRACE_PEEKTEXT method of ptrace can be used to copy out the data at that address.
S04: when the parameter content of the first monitored read-file operation is message data, save all the obtained parameter content.
Each message generally comprises two parts, a message header and message data, so what one monitored read-file operation obtains may be a message header or may be message data. First determine whether the copied-out parameter content is message content: according to the message format description in ADB, the message content contains a magic field, and checking this field determines whether it is a message header. If it is a message header, what the next read-file operation obtains is the message data, whose length is stored in the message header. If what is obtained at the start is not a message header, the current message data is discarded, and what the next read-file operation obtains is then necessarily a message header.
S05: combine all the saved parameter content into corresponding messages.
It should be understood that the message header and message data of one message correspond to the parameters of two successive read-file operations, so merging the parameter content obtained from two read-file operations yields one message.
S06: combine the obtained messages into corresponding ADB commands, where an ADB command comprises at least one message, the messages belonging to the same command possess the same ID number, and the ID number is located in the message header.
Those of ordinary skill in the art will appreciate that a command executed by the ADB client is converted into multiple messages that are sent to the adbd process. Taking the push operation of a file as an example, the messages obtained by reading the file contain (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) --> (CLOSE). Here a tuple with two elements denotes one message: the first part is the command of the message header and the second part is the message data; for example (OPEN, sync) indicates that a sync operation is about to start, and (WRTE, SEND) indicates that data transfer is about to take place. From this series of messages it can therefore be judged that this is a push file operation, and filepath reveals where the file is stored. The commands of other ADB clients are similar. The series of messages corresponding to each ADB client command possesses the same ID number, so the messages possessing the same ID number can be combined into the corresponding ADB command.
S07: judge according to preset rules whether the obtained ADB command can produce malicious behaviour.
Preset malicious command statements are stored in the mobile terminal; the combined ADB command is compared with the preset malicious command statements, and if the combined ADB command is a preset malicious command statement, the obtained ADB command is judged to have malicious behaviour.
The present invention exploits the fact that, when a PC accesses a mobile terminal, the interaction takes place through ADB commands and the adbd process of the Android system; on the mobile device, the read-file operations in all threads of the adbd process are monitored to obtain the parameter content of those read-file operations, the parameter content is then combined into messages, and the messages into ADB commands, so that the commands sent when the PC accesses the mobile terminal are obtained and monitoring is achieved. The monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
Preferably, if the ADB command is judged to produce malicious behaviour, such as copying files, installing or uninstalling applications, or opening ports, the present invention also handles the ADB command accordingly to avoid causing loss to the user.
Several common malicious command statements and the preferred handling of each are described below:
(1) Sample installation command. At the ADB server this command is decomposed into two steps: first a file transfer (adb push filename.apk /data/local/tmp/filename.apk), followed by executing the installation command (adb shell pm install /data/local/tmp/filename.apk). The maliciousness of a sample installation command can be judged either by scanning the transferred file or from the file path specified when the installation is executed.
If a sample installation command is judged to be present, the command content can be modified directly, for example by replacing the package name in the command with an empty string so that the installation is invalid.
(2) File transfer commands, including the command that transfers into the mobile terminal (adb push) and the command that transfers out of it (adb pull). A push operation can be judged by scanning the transferred file; a pull operation requires judging whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is a sensitive file, the command can be invalidated by, for example, setting the file path to an empty string.
(3) Execution of shell commands, i.e. operations executed in adb shell mode. For example, adb shell getprop obtains system properties, the adb shell am command can send broadcasts, and the adb shell pm command can uninstall applications. Maliciousness must be judged according to the specific command: for example, whether an uninstall targets a critical application can be judged from the package name specified in the pm command, and if the command deletes a file, whether the file path is a system file path can be determined. Malicious commands can be handled by modifying the command content.
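As an added example in Python (not code from the patent), the following reassembles a constructed sequence of read() buffers into messages and ADB commands as in S04 to S06 and then applies rules of the three classes just described (S07), including the resynchronisation case where monitoring starts in the middle of a message. It assumes the header layout from the Android source (command, arg0, arg1, data_length, data_check, magic) and a simplified sync sub-protocol; the staging directory, sensitive file names and critical package names are assumed rule data, not the patent's own list.

```python
import struct
from collections import OrderedDict

# Header layout per Android's adb protocol.txt: six little-endian uint32 fields
# (command, arg0, arg1, data_length, data_check, magic), magic == command ^ 0xFFFFFFFF.
HEADER = struct.Struct("<6I")                       # 24-byte message header
A_OPEN, A_WRTE, A_CLSE = 0x4E45504F, 0x45545257, 0x45534C43   # "OPEN", "WRTE", "CLSE"
NAMES = {A_OPEN: "OPEN", A_WRTE: "WRTE", A_CLSE: "CLSE"}

# Constructed rule data (assumptions for this example, not the patent's own list).
STAGING_DIR = "/data/local/tmp/"
SENSITIVE_FILES = ("contacts2.db", "mmssms.db")
CRITICAL_PACKAGES = {"com.example.bank", "com.example.mdm"}

def is_header(chunk):
    """S04: the magic field tells a message header apart from message data."""
    if len(chunk) != HEADER.size:
        return False
    cmd, _, _, _, _, magic = HEADER.unpack(chunk)
    return magic == cmd ^ 0xFFFFFFFF

def assemble_messages(reads):
    """S04/S05: pair each header with the data returned by the next read().
    `reads` holds the buffers of successive read() calls on the USB device file.
    Data seen before the first header is discarded, so the parser resynchronises
    even if monitoring began mid-message.  Returns (command name, id, data) tuples."""
    messages, pending = [], None
    for chunk in reads:
        if pending is not None:                     # previous read was a header
            cmd, msg_id, dlen = pending
            pending = None
            messages.append((NAMES.get(cmd, hex(cmd)), msg_id, chunk[:dlen]))
        elif is_header(chunk):
            cmd, msg_id, _, dlen, _, _ = HEADER.unpack(chunk)
            if dlen == 0:                           # e.g. CLSE carries no data
                messages.append((NAMES.get(cmd, hex(cmd)), msg_id, b""))
            else:
                pending = (cmd, msg_id, dlen)
        # else: data with no preceding header -> drop it, as the patent describes
    return messages

def group_commands(messages):
    """S06: messages sharing an ID (arg0) make up one ADB command."""
    commands = OrderedDict()
    for name, msg_id, data in messages:
        commands.setdefault(msg_id, []).append((name, data))
    return commands

def classify(command):
    """S07: match one reassembled command against the three rule classes the
    patent names: sample install, sensitive file pull, harmful shell command."""
    if not command or command[0][0] != "OPEN":
        return "incomplete"
    service = command[0][1].rstrip(b"\0").decode("utf-8", "replace")
    writes = [d for n, d in command[1:] if n == "WRTE"]
    if service.startswith("sync:"):
        # Constructed simplification of the sync sub-protocol: the WRTE after
        # "SEND"/"RECV" begins with the path, terminated by ',' or end of data.
        for op, payload in zip(writes, writes[1:]):
            path = payload.split(b",", 1)[0].decode("utf-8", "replace")
            if op == b"SEND" and path.startswith(STAGING_DIR) and path.endswith(".apk"):
                return "sample-install"
            if op == b"RECV" and path.endswith(SENSITIVE_FILES):
                return "sensitive-pull"
        return "benign"
    if service.startswith("shell:"):
        argv = service[len("shell:"):].split()
        if argv[:2] == ["pm", "uninstall"] and len(argv) > 2 and argv[2] in CRITICAL_PACKAGES:
            return "critical-uninstall"
        if argv[:2] == ["pm", "install"] and any(a.startswith(STAGING_DIR) for a in argv[2:]):
            return "sample-install"
        if argv[:1] == ["rm"] and any(a.startswith("/system/") for a in argv[1:]):
            return "system-file-delete"
    return "benign"

def analyse(reads):
    """Whole pipeline: read buffers -> messages -> commands -> verdict per ID."""
    commands = group_commands(assemble_messages(reads))
    return {msg_id: classify(cmd) for msg_id, cmd in commands.items()}

def message(cmd, msg_id, data=b""):
    """Encode one message as the ADB client sends it (data_check is adb's byte
    sum of the payload); returns header and data as the separate reads adbd sees."""
    header = HEADER.pack(cmd, msg_id, 0, len(data), sum(data) & 0xFFFFFFFF, cmd ^ 0xFFFFFFFF)
    return [header, data] if data else [header]

APK = (STAGING_DIR + "sample.apk").encode()
CAPTURE = (                                         # constructed sample capture
    [b"tail of a message we joined too late"]       # dropped during resync
    + message(A_OPEN, 7, b"sync:\0")
    + message(A_WRTE, 7, b"STAT") + message(A_WRTE, 7, APK)
    + message(A_WRTE, 7, b"SEND") + message(A_WRTE, 7, APK + b",33188PK\x03\x04")
    + message(A_WRTE, 7, b"QUIT") + message(A_CLSE, 7)
    + message(A_OPEN, 9, b"shell:pm uninstall com.example.bank\0") + message(A_CLSE, 9)
    + message(A_OPEN, 11, b"shell:getprop ro.build.version.release\0") + message(A_CLSE, 11)
)

if __name__ == "__main__":
    for msg_id, verdict in analyse(CAPTURE).items():
        print(f"command id={msg_id}: {verdict}")
```

The first buffer in CAPTURE is not a valid header and is discarded, which mirrors the page's rule that data seen before a header is dropped until the next header arrives.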
The handling methods for the three classes of malicious commands above all mention handling by modifying the command content; the specific manner of modification is as follows. The content of the command is stored in the message data, that is, in the memory that the parameter of the read-file operation points to. Since the parameters of the read-file operation have been saved, the PTRACE_POKETEXT request of ptrace can be used to modify the content of the memory holding the command; alternatively, the PTRACE_SETREGS request of ptrace can be used to modify the parameter of the read-file operation into a null pointer, invalidating the parameter value.
Preferably, if the ADB command is judged to produce malicious behaviour, a user alarm is generated.
Specifically, the user alarm can be generated directly, or the content of the ADB command can be passed by means of inter-process communication to a common social or game application, which can then alert the user by means of a pop-up warning.
As shown in Fig. 3, the invention also discloses a monitoring device for monitoring PC-side operation of a mobile device, located in the mobile terminal, the monitoring device comprising a guard module 10, a monitoring module 20 and a detection module 30, wherein:
when the PC accesses the mobile terminal, the guard module 10 is used to obtain the adbd process and the thread numbers of all threads in the adbd process, to monitor each thread separately according to all the obtained thread numbers, to find the thread among them that reads the USB device file, and to send the thread number of the current reading thread to the monitoring module 20.
The ps command provided by the system can be used directly to obtain all thread numbers of the adbd process, or they can be obtained by inspecting the /proc file system. In Linux, each process has a corresponding directory /proc/[process number] under /proc; the cmdline file in that directory stores the command name, and the task subdirectory records the PID numbers of all threads of the process.
After all PID numbers have been found, the ptrace system call (whose function is to allow one process to trace and control another process) is used to monitor each thread one by one; the PTRACE_SYSCALL request of ptrace can be used to monitor the thread's system calls. If the current thread calls the read-file operation of the system and its first parameter points to the USB device file, the PID number of the current thread is obtained. The strace tool can also be used to view directly whether the system calls made by each thread include an operation that reads the USB device file.
The monitoring module 20 is used to monitor the read-file operations in the reading thread according to the thread number of the current reading thread, to obtain the parameter content of the read-file operations, and to judge whether the parameter content of the first monitored read-file operation is a message header or message data; if it is message data, all the obtained parameter content is saved, the parameter content comprising a message header or message data.
After the PID number of the current reading thread has been obtained, the methods of ptrace can be used to obtain the parameters at the time of the system call. The system call method of the read-file operation has only 3 parameters, which are passed in registers, so the PTRACE_GETREGS request of ptrace, which obtains the register values, yields the parameters. The parameter holding the data storage location is a memory address, and the PTRACE_PEEKTEXT method of ptrace can be used to copy out the data at that address.
The detection module 30 is used to combine all the saved parameter content into corresponding messages, where a message header and its corresponding message data combine into one message, and to combine the obtained messages into corresponding ADB commands, where an ADB command comprises at least one message, the messages belonging to the same command possess the same ID number, and the ID number is located in the message header; the detection module 30 is also used to store preset malicious command statements, to compare the obtained ADB command with the preset malicious command statements, and to judge whether malicious behaviour can be produced.
Those of ordinary skill in the art will appreciate that the message header and message data of one message correspond to the parameters of two successive read-file operations, so merging the parameter content of two read-file operations yields one message. A command executed by the ADB client is converted into multiple messages that are sent to the adbd process. Taking the push operation of a file as an example, the thread reading the USB device file receives (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) --> (CLOSE). Here a tuple with two elements denotes one message: the first part is the command of the message header and the second part is the message data; for example (OPEN, sync) indicates that a sync operation is about to start, and (WRTE, SEND) indicates that data transfer is about to take place. From this series of messages it can therefore be judged that this is a push file operation, and filepath reveals where the file is stored. The commands of other ADB clients are similar. The series of messages corresponding to each ADB client command possesses the same ID number, so the messages possessing the same ID number can be combined into the corresponding ADB command.
Preset malicious command statements are stored in the mobile terminal; the combined ADB command is compared with the preset malicious command statements, and if the combined ADB command is a preset malicious command statement, the obtained ADB command is judged to have malicious behaviour.
The present invention exploits the fact that, when a PC accesses a mobile terminal, the interaction takes place through ADB commands and the adbd process of the Android system; on the mobile device, the read-file operations of the thread in the adbd process that reads the USB device file are monitored to obtain the parameter content of those read-file operations, the parameter content is then combined into messages, and the messages into ADB commands, so that the commands sent when the PC accesses the mobile terminal are obtained and monitoring is achieved. The monitoring is not affected by the PC-side environment, is easy to use, and monitors effectively.
Preferably, the detection module 30 is also used, when it judges that an ADB command has malicious behaviour, to handle the ADB command accordingly so as to avoid causing loss to the user.
Several frequently seen malicious commands sentence and the more excellent solution for the order is described below:
(1) sample installation order, it is file transmission first that in ADB server-side, the order, which is decomposed into following two steps progress,
(adb push filename.apk/data/local/tmp/filename.apk), followed by execute installation order (adb
Shell pm install/data/local/tmp/filename.apk).Peace can be either executed by scanning file transmission
The file path specified when dress carrys out the malicious of judgement sample installation order.
If judging there is sample installation order, command context can be directly modified, such as the packet name in order is replaced with into sky
Character string, so that installation is invalid.
(2) File transfer commands, including the command that sends a file into the mobile terminal (adb push) and the command that pulls a file out of it (adb pull). A push operation can be judged by scanning the transferred file; a pull operation requires judging whether the transferred file is a sensitive file (such as the contacts database). If the transferred file is a sensitive file, the command can be invalidated, for example by setting the file path to an empty string.
(3) Shell command execution, i.e. operations executed in adb shell mode. For example, adb shell getprop reads system properties, adb shell am commands can send broadcasts, and adb shell pm commands can uninstall applications. Maliciousness has to be judged according to the specific command: whether an uninstall targets a critical application can be judged from the package name specified in the pm command; if the command deletes a file, it can be checked whether the file path is a system file path. Malicious commands can be handled by modifying the command content.
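As an added example, not code from the patent, the following Python carries out the message-reassembly step described above (grouping captured read() chunks into ADB commands by the stream id in the message header) and then classifies each command into the three classes just listed. It assumes the standard 24-byte ADB transport header and the sync sub-protocol request layout; the make_header helper, the sensitive-file and critical-package lists, and all sample traffic are constructed for illustration.

```python
import struct
# ADB transport header (adb protocol.txt): six little-endian uint32 fields, 24
# bytes: command, arg0, arg1, data_length, data_check, magic (= command ^ ~0).
HEADER_LEN = 24
A_OPEN, A_WRTE = 0x4E45504F, 0x45545257   # "OPEN" and "WRTE" as LE integers

def make_header(cmd, arg0, arg1, data=b""):   # builds constructed sample traffic
    return struct.pack("<6I", cmd, arg0, arg1, len(data), sum(data), cmd ^ 0xFFFFFFFF)

def assemble_commands(reads):
    """Group captured read() chunks into commands keyed by stream id (arg0).
    Chunks that precede a valid header cannot form a message and are dropped."""
    commands, pending = {}, None
    for chunk in reads:
        if pending:                                   # this chunk is message data
            cmd, sid, dlen = pending
            pending = None
            if len(chunk) == dlen:                    # header + data = one message
                commands.setdefault(sid, []).append((cmd, chunk))
            continue
        if len(chunk) != HEADER_LEN:
            continue                                  # data with no header yet
        cmd, sid, _, dlen, _, magic = struct.unpack("<6I", chunk)
        if dlen and magic == cmd ^ 0xFFFFFFFF:        # valid header with a payload
            pending = (cmd, sid, dlen)                # header-only OKAY/CLSE skipped
    return commands

# Constructed stand-ins for the page's preset malicious-command list.
SENSITIVE_FILES = {b"/data/data/com.android.providers.contacts/databases/contacts2.db"}
CRITICAL_PACKAGES = {b"com.android.systemui"}

def classify(messages):
    """Return 'install', 'transfer' or 'shell' per the page's three classes, else None."""
    service = next((d for c, d in messages if c == A_OPEN), b"").rstrip(b"\0")
    if service.startswith(b"shell:"):
        argv = service[6:].split()
        if argv[:2] == [b"pm", b"install"]:
            return "install"
        if argv[:2] == [b"pm", b"uninstall"] and argv[-1] in CRITICAL_PACKAGES:
            return "shell"
    elif service == b"sync:":   # sync requests ride in WRTE data: id, uint32 LE len, path
        for cmd, data in messages:
            if cmd != A_WRTE or data[:4] not in (b"SEND", b"RECV"):
                continue
            path = data[8:8 + struct.unpack("<I", data[4:8])[0]]
            if data[:4] == b"SEND" and path.split(b",")[0].endswith(b".apk"):
                return "install"                      # staging an APK for pm install
            if data[:4] == b"RECV" and path in SENSITIVE_FILES:
                return "transfer"
    return None
```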
The handling of all three classes of malicious command above relies on modifying the command content. The specific modification is as follows: the content of the command is stored in the memory pointed to by the parameter of the read-file operation, and since the parameters of the read-file operation have been saved, PTRACE_POKETEXT of ptrace can be used to modify the command content in memory; alternatively, PTRACE_SETREGS of ptrace can be used to change the parameter of the read-file operation to a null pointer, invalidating the parameter value.
The detection module 30 is also used to generate a user alarm, or to pass the content of the ADB command through inter-process communication to a common social or game application, which can then alert the user by means of a pop-up.
The above describes and illustrates several embodiments of the invention, but, as stated earlier, it should be understood that the invention is not limited to the forms disclosed herein, should not be regarded as excluding other embodiments, can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described herein according to the above teachings or the skill or knowledge of the related field. Changes and modifications made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the scope of protection of the appended claims.
Claims (10)
1. A monitoring method for monitoring a PC side operating a mobile device, characterized in that the monitoring method comprises the following steps:
obtaining, on the mobile terminal, the adbd process and the thread numbers of all threads in the adbd process;
monitoring each thread separately according to all the obtained thread numbers, finding the thread that reads the USB device file and obtaining the thread number of the current reading thread, the current reading thread being the thread reading the USB device file that the current monitoring has found;
monitoring the read-file operation in that thread according to the thread number of the current reading thread and obtaining the parameter content of the read-file operation, the parameter content comprising a message header or message data;
when the parameter content of the first read-file operation monitored is message data, saving all the obtained parameter content;
combining all the saved parameter content into corresponding messages, wherein one message header and one corresponding message data can be combined into one message;
combining the obtained messages into corresponding ADB commands, wherein one ADB command comprises at least one message, the messages belonging to the same command have the same ID number, and the ID number is located in the message header;
judging, according to preset rules, whether the obtained ADB command can produce malicious behaviour.
2. The monitoring method of claim 1, characterized in that each thread is monitored for a preset time to look for the corresponding read-file operation, and if none is found within that time, the next thread is monitored immediately.
3. The monitoring method of claim 1, characterized in that after all thread numbers have been found, the threads are monitored one by one, and if the current thread executes a read-file operation whose first parameter points to the USB device file, the thread number of the current thread is obtained.
4. The monitoring method of claim 1, characterized in that when the terminal is not connected via USB, or after the search for the thread reading the USB device file has failed, all thread numbers are obtained again and a search is made for whether any thread reads the USB device file.
5. The monitoring method of claim 1, characterized in that if the ADB command is judged to be able to produce malicious behaviour, the current ADB command is modified according to preset rules to prevent the malicious behaviour from occurring, and/or a user alarm is generated.
6. A monitoring device for monitoring a PC side operating a mobile device, characterized in that the monitoring device comprises a guard module, a monitoring module and a detection module, and, when the PC side accesses the mobile terminal:
the guard module is used to obtain the adbd process and the thread numbers of all threads in the adbd process; to monitor each thread separately according to all the obtained thread numbers, find the thread that reads the USB device file, and obtain the thread number of the current reading thread and send it to the monitoring module, the current reading thread being the thread reading the USB device file that the current monitoring has found;
the monitoring module is used to monitor the read-file operation in the reading thread according to the thread number of the current reading thread and obtain the parameter content of the read-file operation, the parameter content comprising a message header or message data, and, when the parameter content of the first read-file operation monitored is judged to be message data, to save all the obtained parameter content;
the detection module is used to combine all the saved parameter content into corresponding messages, wherein one message header and one corresponding message data can be combined into one message, and to combine the obtained messages into corresponding ADB commands, wherein one ADB command comprises at least one message, the messages belonging to the same command have the same ID number, and the ID number is located in the message header; the detection module is also used to store preset malicious command statements, compare the obtained ADB command with the preset malicious command statements, and judge whether malicious behaviour will be produced.
7. The monitoring device of claim 6, characterized in that the monitoring module is used to monitor each thread for a preset time to look for the corresponding read-file operation, and if none is found within that time, to monitor the next thread immediately.
8. The monitoring device of claim 6, characterized in that the monitoring module monitors the threads one by one, and if the current thread executes a read-file operation whose first parameter points to the USB device file, obtains the thread number of the current thread.
9. The monitoring device of claim 6, characterized in that when the terminal is not connected via USB, or after the search for the thread reading the USB device file has failed, the guard module obtains all thread numbers again and searches for whether any thread reads the USB device file.
10. The monitoring device of claim 6, characterized in that if the ADB command is judged to be able to produce malicious behaviour, the detection module modifies the current ADB command according to preset rules to prevent the malicious behaviour from occurring, and/or generates a user alarm.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610806113.XA CN107798240B (en) | 2016-09-07 | 2016-09-07 | A kind of method and device operating mobile device for monitoring the end PC |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107798240A CN107798240A (en) | 2018-03-13 |
CN107798240B true CN107798240B (en) | 2019-10-18 |
Family
ID=61529963
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610806113.XA Active CN107798240B (en) | 2016-09-07 | 2016-09-07 | A kind of method and device operating mobile device for monitoring the end PC |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107798240B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114968456B (en) * | 2022-05-07 | 2024-03-08 | 麒麟合盛网络技术股份有限公司 | Method and device for controlling terminal |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102254113A (en) * | 2011-06-27 | 2011-11-23 | 深圳市安之天信息技术有限公司 | Method and system for detecting and intercepting malicious code of mobile terminal |
CN103279706A (en) * | 2013-06-07 | 2013-09-04 | 北京奇虎科技有限公司 | Method and device for intercepting installation of Android application program in mobile terminal |
US8935793B2 (en) * | 2012-02-29 | 2015-01-13 | The Mitre Corporation | Hygienic charging station for mobile device security |
CN104978518A (en) * | 2014-10-31 | 2015-10-14 | 哈尔滨安天科技股份有限公司 | Method and system for preventing PC (Personal Computer) side from obtaining layout operation of mobile equipment screen |
Non-Patent Citations (1)
Title |
---|
Research on security control strategies after connecting an Android phone to a computer; Shi Yang; Journal of Changchun Normal University; 2015-10-30; Vol. 34, No. 10; pp. 34-37 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 430000 Hubei city Wuhan East Lake New Technology Development Zone 8 Huacheng Road 8 Wuhan software new town industry three phase C20 building. Applicant after: Wuhan Antian Information Technology Co., Ltd. Address before: 430000 software industry, No. 1 East Road, software park, East Lake New Technology Development Zone, Hubei, Wuhan 4-1, B4 building, room 12, floor 01. Applicant before: Wuhan Antian Information Technology Co., Ltd. |
| GR01 | Patent grant | |