CN109388538B - Kernel-based file operation behavior monitoring method and device - Google Patents


Publication number: CN109388538B
Authority: CN (China)
Legal status: Active
Application number: CN201811066041.5A
Other languages: Chinese (zh)
Other versions: CN109388538A
Inventors: 陶敬, 王平辉, 韩婷, 栾庆鑫, 王铮, 李佳璇, 郑宁, 白云鹏, 孙立远, 柳哲, 林杰
Current assignee: Xian Jiaotong University
Original assignee: Xian Jiaotong University
Application filed by Xian Jiaotong University; priority to CN201811066041.5A; published as CN109388538A and granted as CN109388538B; legal status: Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G06F11/3065 Monitoring arrangements determined by the means or processing involved in reporting the monitored data


Abstract

The invention provides a kernel-based file operation behavior monitoring method and device. The method comprises two modules: monitoring of a specified path, and monitoring of the file operation behavior of a mobile application program. With an app as input, the file operation behavior of the app is monitored from the kernel and a log is output; with a file path as input, changes to the files under that directory are monitored. The method and device can be used to monitor the file operation behavior of malicious apps.

Description

Kernel-based file operation behavior monitoring method and device
Technical Field
The invention belongs to the technical field of Android application program monitoring, and particularly relates to a kernel-based file operation behavior monitoring method and device.
Background
Mobile devices have become indispensable; because of their convenience, many activities in people's lives, such as payment, chatting and writing memos, are carried out on them. According to an analysis report by IDC, the Android operating system accounted for 86.8% of the smartphone market share by the third quarter of 2016. Because the Android system is open source, the barrier to Android development is much lower than for other operating systems, which has given Android a huge market share; and because developer quality is uneven, the Android devices of various manufacturers have many bugs. The open-source nature of Android and the breadth of its development community give both sides of security attack and defense more room for research. Security attacks on the Android system never stop.
Because Android adopts the Linux kernel, research on the security of the Linux kernel on Android has gradually begun, for example research on kernel rootkits and on file access control in the Android system. These studies point out existing defects of the Android system and propose some corrections, but no effective means of monitoring and defending against malicious software behavior has been proposed.
The most convenient way to discover the execution logic of malware is to monitor its file operation behavior. According to existing research on security problems such as privilege escalation, payment vulnerabilities and ransomware, a system capable of monitoring root-level users is urgently needed for security analysis. The invention provides a device for monitoring file operation behavior based on the Android kernel.
Many security vendors, represented by 360 Security, monitor the behavior of malware in order to protect mobile phone users, analyze its execution logic and find defenses. The most common method for analyzing malware behavior is sandboxing: the sandbox redirects the behavior of the running program into a folder, so a program running in the sandbox cannot affect the real system. Sandboxes are commonly used to test untrusted applications or Internet behavior. However, as the following two technologies mature, the traditional sandbox can no longer perform the task of monitoring and analyzing malware.
1) Evasion techniques: malware can detect its own running environment and, when it is being debugged or is in a sandbox, stop its malicious behavior and show only benign behavior. Sandbox systems are overwhelmed by such malware. In this situation, malware must be monitored on a real device.
2) Low-level attacks: many current malicious behaviors operate at the native user-space level and can bypass the monitoring of a traditional sandbox, so a monitoring device must be established at the kernel level.
Disclosure of Invention
Based on the development trend of existing malware, and in order to overcome the defects of the prior art, the invention aims to provide a kernel-based file operation behavior monitoring method and device: a lower-layer file operation monitoring device that cannot be discovered by malware, which monitors the malware by hooking Android kernel system calls and by monitoring a specified file path based on inotify. According to existing statistics on malware behavior, the following operations are selected for monitoring and recording: device channel management operations, opening and closing files, random access, deletion, modification of file attributes, modification of the file owner, creation of files or folders, and file link operations. By analyzing the monitoring log, the location of the malware and the vulnerable device can be quickly identified, which helps security analysts discover the running logic of the malware and further extract its signatures; this is of great significance for security analysis and for locating device vulnerabilities. At the same time, since some malware may write malicious code into a system file and execute it by means of a system process, the monitoring apparatus also needs a mode for monitoring a specified file path.
In order to achieve the purpose, the invention adopts the technical scheme that:
A kernel-based file operation behavior monitoring method comprises the following steps:
S1, starting the monitoring device;
S2, specifying an application program to be monitored;
S3, specifying a file path to be monitored;
S4, running the monitored application program and triggering its functions;
S5, recording the file operation behavior of the monitored application program in the kernel, and generating a monitoring log;
S6, closing the monitoring device and outputting the log to a file.
The file path to be monitored refers to a system path or a user-defined path, and the monitoring result for the file path complements the monitoring result for the application program, so that the malicious behavior of software is monitored more comprehensively. The file operation behaviors include file opening, file closing, file reading and writing, IO channel operations, file deletion, file renaming and file permission changes (as listed in claim 1). The monitoring device uses a Linux driver to provide an interactive interface, and the monitored application program is uniquely specified by its uid.
In S5, at the kernel layer, the system call monitoring is combined with the system directory monitoring, which specifically includes:
S51, writing a corresponding monitoring function for each system call function to be monitored in the kernel layer;
S52, replacing the address of the original system call function in the system call table with the address of the monitoring function;
S53, executing the monitoring function according to the judgment condition;
S54, returning to the original system call without affecting the normal operation of the system;
S55, monitoring the file operation behavior in the specified file path.
In S53, executing the monitoring function according to the judgment condition means the following: the user specifies, through the driver provided by the monitoring device, the uid of the application program to be monitored; when the monitoring function is called, it judges whether the calling application program is the one to be monitored, executes the monitoring logic if it is, and skips it otherwise.
In S6, the monitoring result is output as a file from within the kernel, using a circular double-buffering mode: the log is written into a memory buffer; when the log fills half of the buffer, the log file is opened and the first half of the buffer is written to the file while new log entries are recorded into the second half; when the second half is full, the log file is opened, the second half is written to the file, and new log entries are recorded into the first half.
Any file path in the system can be designated for monitoring, and the monitoring range covers all subdirectories and files under that path.
Monitoring under the specified file path: the file operation behavior monitoring module monitors file operations in the specified path, including file opening, file closing, file reading and writing, file deletion, file permission changes, and files being moved into or out of the path;
the specified file path is monitored with the monitoring mechanism built into Linux. According to the events returned by this mechanism, the monitored file operations under the path include, but are not limited to: opening, closing, reading and writing, deleting, changing the permissions of, and moving in and out of files.
The invention also provides a device for monitoring the file operation behavior based on the Android kernel, which is characterized by comprising the following components:
the interactive interface is used for the user to specify the application program and the file path to be monitored;
the kernel monitoring unit is used for realizing the system call monitoring of the kernel layer;
the file path monitoring unit is used for monitoring the file operation behavior of the specified file path, and the monitored object comprises a subfile and a subfolder of the specified file path;
and the log output unit is used for outputting the log information to the disk in a file form at the kernel layer.
The interactive interface implements the interaction between the user layer and the kernel layer by means of a driver;
the kernel monitoring unit includes:
the system call table replacing module, which replaces a system call function with a monitoring function;
the file operation behavior monitoring module, which records different monitoring information for different system calls;
and the restoring module, which removes the effect of the monitoring function on the execution of the original system call function so that the original system call executes normally.
The file path monitoring unit includes:
the file path traversing module is used for traversing the subfiles and the subfolders under the file path and monitoring the subfiles and the subfolders according to the requirement;
the file operation behavior monitoring module monitors the file operation behavior by using a monitoring mechanism embedded in Linux;
and the log output module is used for outputting the monitoring log to a magnetic disk for storage in a file form.
The file operation behavior monitoring module comprises:
the file operation behavior monitoring module of the mobile application program is responsible for monitoring the file operation behavior of the specified application program;
and the file operation behavior monitoring module of the specified file path is responsible for monitoring the file operation behavior of the specified file path.
The file operation behavior monitoring module of the mobile application program consists of 12 modules; each hooks the system call of one of the 12 file operation behaviors and inserts a monitoring function before the original file operation, so that the required monitoring information is recorded without affecting the function of the original file operation.
The file operation behavior monitoring module of the mobile application program uses the following three key technologies:
the hijacking technique for the Android system call table, which adds a monitoring function to the call of the original file operation system call;
the file path conversion technique, which converts a file descriptor or file path descriptor in the kernel into a concrete file path;
and the in-kernel double-buffered logging technique.
Compared with the prior art, the invention has the beneficial effects that:
1) All file operation behaviors are monitored: every file operation above the kernel layer can be captured and a complete monitoring log obtained, helping an analyst quickly locate devices with vulnerabilities;
2) uid filtering: a designated app can be monitored so that irrelevant monitoring information is filtered out;
3) the impact on device performance is small, less than 1%.
Drawings
FIG. 1 is a block diagram of the file operation behavior monitoring module of the present invention.
FIG. 2 is a flow chart of the system call hooking module of the present invention.
FIG. 3 is a flow chart of the uid filtering module of the present invention.
FIG. 4 is a diagram of the object model used for file path conversion in the present invention.
FIG. 5 is a flow chart of the file path conversion module of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings and embodiments.
The invention relates to a device for monitoring file operation behavior based on the Android kernel, comprising the following components:
the interactive interface, which implements the interaction between the user layer and the kernel layer by means of a driver and through which the user specifies the application program and the file path to be monitored;
the kernel monitoring unit, which implements system call monitoring at the kernel layer and mainly comprises a system call table replacing module that replaces a system call function with a monitoring function, a file operation behavior monitoring module that records different monitoring information for different system calls, and a restoring module that removes the effect of the monitoring function on the execution of the original system call function so that the original system call executes normally;
the file path monitoring unit, which mainly comprises a file path traversing module and a file operation behavior monitoring module: the file path traversing module traverses the subfiles and subfolders under the file path and monitors them as needed, and the file operation behavior monitoring module monitors file operation behavior using the monitoring mechanism built into Linux; the monitored objects include the subfiles and subfolders of the specified file path;
and the log output unit, which outputs the log information to disk in the form of a file at the kernel layer.
As shown in fig. 1, the file operation behavior monitoring module includes:
the file operation behavior monitoring module of the mobile application program, which is responsible for monitoring the file operation behavior of the specified application program; it consists of 12 modules (only 7 are shown in the figure), each of which hooks the system call of one of the 12 file operation behaviors and inserts a monitoring function before the original file operation, so that the required monitoring information is recorded without affecting the original file operation;
and the file operation behavior monitoring module of the specified file path is responsible for monitoring the file operation behavior of the specified file path.
The input of the file operation behavior monitoring module is the app or the file path to be monitored. Since the two modules implement different functions, they are described separately below.
The file operation behavior monitoring module of the mobile application program implements monitoring of the file operation behavior of the specified app:
1. Turn on the mobile phone.
2. Install the app that needs to be monitored.
3. On the computer, run adb shell and then ps to obtain the uid of the app to be monitored.
4. Pass the uid obtained in step 3 to the kernel through the interface driver written for this purpose, and start the monitoring module.
5. Run the monitored app; its monitoring log can be found under the /data/local/tmp/uid directory.
The file operation behavior monitoring module is described in detail as follows:
1. file operation behavior monitoring module of mobile application program
There are three key technologies in this module:
the hijacking technology of the Android module call list is responsible for adding a monitoring function into the call of the original file operation module;
the file path conversion technology is responsible for converting the file descriptor and the file path descriptor in the kernel into a specific file path;
and the in-kernel double-buffered logging technique.
Specifically, the principle of the Android system call table hijacking technique is shown in fig. 2. To execute a system call, an application first has to trigger an exception so that the system enters a kernel-mode function that handles the exception. That exception handler is the focus here: the system call handler. The mechanism is implemented differently on different architectures, but in every case the system call handler runs because user space raised an exception that trapped into the kernel.
Since all system calls trap into the kernel in the same manner, the trap alone cannot tell the kernel which system call to execute; a system call number must be passed along. On arm64 hardware the system call number is passed to the kernel in the x8 register: when the user program triggers the software interrupt, the system call number is already stored in x8 so the kernel can read it directly. Other architectures are similar.
So when a program traps into the kernel it passes the system call number with it. The kernel first compares the number with NR_syscalls (the maximum system call number); if it is greater than or equal to NR_syscalls, the call returns ENOSYS. If the number is valid, it is used to index the system call table and the corresponding system call is executed. When the system call finishes, its return value is returned to user space.
The system call hijacking technique adopted here replaces the address of the system call function in the system call table with the address of our own function; after our monitoring function has executed, control jumps back to the original system call address and execution continues.
Next, the file path conversion technique. The Android system uses the Linux kernel and therefore the Linux kernel's most characteristic component, the virtual file system (VFS). The VFS is designed so that the implementations of different file systems on different media are transparent to user programs, which increases generality and portability: a user program operates on every file system through the same set of system calls. The flow chart is shown in fig. 5.
In the Linux kernel, a file descriptor or file path descriptor must be resolved and converted into a human-readable string. During resolution the validity of the file descriptor must be checked first; if it is valid, the dentry structure and the inode are combined to build the path string.
Next, in the Linux kernel, writing a log record to a file with a file operation takes time, so a circular double-buffering mode is adopted to make logging more efficient. A large region of memory is set aside as the log buffer; when the log fills half of the buffer, a file operation is invoked to write the first half to the file while new log entries continue to fill the second half. When the buffer is full, a file operation writes the second half to the file and the write cursor moves back to the beginning of the buffer. This greatly reduces the number of times the file is opened, and so reduces time and resource overhead.
The file operation behavior monitoring module for the specified file path is used for monitoring the file path based on inotify and can monitor the change of files under the specified path and files under the subfolders, so that the high-risk behavior of the malicious app can be monitored.
At app run time, every file operation necessarily goes through a system call. Because the system call function has been hijacked, when the system looks up the system call table it first enters the monitoring function (see fig. 3), where key information such as a timestamp and the file path is recorded and the log is written using the circular double-buffering method. This process needs a uid filtering technique: when a file operation is monitored in the kernel, the uid of the process making the system call is checked. The uid of a normal software process does not change while it runs, but the uid of malware may change, so checking the process uid alone is not enough; the pid of the process must also be included in the monitoring condition, and each time the monitored app spawns a child process, that child is added to the monitoring list so that no process is missed.
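As an added illustration (not code from the patent), the hijack and filter logic above modelled in user-space C: an array of function pointers stands in for the kernel's system call table, and the hook wrappers judge by uid, keep the watched pids (including children returned by clone) in a list, log the call, and then fall through to the saved original. The table, uids, pids and paths are constructed; a real implementation patches sys_call_table from a kernel module.

```c
/* Added example (not the patent's code): a user-space model of the system call
 * table hijack and the uid/pid filter described above. The real device patches
 * the kernel's sys_call_table; here a plain array of function pointers stands
 * in for it so the control flow can be compiled and run anywhere. Every uid,
 * pid and path below is a constructed sample value. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_SYSCALLS_DEMO 3          /* constructed: a three-entry table */
#define MAX_TRACKED 16
#define MAX_LOG 32
enum { NR_OPEN_DEMO = 0, NR_UNLINK_DEMO = 1, NR_CLONE_DEMO = 2 };

/* What the in-kernel hook would read from current->cred and current->pid. */
struct task { unsigned uid; unsigned pid; };
typedef long (*syscall_fn)(const struct task *t, const char *arg);

/* Stand-ins for the original system calls; only their return values matter. */
static long orig_open(const struct task *t, const char *p)   { (void)t; (void)p; return 3; }
static long orig_unlink(const struct task *t, const char *p) { (void)t; (void)p; return 0; }
static long orig_clone(const struct task *t, const char *p)  { (void)t; return p ? strtol(p, NULL, 10) : -1; } /* arg = child pid */

static syscall_fn sys_call_table[NR_SYSCALLS_DEMO] = { orig_open, orig_unlink, orig_clone };
static syscall_fn saved[NR_SYSCALLS_DEMO];   /* originals, for the S54 fall-through and restore */
static bool installed;

static unsigned monitored_uid;
static unsigned tracked_pids[MAX_TRACKED];
static int ntracked;
static char logbuf[MAX_LOG][96];
static int nlog;

static void track_pid(unsigned pid) {
    for (int i = 0; i < ntracked; i++) if (tracked_pids[i] == pid) return;
    if (ntracked < MAX_TRACKED) tracked_pids[ntracked++] = pid;
}

/* S53 judgment: the uid selects the app, but a process is also kept under
 * watch by pid, so a later uid change does not drop it from the log. */
static bool is_monitored(const struct task *t) {
    if (t->uid == monitored_uid) { track_pid(t->pid); return true; }
    for (int i = 0; i < ntracked; i++) if (tracked_pids[i] == t->pid) return true;
    return false;
}

static void log_event(const char *call, const struct task *t, const char *arg) {
    if (nlog < MAX_LOG)
        snprintf(logbuf[nlog++], sizeof logbuf[0], "%s uid=%u pid=%u %s", call, t->uid, t->pid, arg ? arg : "");
}

/* Monitoring functions: record, then return to the saved original (S54). */
static long hook_open(const struct task *t, const char *p) {
    if (is_monitored(t)) log_event("open", t, p);
    return saved[NR_OPEN_DEMO](t, p);
}
static long hook_unlink(const struct task *t, const char *p) {
    if (is_monitored(t)) log_event("unlink", t, p);
    return saved[NR_UNLINK_DEMO](t, p);
}
static long hook_clone(const struct task *t, const char *p) {
    long child = saved[NR_CLONE_DEMO](t, p);
    if (child > 0 && is_monitored(t)) { track_pid((unsigned)child); log_event("clone", t, p); }
    return child;
}

/* S52: remember the originals and overwrite the table entries. */
void install_hooks(unsigned uid) {
    if (!installed) { memcpy(saved, sys_call_table, sizeof saved); installed = true; }
    monitored_uid = uid; ntracked = 0; nlog = 0;
    sys_call_table[NR_OPEN_DEMO]   = hook_open;
    sys_call_table[NR_UNLINK_DEMO] = hook_unlink;
    sys_call_table[NR_CLONE_DEMO]  = hook_clone;
}
/* Restoring module: put the original addresses back. */
void remove_hooks(void) { if (installed) memcpy(sys_call_table, saved, sizeof saved); }

/* Dispatcher shaped like the kernel entry path: range check, then table lookup. */
long do_syscall(unsigned nr, const struct task *t, const char *arg) {
    if (nr >= NR_SYSCALLS_DEMO) return -ENOSYS;
    return sys_call_table[nr](t, arg);
}
int log_count(void) { return nlog; }
const char *log_line(int i) { return (i >= 0 && i < nlog) ? logbuf[i] : ""; }

/* Constructed scenario: the watched app (uid 10123, pid 500) opens a file, an
 * unrelated app is ignored, the watched app clones pid 501, and the child is
 * still logged after its uid changed to 0. Returns the number of log lines. */
int demo_scenario(void) {
    struct task app = { 10123, 500 }, other = { 10456, 600 }, child = { 0, 501 };
    install_hooks(10123);
    do_syscall(NR_OPEN_DEMO, &app, "/data/data/com.example.app/files/cfg");
    do_syscall(NR_OPEN_DEMO, &other, "/sdcard/photo.jpg");   /* wrong uid: not logged */
    do_syscall(NR_CLONE_DEMO, &app, "501");                   /* child 501 joins the list */
    do_syscall(NR_UNLINK_DEMO, &child, "/data/local/tmp/drop");
    remove_hooks();
    return log_count();
}

int main(void) {
    int n = demo_scenario();
    for (int i = 0; i < n; i++) puts(log_line(i));
    return 0;
}
```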
In the Android kernel, file paths are stored as shown in fig. 4. In the Linux kernel everything is a file: not only files in the traditional sense but also directories, block devices, sockets and so on are treated as files. The Android system inherits this: although their types differ, they all provide the same set of operation interfaces.
The design of the VFS is object-oriented, but since the C language has no object support, the Linux kernel uses a set of data structures to represent a generic file object. These structures resemble objects: by placing the operations on a structure's members inside the structure as function pointers, the functionality of a class can essentially be implemented.
There are four main object types in the VFS:
1) The superblock object, which represents a specific file system itself and stores the block size, operation functions and so on of that file system.
2) The inode object, which represents a specific file.
3) The dentry object (directory entry object), which represents a directory entry, i.e. one level of a directory, and is a component of a path.
4) The file object, which represents a file opened by a process.
The operations of each object are implemented as a pointer to an operations structure that holds the function pointers for that object. These four objects make up the VFS. Converting a file path requires the following steps:
1) Preprocessing: remove duplicate '/' characters from the file name, then check the depth of symbolic links so that symbolic link recursion cannot turn into an infinite loop.
2) Splitting the directory names: divide the file path at '/' into a layered structure.
3) Relative paths: '.' and '..' in the file path denote the current working directory and the parent directory respectively and must be handled.
4) Directory resolution: the Linux kernel calls the do_lookup function to resolve the path name; the result is returned through a structure, and the d_path() function can extract the file path from that structure.
5) File lookup: this part finally completes the lookup of the file itself.
6) Special case handling: handles the cases where the resolved directory does not exist or the looked-up file does not exist.
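Steps 1 to 3 above as an added C example (not the patent's code): normalize_path() removes duplicate '/', splits the components and folds '.' and '..'; resolve_path() expands symbolic links from a constructed table and enforces a hop limit of 40 (the Linux VFS's MAXSYMLINKS), so a link loop returns -ELOOP instead of recursing forever. Steps 4 to 6 need the kernel's dentry and inode objects and are not modelled; all paths and links are constructed.

```c
/* Added example (not the patent's code): steps 1 to 3 of the path conversion,
 * modelled in user space. normalize_path() collapses duplicate '/', splits the
 * path into components and folds "." and ".."; resolve_path() then expands
 * symbolic links from a constructed table with the same hop limit the Linux
 * VFS applies (MAXSYMLINKS, 40), so a link loop ends in -ELOOP. Paths and
 * links below are constructed sample values. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAXSYMLINKS_DEMO 40
#define PATH_MAX_DEMO 256
#define MAX_COMPONENTS 64

/* Steps 1-3. Writes an absolute canonical path; returns 0 or a negative errno.
 * ".." is folded lexically here; the kernel's real walk applies it only after
 * the preceding component has been looked up (and any link in it expanded). */
int normalize_path(const char *in, char *out, size_t outsz) {
    const char *comps[MAX_COMPONENTS]; size_t lens[MAX_COMPONENTS]; int n = 0;
    if (!in || in[0] != '/') return -EINVAL;   /* model expects absolute paths */
    for (const char *p = in; *p; ) {
        while (*p == '/') p++;                   /* step 1: drop repeated '/' */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;             /* step 3: "." */
        if (len == 2 && start[0] == '.' && start[1] == '.') {  /* step 3: ".." */
            if (n > 0) n--;                                    /* "/.." stays at "/" */
            continue;
        }
        if (n == MAX_COMPONENTS) return -ENAMETOOLONG;
        comps[n] = start; lens[n] = len; n++;                  /* step 2: layered components */
    }
    if (n == 0) { if (outsz < 2) return -ENAMETOOLONG; strcpy(out, "/"); return 0; }
    size_t used = 0;
    for (int i = 0; i < n; i++) {
        if (used + 1 + lens[i] + 1 > outsz) return -ENAMETOOLONG;
        out[used++] = '/';
        memcpy(out + used, comps[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 0;
}

struct symlink_demo { const char *path; const char *target; };
/* Constructed link table standing in for symlinks found on the device. */
static const struct symlink_demo links[] = {
    { "/data/app_link", "/data/local/tmp" },
    { "/loop/a", "/loop/b" },
    { "/loop/b", "/loop/a" },
};

/* Step 1's symlink depth check: expand the longest matching link prefix,
 * renormalize, and give up with -ELOOP after MAXSYMLINKS_DEMO hops. */
int resolve_path(const char *in, char *out, size_t outsz) {
    char cur[PATH_MAX_DEMO], next[PATH_MAX_DEMO];
    int rc = normalize_path(in, cur, sizeof cur);
    if (rc) return rc;
    for (int hops = 0; ; hops++) {
        int hit = -1; size_t best = 0;
        for (size_t i = 0; i < sizeof links / sizeof links[0]; i++) {
            size_t l = strlen(links[i].path);
            if (l > best && strncmp(cur, links[i].path, l) == 0 &&
                (cur[l] == '/' || cur[l] == '\0')) { hit = (int)i; best = l; }
        }
        if (hit < 0) break;                        /* no link left in the path */
        if (hops >= MAXSYMLINKS_DEMO) return -ELOOP;
        if (snprintf(next, sizeof next, "%s%s", links[hit].target, cur + best) >= (int)sizeof next)
            return -ENAMETOOLONG;
        rc = normalize_path(next, cur, sizeof cur);
        if (rc) return rc;
    }
    if (strlen(cur) + 1 > outsz) return -ENAMETOOLONG;
    strcpy(out, cur);
    return 0;
}

int main(void) {
    char buf[PATH_MAX_DEMO];
    const char *samples[] = { "/data//local/./tmp/../tmp/x", "/../etc/passwd",
                              "/data/app_link/log.txt", "/loop/a/x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = resolve_path(samples[i], buf, sizeof buf);
        printf("%-32s -> %s\n", samples[i], rc == 0 ? buf : strerror(-rc));
    }
    return 0;
}
```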
Note that when the log is recorded in the circular double-buffering mode, an app may perform multithreaded operations, so several threads may write into the same buffer at the same time; that would interleave the log and make it unreadable. A kernel lock must therefore be held while the log is read and written, which prevents this condition.
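The double-buffer scheme and the lock it needs, as an added user-space C model (not the patent's code): a 64-byte ring is split into two halves, each half is written to an in-memory stand-in for the log file when it fills, and a spin lock serialises writers so records never interleave. The buffer size and the records are constructed values.

```c
/* Added example (not the patent's code): a user-space model of the circular
 * double-buffered log described above, with the lock the text calls for. The
 * kernel device writes each finished half to the log file with a file
 * operation; here flush_half() appends to an in-memory "file" so the
 * behaviour can be checked. The 64-byte buffer is a constructed size chosen
 * to make the half-buffer flushes visible. */
#include <errno.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64
#define HALF (LOG_BUF_SIZE / 2)
#define SINK_SIZE 4096

static char ring[LOG_BUF_SIZE];      /* the in-kernel buffer */
static size_t cursor;                /* next write position in ring */
static atomic_flag ring_lock = ATOMIC_FLAG_INIT; /* stands in for the kernel spinlock */
static int flushes;                  /* how many times the "file" was written */
static char sink[SINK_SIZE];         /* stands in for the log file on disk */
static size_t sink_len;

static void lock_ring(void)   { while (atomic_flag_test_and_set(&ring_lock)) { } }
static void unlock_ring(void) { atomic_flag_clear(&ring_lock); }

/* One file write: in the kernel this is where the log file is opened and the
 * finished half is written out. */
static void flush_half(const char *start, size_t len) {
    if (sink_len + len > SINK_SIZE) len = SINK_SIZE - sink_len;   /* drop on overflow */
    memcpy(sink + sink_len, start, len);
    sink_len += len;
    flushes++;
}

/* Append one record. Bytes stream into the ring; when the cursor reaches the
 * middle the first half is written out while new bytes go to the second half,
 * and when it reaches the end the second half is written and the cursor wraps
 * to the start. The lock keeps records from different threads from interleaving. */
int log_append(const char *msg) {
    size_t len = strlen(msg);
    if (len > HALF) return -E2BIG;   /* a record larger than one half cannot be staged */
    lock_ring();
    for (size_t i = 0; i < len; i++) {
        ring[cursor++] = msg[i];
        if (cursor == HALF) {
            flush_half(ring, HALF);              /* first half full */
        } else if (cursor == LOG_BUF_SIZE) {
            flush_half(ring + HALF, HALF);       /* second half full */
            cursor = 0;                          /* back to the first half */
        }
    }
    unlock_ring();
    return 0;
}

/* S6: on shutdown, write whatever is still staged in the current half. */
void log_close(void) {
    lock_ring();
    if (cursor > 0 && cursor < HALF) flush_half(ring, cursor);
    else if (cursor > HALF)          flush_half(ring + HALF, cursor - HALF);
    cursor = 0;
    unlock_ring();
}

void log_reset(void) { lock_ring(); cursor = 0; flushes = 0; sink_len = 0; unlock_ring(); }
int log_flush_count(void)  { return flushes; }
size_t log_sink_len(void)  { return sink_len; }
const char *log_sink(void) { return sink; }

/* Constructed run: n ten-byte records ("open:/a/N\n"). Returns the number of
 * file writes performed, including the final partial flush from log_close(). */
int demo_fill(int n) {
    char rec[16];
    log_reset();
    for (int i = 0; i < n; i++) {
        snprintf(rec, sizeof rec, "open:/a/%d\n", i % 10);
        if (log_append(rec) != 0) return -1;
    }
    log_close();
    return log_flush_count();
}

int main(void) {
    int writes = demo_fill(10);
    printf("%d file writes for %zu bytes of log\n", writes, log_sink_len());
    fwrite(sink, 1, sink_len, stdout);
    return 0;
}
```

With ten 10-byte records and a 64-byte ring the model performs three half-buffer writes plus one final partial write, instead of ten separate file writes.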
2. File operation behavior monitoring module for a specified file path
The file operation behavior monitoring module for a specified file path is implemented on top of inotify, a Linux kernel feature that watches the file system, promptly delivers event notifications such as deletion, read, write and unmount to a dedicated application, and can also track details such as the source and target of the activity.
In summary, the present invention can monitor file operation behavior under a specified app or a specified file path from the kernel layer and output it in the form of a file, providing an important data source for subsequent analysis and extraction of app behavior features. Its advantages are:
1) It completely covers all sensitive file operations of the app and is a good data source for extracting the app's behavior characteristics.
2) Monitoring is performed at the kernel layer, so the monitoring cannot be perceived by the malicious app and existing anti-debugging techniques are bypassed.
3) The impact on device performance is slight: a reduction of less than 1 percent.

Claims (7)

1. A kernel-based file operation behavior monitoring method comprises the following steps:
S1, starting the monitoring device;
S2, specifying an application program to be monitored;
S3, specifying a file path to be monitored;
S4, operating the monitored application program and triggering the function of the application program;
S5, recording the file operation behavior of the monitored application program in the kernel, and generating a monitoring log;
S6, closing the monitoring device and outputting the log to a file;
the method is characterized in that:
the file path to be monitored refers to a system path or a user-defined path, and the monitoring result for the file path complements the monitoring result for the application program, so that the malicious behavior of software is monitored more comprehensively; the file operation behaviors include file opening operation, file closing operation, file reading and writing operation, IO (input/output) channel operation, file deleting operation, file renaming operation and file permission changing operation; the monitoring device uses a Linux driver to provide an interactive interface, and the monitored application program is uniquely specified by uid;
any file path in the system can be designated for monitoring based on inotify, the monitoring range comprising all subdirectories and subfiles under that file path; the monitoring method under the designated file path is as follows: the file operation behavior monitoring module monitors the file operations in the specified path, including file opening operation, file closing operation, file reading and writing operation, file deleting operation, file permission changing operation and file moving-in and moving-out operation.
2. The kernel-based file operation behavior monitoring method according to claim 1, wherein in S5, in the kernel layer, the combination of system call monitoring and system directory monitoring specifically includes:
S51, compiling corresponding monitoring functions according to different system call functions in the kernel layer;
S52, replacing the function address of the original system call function in the system call table with the address of the monitoring function;
S53, executing the monitoring function according to the judgment condition;
S54, returning to the original system call without influencing the normal operation of the system;
S55, monitoring the file operation behavior in the specified file path.
3. The kernel-based file operation behavior monitoring method according to claim 1, wherein in S6 the monitoring result is output as a file from within the kernel using a circular double-buffering scheme: logs are written into a memory buffer; when the logs fill half of the buffer, the log file is opened and the logs of the first half are written into the file while new logs are recorded into the second half of the buffer; when the second half is full, the log file is opened and the logs of the second half are written into the file while new logs are recorded into the first half.
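As an added illustration of the double-buffered logging of claim 3 (example code written here, not the patent's kernel implementation), the following user-space C model writes records into the active half of a buffer and flushes that half to the log file the first time a record would overflow it. HALF_SIZE and the synchronous flush are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* User-space model of the circular double buffer of claim 3 (added example, not the
 * patent's kernel code). HALF_SIZE is an assumed size, chosen small to show the switch. */
#define HALF_SIZE 64

struct dbuf_log {
    char buf[2 * HALF_SIZE]; /* two halves of one log area */
    size_t used;             /* bytes already written into the active half */
    int active;              /* 0 = first half, 1 = second half */
    FILE *out;               /* opened lazily on the first flush, as in the claim */
    const char *path;        /* log file path; zero-initialise the rest of the struct */
    unsigned flushes;        /* number of half-buffer flushes, for inspection */
};

/* Write the used part of the active half to the log file. In the kernel the other
 * half keeps receiving records meanwhile; in this model the flush is synchronous. */
static int dbuf_flush_active(struct dbuf_log *l) {
    if (l->used == 0) return 0;
    if (!l->out && !(l->out = fopen(l->path, "w"))) return -1;
    const char *half = l->buf + (size_t)l->active * HALF_SIZE;
    if (fwrite(half, 1, l->used, l->out) != l->used) return -1;
    fflush(l->out);
    l->flushes++;
    return 0;
}

/* Append one record: when it would overflow the active half, flush that half and
 * continue in the other one. Returns 0, or -1 if the record can never fit or I/O fails. */
static int dbuf_append(struct dbuf_log *l, const char *rec) {
    size_t len = strlen(rec);
    if (len > HALF_SIZE) return -1;
    if (l->used + len > HALF_SIZE) {
        if (dbuf_flush_active(l) < 0) return -1;
        l->active = 1 - l->active;
        l->used = 0;
    }
    memcpy(l->buf + (size_t)l->active * HALF_SIZE + l->used, rec, len);
    l->used += len;
    return 0;
}

/* Flush whatever remains and close the file: the "close the monitoring device" step. */
static int dbuf_close(struct dbuf_log *l) {
    int rc = dbuf_flush_active(l);
    if (l->out && fclose(l->out) != 0) rc = -1;
    l->out = NULL;
    return rc;
}
```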
4. A file operation behavior monitoring device based on an Android kernel, comprising:
an interactive interface, used by the user to specify the application program and the file path to be monitored;
a kernel monitoring unit, used to implement system call monitoring in the kernel layer;
a file path monitoring unit, used to monitor the file operation behavior of the specified file path, where the monitored objects include the sub-files and sub-folders of the specified file path;
a log output unit, used to output the log information to disk as a file from within the kernel layer;
the device is characterized in that:
the file path to be monitored is either a system path or a user-defined path, and the monitoring result for the system path and the monitoring result for the application program complement each other, so that malicious behavior of the software is monitored more comprehensively; the file operation behaviors include file open, file close, file read and write, IO channel, file delete, file rename and file permission change operations; the monitoring device uses a Linux driver to provide the interactive interface, and the monitored application program is uniquely specified by its uid;
any file path in the system can be specified for monitoring based on Inotify, and the monitoring range covers all subdirectories and sub-files under that path; monitoring under the specified file path works as follows: the file operation behavior monitoring module monitors the file operations on the specified path, including file open, file close, file read and write, file delete, file permission change, and file move-in and move-out operations.
5. The kernel-based file operation behavior monitoring apparatus according to claim 4, wherein
the interactive interface implements the interaction between the user layer and the kernel layer by means of a driver;
the kernel monitoring unit includes:
a system call table replacing module, used to replace a system call function with a monitoring function;
a file operation behavior monitoring module, used to record different monitoring information for different system calls;
a restoring module, used to remove the effect of the monitoring function on the execution of the original system call function, so that the original system call still executes normally;
the file path monitoring unit includes:
a file path traversing module, used to traverse the sub-files and sub-folders under the file path and to monitor them as required;
a file operation behavior monitoring module, which monitors the file operation behavior using the monitoring mechanism built into Linux;
and a log output module, used to output the monitoring log to disk for storage as a file.
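As an added example (not the patent's code) of the file path traversing module and Inotify-based monitoring module of claim 5, which also covers the path monitoring described in claims 1 and 4, the following user-space C code watches a directory tree recursively with inotify and counts the queued events. The watch mask, the root path and the use of a non-blocking descriptor are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* User-space illustration of the path-monitoring unit (added example, not the patent's
 * code): watch a root and every directory below it with inotify and count queued events. */
#define WATCH_MASK (IN_CREATE | IN_DELETE | IN_MODIFY | IN_ATTRIB | IN_MOVED_FROM | IN_MOVED_TO | IN_OPEN | IN_CLOSE)

/* Recursively add a watch on root and each subdirectory; returns the number of directories
 * watched, or -1 on error. lstat() keeps symbolic links from pulling in outside directories. */
static int watch_tree(int ifd, const char *root) {
    if (inotify_add_watch(ifd, root, WATCH_MASK) < 0) return -1;
    DIR *d = opendir(root);
    if (!d) return -1;
    int count = 1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char sub[PATH_MAX]; struct stat st;
        if (snprintf(sub, sizeof sub, "%s/%s", root, e->d_name) >= (int)sizeof sub) continue;
        if (lstat(sub, &st) < 0 || !S_ISDIR(st.st_mode)) continue;
        int n = watch_tree(ifd, sub);
        if (n < 0) { closedir(d); return -1; }
        count += n;
    }
    closedir(d);
    return count;
}

/* Drain a non-blocking inotify queue; returns how many events carry any bit of mask. */
static int count_events(int ifd, uint32_t mask) {
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int matched = 0;
    for (;;) {
        ssize_t n = read(ifd, buf, sizeof buf);
        if (n <= 0) break;                        /* EAGAIN: the queue is empty */
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if (ev->mask & mask) matched++;
            p += sizeof *ev + ev->len;
        }
    }
    return matched;
}
```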
6. The kernel-based file operation behavior monitoring apparatus according to claim 5, wherein the file operation behavior monitoring module comprises:
the file operation behavior monitoring module of the mobile application program is responsible for monitoring the file operation behavior of the specified application program;
and the file operation behavior monitoring module of the specified file path is responsible for monitoring the file operation behavior of the specified file path.
7. The kernel-based file operation behavior monitoring apparatus according to claim 6, wherein the file operation behavior monitoring module of the mobile application relies on three key techniques:
the Android module call table hijacking technique, responsible for inserting a monitoring function into the call path of the original file operation module;
the file path conversion technique, responsible for converting a file descriptor or a file path descriptor in the kernel into a concrete file path;
and double-buffered logging in the kernel.
Application CN201811066041.5A, priority date 2018-09-13, filing date 2018-09-13: Kernel-based file operation behavior monitoring method and device, status Active, granted as CN109388538B (en)

Publications (2)

Publication Number   Publication Date
CN109388538A (en)    2019-02-26
CN109388538B (en)    2020-12-08 (grant)

Family ID: 65418930


Country Status (1)

Country Link
CN (1) CN109388538B (en)


Legal Events

Code   Title
PB01   Publication
SE01   Entry into force of request for substantive examination
GR01   Patent grant