CN109409080B - Auditing method and device for HTTPS of browser - Google Patents


Publication number
CN109409080B
Authority
CN
China
Legal status
Active
Application number
CN201811170623.8A
Other languages
Chinese (zh)
Other versions
CN109409080A (en)
Inventor
林皓
高学伟
陶亚虎
罗云丰
Current Assignee
Mixin (Beijing) Digital Technology Co.,Ltd.
Original Assignee
Beijing Beixinyuan Information Security Technology Co ltd
Application filed by Beijing Beixinyuan Information Security Technology Co ltd
Priority to CN201811170623.8A
Publication of CN109409080A
Application granted
Publication of CN109409080B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems

Abstract

Embodiments of the invention provide a browser HTTPS auditing method and device. The method comprises: hooking the HTTPS send function; obtaining the HTTPS content based on the send function; and auditing the HTTPS content. Because the method and device hook only the HTTPS send function in order to obtain and audit the HTTPS content, the approach is narrowly targeted, easy to extend, and has a small impact range when an abnormality occurs. The audit runs at the application layer, which avoids the network blocking or even interruption caused by auditing at the driver layer and places no extra load on the network. In addition, the HTTPS content obtained by hooking the HTTPS send function is plaintext, so no complex decryption is needed, processing is fast, and system performance is not affected.

Description

Auditing method and device for HTTPS of browser
Technical Field
Embodiments of the invention relate to the technical field of big data security, and in particular to a browser HTTPS auditing method and device.
Background
As working online becomes increasingly common, the Internet has become an indispensable, convenient and efficient tool for work, life and study. At work, staff inevitably use a browser to solve some of their work problems. Browsers built on the Chrome kernel, such as Google Chrome, are popular with users because multiple programs run at the same time without affecting one another.
Alongside the convenience the Internet brings, it is common for staff to browse the Internet for purposes unrelated to work, which seriously affects normal working efficiency. It is also likely to lead to the leakage of important enterprise secrets and to serious network security problems. How to observe users' network behaviour and audit their Internet activity has therefore always been a major concern for enterprises.
At present, Internet-behaviour auditing, and HTTPS data auditing in particular, is implemented at the driver layer: network-layer data is screened and filtered and then passed to the application layer for analysis. Implementing HTTPS auditing in this way has many disadvantages:
(1) the HTTPS data obtained this way is encrypted, the decryption process is very complex, and decryption affects system performance;
(2) while auditing is in progress, the network of the whole system is blocked, which affects the normal use of other programs, and the network frequently becomes inaccessible. The method is also complex to implement and difficult to maintain.
Disclosure of Invention
Embodiments of the invention provide a browser HTTPS auditing method and device to solve the problems that existing auditing methods require complex decryption and can cause network blocking.
In a first aspect, an embodiment of the invention provides a browser HTTPS auditing method, comprising:
hooking the HTTPS send function;
obtaining HTTPS content based on the send function;
auditing the HTTPS content.
In a second aspect, an embodiment of the invention provides a browser HTTPS auditing apparatus, comprising:
a hooking unit, configured to hook the HTTPS send function;
an obtaining unit, configured to obtain HTTPS content based on the send function;
and an auditing unit, configured to audit the HTTPS content.
In a third aspect, an embodiment of the invention provides an electronic device comprising a processor, a communication interface, a memory and a bus, where the processor, the communication interface and the memory communicate with one another through the bus, and the processor can call logic instructions in the memory to perform the steps of the method provided in the first aspect.
In a fourth aspect, an embodiment of the invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the steps of the method provided in the first aspect.
The browser HTTPS auditing method and device provided by embodiments of the invention hook the HTTPS send function in order to obtain and audit the HTTPS content. The approach is narrowly targeted, easy to extend, and has a small impact range when an abnormality occurs. The audit runs at the application layer, which avoids the network blocking or even interruption caused by auditing at the driver layer and places no extra load on the network. In addition, the HTTPS content obtained by hooking the HTTPS send function is plaintext, so no complex decryption is needed, processing is fast, and system performance is not affected.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a browser HTTPS auditing method according to an embodiment of the present invention;
Fig. 2 is a schematic flowchart of an SSL_write function hooking method according to an embodiment of the present invention;
Fig. 3 is a schematic flowchart of a DoPayloadWrite function hooking method according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a browser HTTPS auditing apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a browser HTTPS auditing apparatus according to another embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Existing methods of auditing HTTPS in Chrome-kernel browsers require decryption, which heavily affects system performance, and block the system's network because the audit is implemented at the driver layer. To address these problems, an embodiment of the invention provides a browser HTTPS auditing method that audits HTTPS without going through the driver layer and without decrypting the HTTPS traffic. Fig. 1 is a schematic flowchart of the browser HTTPS auditing method provided by an embodiment of the invention. As shown in Fig. 1, the method includes:
110. Hook the HTTPS send function.
Here, the HTTPS send function is the function that implements HTTPS sending in a Chrome-kernel browser, and hooking it means intercepting the messages in the HTTPS send function with a hook function. Hooks are part of the Windows message-processing mechanism: a hook is a callback function that processes or filters events, and by setting hooks an application can filter all messages and events at the system level and access messages that are not normally accessible. In essence, a hook is a piece of code that handles system messages and is installed into the system through a system call. Hooking the HTTPS send function captures the execution of the send function.
120. Obtain the HTTPS content based on the send function.
Specifically, after the HTTPS send function has been hooked, the HTTPS content is obtained from it. The HTTPS content is the content that the browser HTTPS audit needs to examine. For example, the HTTPS content can be obtained by directly analyzing the buffer parameter of the send function; by locating the register that holds the HTTPS content in the send function and extracting the content from it; or after a stack-restoring operation performed by adding assembly instructions to the processing function.
130. Audit the HTTPS content.
Specifically, once the HTTPS content has been obtained, it is audited. The audit of the HTTPS content takes place at the application layer of the system.
The method provided by this embodiment hooks the HTTPS send function in order to obtain and audit the HTTPS content. The approach is narrowly targeted, easy to extend, and has a small impact range when an abnormality occurs. The audit runs at the application layer, which avoids the network blocking or even interruption caused by auditing at the driver layer and places no extra load on the network. In addition, the HTTPS content obtained by hooking the HTTPS send function is plaintext, so no complex decryption is needed, processing is fast, and system performance is not affected.
Based on the above embodiment, the send function includes the SSL_write function and/or the DoPayloadWrite function in chrome.dll. The SSL_write function is called in the DoPayloadWrite function.
Specifically, browsers on the current kernel usually implement HTTPS with the BoringSSL open-source library, and BoringSSL is compiled into chrome.dll. In the BoringSSL library, the HTTPS send function is SSL_write, which is called in the DoPayloadWrite function. The prototypes of the SSL_write and DoPayloadWrite functions are as follows:
OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
int DoPayloadWrite();
It should be noted that DoPayloadWrite is a member function of the SSLClientSocketOpenSSL class.
As can be seen from the above, in the chrome.
Based on any of the above embodiments, step 110 specifically includes:
111. If it is determined that the SSL_write function is not compiled inline, hook the SSL_write function.
112. Otherwise, hook the DoPayloadWrite function.
Specifically, where the HTTPS send function may be either SSL_write or DoPayloadWrite, hooking SSL_write is preferred. The condition for preferring SSL_write is that it is not compiled inline: if SSL_write is not compiled inline, it is hooked as the send function and the HTTPS content is obtained from it in the subsequent step; if SSL_write is compiled inline, DoPayloadWrite is taken as the send function and the HTTPS content is obtained from it in the subsequent step.
Based on any of the above embodiments, step 111 specifically includes: if it is determined that the SSL_write function is not compiled inline, disassembling the CHROME.DLL file, obtaining from the data section a path string that identifies a file path, and obtaining from the text section an error-code push instruction; and, if a function is found that contains both the path string and the error-code push instruction, determining that this function is SSL_write and hooking it.
Specifically, it is first determined whether SSL_write is compiled inline. If it is not, the SSL_write function is located and, once located, hooked. The method of locating the SSL_write function is as follows:
when disassembling a CHROME. After the path character string and the error code push instruction are respectively obtained, the condition that the path character string and the error code push instruction exist in the same function at the same time is searched in a CHROME.
Based on any of the above embodiments, Fig. 2 is a schematic flowchart of the SSL_write function hooking method provided by an embodiment of the invention. As shown in Fig. 2, step 111 further includes the following steps:
201. If the SSL_write function is not compiled inline, then when the CHROME.DLL file is disassembled, search the data section for the string that identifies a file path, namely the path string ssl_lib; if the search succeeds, the path string ssl_lib is obtained and step 202 is executed; otherwise, jump to step 207.
202. Search the text section, up to its end, for the push instruction carrying the specified error code, namely a MOV instruction with the specified error code, where the error code is 0C2h or 0CCh; if the search succeeds, the error-code push instruction MOV is obtained and step 203 is executed; otherwise, jump to step 207.
203. Search within 200 bytes for an assembly instruction that includes both the path string ssl_lib and the error-code push instruction MOV; if the search succeeds, execute step 204; otherwise, jump to step 207.
204. Starting from the assembly instruction found in step 203, locate the start address of the SSL_write function within 200 bytes backwards; if the search succeeds, execute step 205; otherwise, jump to step 202.
205. Search forward for the calling-convention identifier, which is determined from the analysis result; when the search is complete, execute step 206.
206. Hook the function address; when complete, execute step 207.
207. End.
This embodiment of the invention provides a method for locating and hooking the SSL_write function, which locates SSL_write quickly and makes it possible to extract the HTTPS content from it.
Based on any of the above embodiments, step 112 specifically includes: if it is determined that the SSL_write function is compiled inline, disassembling the CHROME.DLL file and obtaining an error-code push instruction and a parameter push instruction from the text section; and, if a function is found that contains both the error-code push instruction and the parameter push instruction, determining that this function is DoPayloadWrite and hooking it.
Specifically, it is first determined whether SSL_write is compiled inline. If it is, the DoPayloadWrite function is located and, once located, hooked. The method of locating the DoPayloadWrite function is as follows:
When disassembling the CHROME.DLL file, the error-code push instruction and the parameter push instruction are looked up in the text section. Here, the parameter push instruction comprises the three push instructions used to call the SSL_write function, which are determined from the disassembly result. After the path string and the error-code push instruction have each been obtained, CHROME.DLL is searched for a function in which the path string and the error-code push instruction are both present.
Based on any of the above embodiments, Fig. 3 is a schematic flowchart of the DoPayloadWrite function hooking method provided by an embodiment of the invention. As shown in Fig. 3, step 112 further includes the following steps:
301. If the SSL_write function is compiled inline, when disassembling the check. If the search succeeds, the error-code push instruction MOV is obtained and step 302 is executed; otherwise, jump to step 305.
302. Once the assembly instruction of the error-code push instruction MOV has been found, search backwards within 200 bytes for the push instruction of the parameters used to call the SSL_write function, namely the parameter push instruction; if the search succeeds, execute step 303; otherwise, jump to step 301.
303. Starting from the parameter push instruction found in step 302, locate the start address of the DoPayloadWrite function within 200 bytes backwards; if the search succeeds, execute step 304; otherwise, jump to step 301.
304. Hook the function address; when complete, execute step 305.
305. End.
This embodiment of the invention provides a method for locating and hooking the DoPayloadWrite function, which locates DoPayloadWrite quickly and makes it possible to extract the HTTPS content from it.
Based on any of the above embodiments, step 120 specifically includes:
if the hooked send function is SSL_write, analyzing the buffer parameter of SSL_write to obtain the HTTPS content; if the hooked send function is DoPayloadWrite, determining, based on the parameter push instruction, the offset of the register that holds the HTTPS content in DoPayloadWrite, determining the location of the register from the offset, and extracting the HTTPS content from the register.
Specifically, depending on whether SSL_write or DoPayloadWrite is hooked as the send function, a different method is used to obtain the HTTPS content:
if the hooked send function is SSL_write, the buffer parameter is processed directly in the function to obtain the HTTPS content; if the hooked send function is DoPayloadWrite, the parameter push instruction used to call SSL_write is obtained by disassembly, the offset of the register that holds the HTTPS content is determined, and the location of the register is then determined in the processing function from that offset, so that the HTTPS content can be taken from the register.
Here, the processing function is the function that handles the hooked send function. Because of the compiler used when chrome.dll is released, chrome.dll may use registers differently in different release versions. How the send function is handled therefore has to be analyzed case by case, and the embodiments of the invention place no particular limit on it. For example, a function that follows the stdcall calling convention can be handled directly; for a function that follows the fastcall convention, assembly instructions are added to the processing function to restore the stack; a function that follows the thiscall calling convention can be handled through a member function of a hook class; in other cases, a suitable calling convention is chosen according to the order in which the parameters are pushed, and, if necessary, assembly instructions can be added to the processing function to balance the stack.
Based on any of the above embodiments, step 130 specifically includes: sending the HTTPS content to an HTTPS auditing system for auditing; if the audit passes, returning to the step of hooking the HTTPS send function; otherwise, stopping the hooking of the send function.
Specifically, the HTTPS auditing system is a system for auditing HTTPS content. To audit the HTTPS content, it is sent to the HTTPS auditing system, which audits it and returns an audit result. If the result is a pass, the method returns to step 110 and continues to hook the HTTPS send function, obtaining and auditing new HTTPS content; if the result is a failure, hooking of the send function is stopped, for example by modifying the return value of the processing function so that the original send function can no longer be hooked.
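As an added example (not code from the patent), the following C program shows the audit stage of steps 120 and 130 for the SSL_write case: a length-bounded parser for the plaintext buffer and a processing function that forwards or refuses the write. The function names, the deny-list policy, the stub send function and the sample request are assumptions made for illustration, as is reading "modifying the return value" as returning an error without calling the original function; no hooking is performed.

```c
/* Added example: audit stage for a plaintext buffer shaped like the one given to
 * SSL_write(ssl, buf, num). Nothing is hooked; names, policy and data are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*send_fn)(void *ssl, const void *buf, int num);
typedef struct { char method[16], path[256], host[256]; } audit_record;
enum { PARSE_OK, PARSE_NOT_HTTP1, PARSE_INCOMPLETE };

/* Does s[0..n) start with the lowercase literal lit, ignoring case? */
static int starts_with_ci(const char *s, size_t n, const char *lit) {
    size_t l = strlen(lit);
    if (n < l) return 0;
    for (size_t i = 0; i < l; i++)
        if (tolower((unsigned char)s[i]) != lit[i]) return 0;
    return 1;
}
static const char *find_crlf(const char *p, const char *end) {
    for (; p + 1 < end; p++)
        if (p[0] == '\r' && p[1] == '\n') return p;
    return NULL;
}
/* Copy at most cap-1 bytes into dst as a C string (long fields are truncated). */
static void copy_field(char *dst, size_t cap, const char *s, size_t n) {
    if (n >= cap) n = cap - 1;
    memcpy(dst, s, n);
    dst[n] = '\0';
}

/* Parse an HTTP/1.x request head from buf[0..num). The buffer is never treated
 * as NUL-terminated: every read is bounded by num. */
int parse_request_head(const void *buf, int num, audit_record *out) {
    if (buf == NULL || num <= 0) return PARSE_NOT_HTTP1;
    const char *p = buf, *end = p + num;
    const char *eol = find_crlf(p, end);
    if (eol == NULL) return PARSE_NOT_HTTP1;
    const char *sp1 = memchr(p, ' ', (size_t)(eol - p));
    const char *sp2 = sp1 ? memchr(sp1 + 1, ' ', (size_t)(eol - sp1 - 1)) : NULL;
    if (sp2 == NULL) return PARSE_NOT_HTTP1;
    /* The HTTP/2 preface ("PRI * HTTP/2.0") and binary frames stop here. */
    if (!starts_with_ci(sp2 + 1, (size_t)(eol - sp2 - 1), "http/1.")) return PARSE_NOT_HTTP1;
    copy_field(out->method, sizeof out->method, p, (size_t)(sp1 - p));
    copy_field(out->path, sizeof out->path, sp1 + 1, (size_t)(sp2 - sp1 - 1));
    out->host[0] = '\0';
    for (p = eol + 2;; p = eol + 2) {
        eol = find_crlf(p, end);
        if (eol == NULL) return PARSE_INCOMPLETE; /* head continues in a later write */
        if (eol == p) return PARSE_OK;            /* blank line ends the head */
        if (starts_with_ci(p, (size_t)(eol - p), "host:")) {
            const char *v = p + 5;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            copy_field(out->host, sizeof out->host, v, (size_t)(eol - v));
        }
    }
}

/* Hypothetical policy: deny uploads (POST/PUT) to a listed host. */
static const char *const DENY_UPLOAD_HOSTS[] = { "files.example.net" };
int audit_allows(const audit_record *r) {
    if (strcmp(r->method, "POST") != 0 && strcmp(r->method, "PUT") != 0) return 1;
    size_t n = strcspn(r->host, ":"); /* ignore an optional :port */
    for (size_t i = 0; i < sizeof DENY_UPLOAD_HOSTS / sizeof *DENY_UPLOAD_HOSTS; i++)
        if (n == strlen(DENY_UPLOAD_HOSTS[i]) && starts_with_ci(r->host, n, DENY_UPLOAD_HOSTS[i]))
            return 0;
    return 1;
}

/* Writes forwarded without a verdict (HTTP/2, partial heads): this parser's blind spot. */
int unaudited_writes = 0;

/* Processing function: forward to the original send function when the audit
 * passes; return an error without calling it when the audit fails. */
int audited_send(send_fn original, void *ssl, const void *buf, int num) {
    audit_record r;
    if (parse_request_head(buf, num, &r) != PARSE_OK) {
        unaudited_writes++;
        return original(ssl, buf, num);
    }
    if (!audit_allows(&r)) return -1; /* blocked: nothing is sent */
    return original(ssl, buf, num);
}

/* Stand-in for the real send function; it only counts calls. */
int stub_calls = 0;
int stub_send(void *ssl, const void *buf, int num) {
    (void)ssl; (void)buf;
    stub_calls++;
    return num;
}

int main(void) {
    /* Constructed sample request, not captured traffic. */
    static const char post[] = "POST /up HTTP/1.1\r\nHost: files.example.net\r\n\r\nx";
    int rc = audited_send(stub_send, NULL, post, (int)sizeof post - 1);
    printf("verdict=%d forwarded=%d\n", rc, stub_calls);
    return 0;
}
```

Forwarding unparsed writes keeps browsing working, but a request head split across two writes or carried in binary HTTP/2 frames passes without a verdict, which is why the example counts those writes.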
Based on any of the above embodiments, Fig. 4 is a schematic structural diagram of a browser HTTPS auditing device provided by an embodiment of the invention. As shown in Fig. 4, the device includes a kernel-based browser, an HTTPS auditing system and an operating system (OS), and HTTPS is implemented in the browser through the BoringSSL open-source library. In the BoringSSL library, the HTTPS send function is SSL_write, which is called in the DoPayloadWrite function.
The OS exchanges data with the browser over TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). The SSL_write or DoPayloadWrite function is hooked with hook technology, the data is analyzed, and the HTTPS content obtained from the analysis is sent to the HTTPS auditing system to be audited.
Fig. 5 is a schematic structural diagram of a browser HTTPS auditing apparatus according to another embodiment of the present invention, as shown in fig. 5, the browser HTTPS auditing apparatus includes a hooking unit 501, an obtaining unit 502, and an auditing unit 503;
the hooking unit 501 is configured to hook a sending function of the HTTPS;
an obtaining unit 502, configured to obtain HTTPS content based on a sending function;
and an auditing unit 503, configured to audit the HTTPS content.
The device provided by this embodiment hooks the HTTPS send function in order to obtain and audit the HTTPS content. The approach is narrowly targeted, easy to extend, and has a small impact range when an abnormality occurs. The audit runs at the application layer, which avoids the network blocking or even interruption caused by auditing at the driver layer and places no extra load on the network. In addition, the HTTPS content obtained by hooking the HTTPS send function is plaintext, so no complex decryption is needed, processing is fast, and system performance is not affected.
The send function includes the SSL_write function and/or the DoPayloadWrite function in chrome.dll. The SSL_write function is called in the DoPayloadWrite function.
According to any of the above embodiments, the hooking unit 501 includes a first hooking subunit and a second hooking subunit;
the first hooking subunit is configured to hook the SSL_write function if it is determined that the SSL_write function is not compiled inline;
and the second hooking subunit is configured to hook the DoPayloadWrite function otherwise.
Based on any of the above embodiments, the first hooking subunit is specifically configured to: if it is determined that the SSL_write function is not compiled inline, disassemble the CHROME.DLL file, obtain from the data section a path string that identifies a file path, and obtain from the text section an error-code push instruction; and, if a function is found that contains both the path string and the error-code push instruction, determine that this function is SSL_write and hook it.
Based on any of the above embodiments, the second hooking subunit is specifically configured to: if it is determined that the SSL_write function is compiled inline, disassemble the CHROME.DLL file and obtain an error-code push instruction and a parameter push instruction from the text section; and, if a function is found that contains both the error-code push instruction and the parameter push instruction, determine that this function is DoPayloadWrite and hook it.
Based on any of the above embodiments, the obtaining unit 502 includes a first obtaining subunit and a second obtaining subunit;
the first obtaining subunit is configured to, if the hooked send function is SSL_write, analyze the buffer parameter of SSL_write to obtain the HTTPS content;
the second obtaining subunit is configured to, if the hooked send function is DoPayloadWrite, determine, based on the parameter push instruction, the offset of the register that holds the HTTPS content in DoPayloadWrite, determine the location of the register from the offset, and extract the HTTPS content from the register.
Based on any of the above embodiments, the auditing unit 503 is specifically configured to: send the HTTPS content to an HTTPS auditing system for auditing; if the audit passes, return to the step of hooking the HTTPS send function; otherwise, stop hooking the send function.
Fig. 6 is a schematic diagram of the physical structure of an electronic device according to an embodiment of the present invention. As shown in Fig. 6, the electronic device may include a processor 601, a communication interface 602, a memory 603 and a communication bus 604, where the processor 601, the communication interface 602 and the memory 603 communicate with one another through the communication bus 604. The processor 601 may call a computer program stored in the memory 603 and executable on the processor 601 to perform the browser HTTPS auditing method provided by the above embodiments, for example: hooking the HTTPS send function; obtaining HTTPS content based on the send function; and auditing the HTTPS content.
In addition, the logic instructions in the memory 603 may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present invention may be essentially implemented or make a contribution to the prior art, or may be implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
An embodiment of the invention further provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program performs the browser HTTPS auditing method provided in each of the above embodiments, for example: hooking the HTTPS send function; obtaining HTTPS content based on the send function; and auditing the HTTPS content.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A browser HTTPS auditing method, applied to an application layer, comprising the following steps:
hooking a sending function of the HTTPS;
acquiring HTTPS content based on the sending function, wherein the HTTPS content is a plaintext;
auditing the HTTPS content;
the sending function comprises an SSL_Write function and/or a DoPayloadWrite function in a chrome.
The SSL_Write function is called in the DoPayloadWrite function;
the hooking of the HTTPS sending function specifically includes:
if it is determined that the SSL_Write function is not compiled inline, hooking the SSL_Write function;
otherwise, hooking the DoPayloadWrite function;
the browser is a browser with a kernel of chrome, and the SSL_Write function and the DoPayloadWrite function are used for buffering HTTPS content to be sent, encrypting the HTTPS content to be sent to obtain an encrypted data packet, and sending the encrypted data packet.
2. The method of claim 1, wherein, if it is determined that the SSL_Write function is not compiled inline, hooking the SSL_Write function comprises:
if it is determined that the SSL_Write function is not compiled inline, disassembling the CHROME.DLL file, acquiring a path character string for identifying a file path from a data section, and acquiring an error code push instruction from a text section;
and if any function is found to comprise the path character string and the error code push instruction, determining that the function is the SSL_Write function, and hooking the SSL_Write function.
3. The method of claim 1, wherein otherwise hooking the DoPayloadWrite function comprises:
if it is determined that the SSL_Write function is compiled inline, disassembling the CHROME.DLL file, and acquiring an error code push instruction and a parameter push instruction from a text section;
if any function is found to include the error code push instruction and the parameter push instruction, determining that the function is the DoPayloadWrite function, and hooking the DoPayloadWrite function.
4. The method according to claim 1, wherein the obtaining HTTPS content based on the send function specifically comprises:
if the hooked sending function is the SSL_Write function, analyzing a buffer parameter in the SSL_Write function to acquire the HTTPS content, wherein the buffer parameter is a pointer of a plaintext data buffer area to be sent in the SSL_Write function;
if the hooked sending function is the DoPayloadWrite function, determining the offset of a register containing the HTTPS content in the DoPayloadWrite function based on a parameter push instruction;
determining a location of the register based on the offset, the HTTPS content being extracted from the register.
5. The method according to claim 1, wherein the auditing the HTTPS content specifically comprises:
sending the HTTPS content to an HTTPS auditing system for auditing;
if the audit is passed, returning to execute a sending function for hooking the HTTPS;
otherwise, the hooking of the sending function is stopped.
6. A browser HTTPS auditing device, applied to an application layer, comprising:
a hooking unit, configured to hook a sending function of the HTTPS;
an obtaining unit, configured to obtain, based on the sending function, an HTTPS content, where the HTTPS content is a plaintext;
an auditing unit, configured to audit the HTTPS content;
the sending function comprises an SSL_Write function and/or a DoPayloadWrite function in a chrome.
The SSL_Write function is called in the DoPayloadWrite function;
the hooking unit is specifically configured to: if it is determined that the SSL_Write function is not compiled inline, hook the SSL_Write function; otherwise, hook the DoPayloadWrite function;
the browser is a browser with a kernel of chrome, and the SSL_Write function and the DoPayloadWrite function are used for buffering HTTPS content to be sent, encrypting the HTTPS content to be sent to obtain an encrypted data packet, and sending the encrypted data packet.
7. An electronic device, comprising a processor, a communication interface, a memory and a bus, wherein the processor, the communication interface and the memory communicate with each other via the bus, and the processor can call logic instructions in the memory to execute the method according to any one of claims 1 to 5.
8. A non-transitory computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1 to 5.
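
As an added illustration of the audit side of claims 4 and 5 (not code from the patent or from any product of the assignee): a check run on the plaintext pointer and length that an SSL_write call receives, returning a verdict for the audit step. The function names, the verdict enum and the allow-list policy are assumptions made for this example; the hook itself is out of scope.

```c
#include <stddef.h>
#include <string.h>

/* PASS: let the send proceed. BLOCK: stop it. UNPARSED: not a full HTTP/1.x head. */
enum verdict { AUDIT_PASS, AUDIT_BLOCK, AUDIT_UNPARSED };

/* Bounded search: the send buffer is not NUL-terminated. */
static const char *find(const char *p, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; m <= n && i <= n - m; i++)
        if (memcmp(p + i, needle, m) == 0) return p + i;
    return NULL;
}

/* Copy the Host value out of the request head; 0 if absent or too long.
   Assumption: only the canonical "Host: " spelling is matched. */
static int host_of(const char *p, size_t n, char *host, size_t cap) {
    const char *h = find(p, n, "\r\nHost: ");
    if (!h) return 0;
    h += 8;
    size_t left = n - (size_t)(h - p), len = 0;
    while (len < left && h[len] != '\r') len++;
    if (len == 0 || len >= cap) return 0;
    memcpy(host, h, len);
    host[len] = '\0';
    return 1;
}

/* buf/num mirror the plaintext pointer and length passed to SSL_write().
   Hypothetical policy: POST requests may only go to allow-listed hosts. */
enum verdict audit_send_buffer(const void *buf, int num,
                               const char *const *allowed, size_t n_allowed) {
    const char *p = buf;
    char host[256];
    if (!p || num <= 0) return AUDIT_UNPARSED;
    size_t n = (size_t)num;
    const char *eol = find(p, n, "\r\n");
    if (!eol || eol - p < 9 || memcmp(eol - 9, " HTTP/1.", 8) != 0)
        return AUDIT_UNPARSED;              /* e.g. binary HTTP/2 frames */
    const char *end = find(p, n, "\r\n\r\n");
    if (!end) return AUDIT_UNPARSED;        /* head split across writes */
    if (!host_of(p, (size_t)(end - p) + 2, host, sizeof host))
        return AUDIT_BLOCK;                 /* no usable Host: fail closed */
    if (memcmp(p, "POST ", 5) != 0) return AUDIT_PASS;
    for (size_t i = 0; i < n_allowed; i++)
        if (strcmp(host, allowed[i]) == 0) return AUDIT_PASS;
    return AUDIT_BLOCK;
}
```

The UNPARSED verdict is kept separate from PASS because Chrome negotiates HTTP/2 with servers that support it, in which case the plaintext at this boundary is binary frames rather than a text request.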

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811170623.8A CN109409080B (en) 2018-10-09 2018-10-09 Auditing method and device for HTTPS of browser

Publications (2)

Publication Number Publication Date
CN109409080A CN109409080A (en) 2019-03-01
CN109409080B true CN109409080B (en) 2021-03-19

Family

ID=65466104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811170623.8A Active CN109409080B (en) 2018-10-09 2018-10-09 Auditing method and device for HTTPS of browser

Country Status (1)

Country Link
CN (1) CN109409080B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110855747A (en) * 2019-10-14 2020-02-28 上海辰锐信息科技公司 Method for collecting behavior audit data of user access application
CN117290840B (en) * 2023-09-07 2024-03-15 北京海泰方圆科技股份有限公司 Browser auditing method, device, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102663318A (en) * 2012-03-22 2012-09-12 百度在线网络技术(北京)有限公司 Browser and client
CN107209831A (en) * 2014-11-13 2017-09-26 克丽夫有限公司 System and method for recognizing network attack

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102375946B (en) * 2010-08-19 2015-06-03 腾讯科技(深圳)有限公司 Method and device for detecting webpage trojan
CN104123120B (en) * 2013-04-23 2016-03-16 腾讯科技(深圳)有限公司 A kind of browser page data filtering method, device and system
CN104992112B (en) * 2015-05-19 2017-10-13 上海理工大学 The method and apparatus for detecting Android system sensitive information leakage

Also Published As

Publication number Publication date
CN109409080A (en) 2019-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 100195 Room 301, floor 3, building 103, No. 3, minzhuang Road, Haidian District, Beijing

Patentee after: Mixin (Beijing) Digital Technology Co.,Ltd.

Address before: 100093 301, 3rd floor, building 103, 3 minzhuang Road, Haidian District, Beijing

Patentee before: BEIJING BEIXINYUAN INFORMATION SECURITY TECHNOLOGY CO.,LTD.