CN110404267A - Game plug-in (cheat) detection method based on HTTP traffic HOST field features - Google Patents


Publication number
CN110404267A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN201910765984.5A
Other languages
Chinese (zh)
Inventor
刘德建
任佳伟
陈宏展
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fujian Tianqing Online Interactive Technology Co Ltd
Original Assignee
Fujian Tianqing Online Interactive Technology Co Ltd
Application filed by Fujian Tianqing Online Interactive Technology Co Ltd
Priority to CN201910765984.5A
Publication of CN110404267A
Current legal status: Withdrawn


Classifications

    • A: HUMAN NECESSITIES
    • A63: SPORTS; GAMES; AMUSEMENTS
    • A63F: CARD, BOARD, OR ROULETTE GAMES; INDOOR GAMES USING SMALL MOVING PLAYING BODIES; VIDEO GAMES; GAMES NOT OTHERWISE PROVIDED FOR
    • A63F13/00: Video games, i.e. games using an electronically generated display having two or more dimensions
    • A63F13/70: Game security or game management aspects
    • A63F13/75: Enforcing rules, e.g. detecting foul play or generating lists of cheating players
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection


Abstract

The present invention provides a game plug-in (cheat) detection method based on HTTP traffic HOST field features. The method comprises the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer; step S2, a HOST blacklist is established, which stores the HOST domain name strings contained in the HTTP packets sent by plug-ins; step S3, the network filter driver captures all TCP data packets at the data stream layer and compares the HOST domain name parameter parsed from each TCP request against the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a plug-in; step S4, the process ID and process path of the plug-in process are obtained from the context data stream that passes from the Windows data flow establishment layer to the data stream layer, and this information is written to the plug-in detection log file. The invention can efficiently detect the use of plug-ins with known HTTP traffic features and collect plug-in information.

Description

Game plug-in (cheat) detection method based on HTTP traffic HOST field features
Technical field
The present invention relates to the technical fields of computer system communication, software security and game plug-in detection, in particular to a means of game plug-in detection and plug-in information collection based on HTTP traffic HOST field features, and more particularly to a game plug-in detection method based on HTTP traffic HOST field features.
Background
Existing plug-in behaviour monitoring modules usually use detection methods based on process memory scanning, for example scanning a process's memory space to determine whether it contains plug-in signature codes. No plug-in detection scheme based on HTTP traffic HOST field features has been publicly disclosed so far.
The existing game plug-in monitoring schemes described above can be bypassed by plug-ins that use methods such as process hiding and memory polymorphism. The scheme described in this patent can monitor the use of such plug-ins. In addition, it is accurate and efficient when applied to detecting plug-ins that exhibit HTTP traffic HOST field features.
Explanation of technical terms:
The WFP filtering framework provided by Microsoft defines many layers in the network packet transmission path, for example the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the data flow establishment layer), the FWPM_LAYER_STREAM_V4 layer (the data stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram data layer). Because the system encapsulates packets according to different network protocols at the lower levels, the data captured at each layer differs. In this scheme, the FWPM_LAYER_STREAM_V4 layer (data stream layer) can capture all TCP data packets, without the IP portion. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (data flow establishment layer) can capture the authorized connection requests sent by a process; at this layer the sending/receiving process information, the sending/receiving IP information and the sending/receiving port information of a data packet can be obtained.
WFP (Windows Filtering Platform) is a Windows filtering platform used to filter network data packets.
The base filtering engine (BFE) is a user-mode service included with the Windows operating system that coordinates the WFP components. The main tasks the BFE performs are adding filters to and removing filters from the system, storing filter configuration, and enforcing WFP configuration security. Applications communicate with the BFE through WFP management functions such as FwpmEngineOpen.
The HOST field in an HTTP data packet identifies the domain name of the server.
Summary of the invention
To overcome the above problems, the object of the present invention is to provide a game plug-in detection method based on HTTP traffic HOST field features. It is a covert means of monitoring plug-in behaviour that can efficiently detect the use of plug-ins with known HTTP traffic features and collect plug-in information.
The present invention is realized by the following scheme: a game plug-in detection method based on HTTP traffic HOST field features, the method comprising the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a HOST blacklist is established; the HOST blacklist stores the HOST domain name strings contained in the HTTP packets sent by plug-ins;
Step S3, the network filter driver captures all TCP data packets at the data stream layer and compares the HOST domain name parameter parsed from each TCP request against the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a plug-in;
Step S4, the process ID and process path of the plug-in process are obtained from the context data stream that passes from the Windows data flow establishment layer to the data stream layer, and this information is written to the plug-in detection log file.
Further, step S2 is specifically: when the network filter driver is created, the HOST domain names that the plug-in accesses during its network interaction are written into the file of the network filter driver; the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the HOST blacklist, and during initialization it inserts all HOST domain names written in the file into the HOST blacklist.
Further, between step S2 and step S3 the method also includes: step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the base filtering engine (BFE), which is used as a parameter in subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback functions that monitor data at the data stream layer and the data flow establishment layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the previously registered callback functions;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create sublayers at the data stream layer and the data flow establishment layer for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create filters at the data stream layer and the data flow establishment layer through the BFE, and associates the callback functions with the sublayers. After the association is complete, when a sublayer captures a network data packet the system calls that sublayer's callback function to process the packet. The callback function of the data stream layer processes TCP data packets; the callback function of the data flow establishment layer extracts the sending/receiving process ID and process path of the data packet;
Step S26, when the callback function of the data flow establishment layer is called by the system, it first parses out the process path and process ID for the network data packet, saves this information into a context data stream, and then uses the FwpsFlowAssociateContext function to associate the context data stream with the data stream layer; the filter can thereby pass the context data stream across layers to the data stream layer.
Further, step S3 is specifically: step S31, when the callback function of the data stream layer is called, it checks whether the remote port of the data packet is 80; if so, the packet is an HTTP-protocol TCP data packet and processing proceeds to step S32; otherwise the callback function finishes;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP-protocol TCP data packet. It then traverses the HOST blacklist and compares the HOST field string with each blacklist item; if a blacklist item is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a plug-in.
Further, step S4 is specifically: when the context data stream arrives at the data stream layer from the Windows data flow establishment layer, the callback function of the data flow establishment layer extracts the process path and process ID from the context data stream, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the plug-in detection log file.
Further, the callback function parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP-protocol TCP data packet through the following steps:
Step 1, use a string matching algorithm to search the HTTP-protocol TCP data packet for the string "Host:". If it is not present, the process ends. If it is present, record the memory address at which "Host:" first occurs, and set Start to the address of the byte following it;
Step 2, using byte-by-byte comparison, with Start as the starting point and the penultimate byte of the HTTP-protocol TCP data packet as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' respectively. If it is not found, exit the HOST extraction process; otherwise set End to the byte preceding the memory address found;
Step 3, the data stored in memory from Start to End is the content of the HOST field of the HTTP-protocol TCP data packet.
The beneficial effects of the present invention are: 1. By using a behaviour blacklist mechanism, the use of plug-ins with known HTTP traffic features can be monitored efficiently and plug-in information collected.
2. Because kernel-layer network filtering is used, a plug-in cannot bypass this detection with traditional application-layer API hook techniques, which greatly increases the difficulty of plug-in anti-detection and anti-monitoring.
3. Most plug-ins are paid products and include a login module, so this scheme is very widely applicable and can be used to detect a large number of plug-ins.
4. The game plug-in monitoring method of this patent is a covert means of monitoring plug-in behaviour, which improves detection capability.
5. The present invention provides a technical solution for extracting the HOST field from HTTP data packets at the kernel layer, which improves detection accuracy.
Description of the drawings
Fig. 1 is a schematic flow chart of the method of the invention.
Specific embodiments
The present invention is further described below with reference to the accompanying drawing.
Referring to Fig. 1, the game plug-in detection method based on HTTP traffic HOST field features of the present invention is built on Microsoft's WFP network filter driver framework and captures a plug-in's network request behaviour by installing network filters at a low level of the system. The method comprises the following steps: step S1, a client at the Windows application layer creates a network filter driver at the driver layer;
Step S2, a HOST blacklist is established; the HOST blacklist stores the HOST domain name strings contained in the HTTP packets sent by plug-ins. Step S2 is specifically: when the network filter driver is created, the HOST domain names that the plug-in accesses during its network interaction are written into the file of the network filter driver; the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, it initializes the HOST blacklist, and during initialization it inserts all HOST domain names written in the file into the HOST blacklist. In addition, every item stored in the blacklist must be a feature unique to the plug-in, i.e. no program other than the plug-in exhibits this network access behaviour, or does so only with extremely low probability; otherwise there is a risk of false positives.
Step S3, the network filter driver captures all TCP data packets at the data stream layer (i.e. the FWPM_LAYER_STREAM_V4 layer) and compares the HOST domain name parameter parsed from each TCP request against the HOST blacklist; if the domain name parameter is identical to any domain name string in the HOST blacklist, the game player is determined to be using a plug-in.
Step S4, the process ID and process path of the plug-in process are obtained from the context data stream that passes from the Windows data flow establishment layer to the data stream layer, and this information is written to the plug-in detection log file.
Between step S2 and step S3 the method also includes: step S21, the network filter driver uses the FwpmEngineOpen function to obtain a handle to the base filtering engine (BFE), which is used as a parameter in subsequent operations;
Step S22, the network filter driver uses the FwpsCalloutRegister function to register the callback functions that monitor data at the data stream layer and the data flow establishment layer;
Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the BFE add the previously registered callback functions;
Step S24, the network filter driver uses the FwpmSubLayerAdd function to create sublayers at the FWPM_LAYER_STREAM_V4 layer (data stream layer) and the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (data flow establishment layer) for capturing data;
Step S25, the network filter driver uses the FwpmFilterAdd function to create filters at the data stream layer and the data flow establishment layer through the BFE, and associates the callback functions with the sublayers. After the association is complete, when a sublayer captures a network data packet the system calls that sublayer's callback function to process the packet. The callback function of the data stream layer processes TCP data packets; the callback function of the data flow establishment layer extracts the sending/receiving process ID and process path of the data packet;
Step S26, when the callback function of the data flow establishment layer is called by the system, it first parses out the process path and process ID for the network data packet, saves this information into a context data stream, and then uses the FwpsFlowAssociateContext function to associate the context data stream with the data stream layer; the filter can thereby pass the context data stream across layers to the data stream layer. When the callback function of the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (data flow establishment layer) processes a data packet captured by the sublayer, the process path and process ID for that packet can be obtained by parsing the context data stream.
Step S3 is specifically: step S31, when the callback function of the data stream layer is called, it checks whether the remote port of the data packet is 80; if so, the packet is an HTTP-protocol TCP data packet and processing proceeds to step S32; otherwise the callback function finishes;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP-protocol TCP data packet. It then traverses the HOST blacklist and compares the HOST field string with each blacklist item; if a blacklist item is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a plug-in.
Step S4 is specifically: when the context data stream arrives at the data stream layer from the Windows data flow establishment layer, the callback function of the data flow establishment layer extracts the process path and process ID from the context data stream, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the plug-in detection log file.
The callback function parses the packet content according to the HTTP message format and extracts the HOST field string from the HTTP-protocol TCP data packet through the following steps:
Step 1, use a string matching algorithm to search the HTTP-protocol TCP data packet for the string "Host:". If it is not present, the process ends. If it is present, record the memory address at which "Host:" first occurs, and set Start to the address of the byte following it;
Step 2, using byte-by-byte comparison, with Start as the starting point and the penultimate byte of the HTTP-protocol TCP data packet as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' respectively. If it is not found, exit the HOST extraction process; otherwise set End to the byte preceding the memory address found;
Step 3, the data stored in memory from Start to End is the content of the HOST parameter of the HTTP-protocol TCP data packet. The position of the HOST parameter within the packet is shown in Table 1 below.
Table 1
Other data | "Host:" | HOST parameter | "\x0d\x0a" | Other data
The string matching algorithm may be the KMP algorithm; other algorithms may also be used in practice. In this patent "HOST field" and "HOST parameter" denote the same data object (the data segment that describes the HOST domain name in an HTTP data packet); "HOST parameter" is used in place of "HOST field" in some passages for ease of reading and understanding.
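The three extraction steps above, together with the port check of step S31 and the blacklist comparison of step S32, as an added user-mode C example that is not code from the patent. The function names, the sample request bytes and the one-entry blacklist (the host used in the patent's embodiment) are constructed for illustration; trimming whitespace around the value and comparing host names case-insensitively go beyond the exact string comparison the page describes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed blacklist; the single entry is the sample host from the patent's embodiment. */
static const char *const HOST_BLACKLIST[] = { "tools.cheat.com" };
#define BLACKLIST_LEN (sizeof HOST_BLACKLIST / sizeof HOST_BLACKLIST[0])

/* Constructed sample request (not captured traffic). */
static const char SAMPLE_REQ[] =
    "GET /key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\nConnection: close\r\n\r\n";

/* Bounded byte search: never reads past buf + len, unlike strstr on raw packet data. */
static const unsigned char *find_bytes(const unsigned char *buf, size_t len,
                                       const char *needle, size_t nlen)
{
    if (nlen == 0 || len < nlen)
        return NULL;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return buf + i;
    return NULL;
}

/* Steps 1-3. Copies the HOST value into out (NUL-terminated).
 * Returns its length, or -1 if there is no complete Host line or it does not fit. */
int extract_host(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    /* Step 1: first occurrence of "Host:"; Start is the byte after it. */
    const unsigned char *hit = find_bytes(pkt, len, "Host:", 5);
    if (hit == NULL)
        return -1;
    const unsigned char *start = hit + 5;

    /* Step 2: search "\x0d\x0a" from Start; the last candidate position is the
     * penultimate byte of the packet. */
    const unsigned char *end = find_bytes(start, len - (size_t)(start - pkt), "\r\n", 2);
    if (end == NULL)
        return -1;                      /* header line incomplete in this segment */

    /* Added hardening (not in the patent): trim optional spaces/tabs around the value. */
    while (start < end && (*start == ' ' || *start == '\t'))
        start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
        end--;

    /* Step 3: [start, end) is the HOST value; refuse empty or oversized values. */
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= outsz)
        return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* ASCII case-insensitive equality (added assumption: host names compare case-insensitively). */
static int host_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* S32: traverse the blacklist; 1 if any item equals the extracted host. */
int host_blacklisted(const char *host)
{
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (host_equal(host, HOST_BLACKLIST[i]))
            return 1;
    return 0;
}

/* S31 + S32 for one captured segment: 1 = blacklisted HOST seen, 0 = not flagged. */
int inspect_segment(unsigned short remote_port, const unsigned char *pkt, size_t len)
{
    char host[256];
    if (remote_port != 80)              /* S31: only remote port 80 is treated as HTTP */
        return 0;
    if (extract_host(pkt, len, host, sizeof host) < 0)
        return 0;
    return host_blacklisted(host);
}

int main(void)
{
    int hit = inspect_segment(80, (const unsigned char *)SAMPLE_REQ, sizeof SAMPLE_REQ - 1);
    printf("sample request flagged: %d\n", hit);
    return 0;
}
```

A request header split across two stream indications is not reassembled here, and a literal `Host:` inside a request body would also match, because the search follows the page's first-occurrence rule.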
The implementation of this scheme is further described below with reference to a specific embodiment:
Assume that game plug-in A is plug-in software that undermines online game client C, a product of game company B. After its process starts, plug-in A accesses "tools.cheat.com/key.txt" (the HOST parameter of this URL is "tools.cheat.com"); apart from game plug-in A, no other process makes the same network request. Game company B uses network filter driver D, developed on the basis of this scheme, to detect whether plug-in A is running while a player plays, and thereby protects game client C.
1. After the player runs game client C, game client C automatically loads network filter driver D. After loading successfully, network filter driver D initializes the HOST blacklist and inserts into it the blacklist item "tools.cheat.com", which is dedicated to detecting game plug-in A.
2. After completing a series of operations at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 and FWPM_LAYER_STREAM_V4 layers, such as registering callback functions, creating sublayers and enabling filters, network filter driver D begins filtering network data packets.
3. Assume that while game client C is running, the player starts game plug-in A. After starting successfully, game plug-in A attempts to access "tools.cheat.com/key.txt": it first sends a data packet requesting a connection to the server at the network address whose domain name is "tools.cheat.com"; after the server confirms the connection request, game plug-in A sends an HTTP-protocol TCP data packet whose HOST parameter is "tools.cheat.com".
4. After the filter at the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (data flow establishment layer) captures the data packet requesting the server connection, it extracts the sending process's information, i.e. the process ID and process path of game plug-in A, from the incoming parameters, saves this information into a context data stream, and then uses the FwpsFlowAssociateContext function to associate the context data stream with the FWPM_LAYER_STREAM_V4 layer. From this point on, when the FWPM_LAYER_STREAM_V4 layer (data stream layer) captures data packets sent or received by game plug-in A, the process information of game plug-in A can be extracted from the context data stream.
5. After the filter at the FWPM_LAYER_STREAM_V4 layer captures this TCP data packet, it checks whether the packet's remote port number is 80. If the port number equals 80, the packet is an HTTP-protocol TCP data packet; assuming the content of the HTTP message is "xxxHost:tools.cheat.com\x0d\x0axxxxxx" (x represents irrelevant data), processing proceeds to step 7. Otherwise the callback function finishes.
6. The callback function of the FWPM_LAYER_STREAM_V4 layer parses the packet content according to the HTTP message format. Parsing the HTTP data packet yields the HOST parameter string "tools.cheat.com".
7. The callback function of the FWPM_LAYER_STREAM_V4 layer traverses the HOST blacklist and compares the HOST parameter string "tools.cheat.com" with each blacklist item. When the comparison reaches the blacklist item "tools.cheat.com", the two strings are equal, so this HTTP data packet is determined to match a HOST blacklist rule, and the process that sent it is therefore determined to be a process created by game plug-in A.
8. The FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer extracts the process path and process ID of game plug-in A from the context data stream, and then uses the ZwWriteFile function to write the process ID and process path to the plug-in detection log file. This completes one successful detection of game plug-in A.
The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the claims of the present invention are covered by the present invention.

Claims (6)

1. a kind of plug-in detection method of game based on HTTP flow HOST field feature, it is characterised in that: the method includes Following steps: step S1, the client of Windows system application layer creates networks filter driver in driving layer;
Step S2, a HOST blacklist is established, the HOST blacklist stores the domain HOST that the HTTP packet of plug-in sending is included Name character string;
Step S3, networks filter driver captures all TCP data packets in layer data stream, and by TCP data packet request analysis Judgement is compared with the HOST blacklist in HOST domain name parameters, if any one domain name in domain name parameters and HOST blacklist Character string is identical, then determines that game player has plug-in usage behavior;
Step S4, established in the context data stream that layer reaches layer data stream from Windows system data flow obtain this it is plug-in into The process id information of journey, process path information, and these information are written in plug-in detection journal file.
2. a kind of plug-in detection method of game based on HTTP flow HOST field feature according to claim 1, special Sign is: the step S2 is further specifically: during creation networks filter driver, by plug-in carry out network interaction process The middle HOST domain name that can be accessed is written in the file of networks filter driver, and Windows system application loads and opens net Network filtration drive;After networks filter driver is opened successfully, HOST blacklist, during initializing blacklist, net are initialized All HOST domain names being written in file are inserted into HOST blacklist by network filtration drive.
3. a kind of plug-in detection method of game based on HTTP flow HOST field feature according to claim 1, special Sign is: between the step S2 and step S3 further include: step S21, networks filter driver uses FwpmEngineOpen letter Number obtains basic filtering engine BFE handle, the parameter as subsequent operation;
Step S22, networks filter driver is established using FwpsCalloutRegister function registration in layer data stream, data flow The call back function of layer monitoring data;
Step S23, networks filter driver is infused using FwpmCalloutAdd function to basic filtering engine BFE application addition before The call back function of volume;
Step S24, networks filter driver uses FwpmSubLayerAdd function, establishes layer creation in layer data stream, data flow Layer, for capturing data;
Step S25, networks filter driver use FwpmFilterAdd function, by basic filtering engine BFE layer data stream, Data flow establishes layer creation filter, and call back function is associated with sublayer;After completing association, when sublayer captures network data Bao Shi, system can call the corresponding call back function network data packet of sublayer;The call back function of the layer data stream is for locating Manage TCP data packet;The call back function that data flow establishes layer is used to extract the transmitting-receiving process id information of data packet, process path letter Breath;
Step S26, data flow establishes the call back function of layer when being called by system, first parse network packet process path, Process id information, and by these information preservations into context data stream, then use FwpsFlowAssociateContext Context data stream is associated with binding with layer data stream by function;Filter can be by context data stream cross-layer transmission to data flow Layer.
4. The game plug-in detection method based on the HTTP traffic HOST field feature according to claim 3, characterized in that step S3 further comprises: Step S31, when the callback function of the data stream layer is called, the callback function checks whether the remote port of the data packet is 80; if so, the data packet is a TCP data packet of the HTTP protocol and the method proceeds to step S32; otherwise the callback function ends;
Step S32, the callback function of the data stream layer parses the packet content according to the HTTP message format and extracts the HOST field string from the TCP data packet of the HTTP protocol, then traverses the HOST blacklist and compares the HOST field string with each blacklist item as a string; if a blacklist item is identical to the HOST field string extracted from the TCP data packet, the player is determined to be using a plug-in.
5. The game plug-in detection method based on the HTTP traffic HOST field feature according to claim 3, characterized in that step S4 further comprises: when a context data stream arrives at the data stream layer from the Windows system data flow establishment layer, the callback function of the data flow establishment layer extracts the process path and process ID from the context data stream, and then uses the ZwWriteFile function to write the remote IP, remote port, process ID and process path to the plug-in detection log file.
6. The game plug-in detection method based on the HTTP traffic HOST field feature according to claim 4, characterized in that the callback function parsing the packet content according to the HTTP message format and extracting the HOST field string from the TCP data packet of the HTTP protocol specifically comprises the following steps:
Step 1, using a string matching algorithm, search the TCP data packet of the HTTP protocol for the string "Host: "; if it is not present, the process ends; if it is present, record the memory address at which the string "Host: " first occurs, and set Start to the address of the byte that follows it;
Step 2, by character comparison, with Start as the starting point and the penultimate byte of the TCP data packet of the HTTP protocol as the end point, search for "\x0d\x0a", i.e. two consecutive bytes holding '\x0d' and '\x0a' respectively; if it is not found, exit the HOST extraction process; otherwise set End to the byte immediately before the memory address that was found;
Step 3, the data stored in memory from Start to End is the content of the HOST field of the TCP data packet of the HTTP protocol.
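The port check and blacklist comparison of claim 4 and the Start/End extraction of claim 6, as an added user-mode C example; it is not code from the patent. The function names, the sample request and the blacklist entries are constructed, and Start is read here as the first byte after the matched "Host: " string.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample data, not taken from the patent. */
static const char SAMPLE_REQ[] =
    "GET /update HTTP/1.1\r\nHost: cheat.example.invalid\r\nAccept: text/html\r\n\r\n";
static const char *const SAMPLE_BLACKLIST[] = { "tools.example.invalid",
                                                "cheat.example.invalid" };

/* Bounded search: a TCP payload is not NUL-terminated, so strstr() is unsafe. */
static const unsigned char *find_bytes(const unsigned char *buf, size_t len,
                                       const char *needle, size_t nlen)
{
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return buf + i;
    return NULL;
}

/* Claim 6, steps 1-3. Returns the host length, or -1 when "Host: " is absent,
 * no CRLF follows it, the value is empty, or it does not fit in out. */
int extract_host(const unsigned char *pkt, size_t len, char *out, size_t outsz)
{
    const unsigned char *hit = find_bytes(pkt, len, "Host: ", 6);
    if (!hit) return -1;
    const unsigned char *start = hit + 6;                 /* Start */
    const unsigned char *crlf =
        find_bytes(start, (size_t)(pkt + len - start), "\r\n", 2);
    if (!crlf || crlf == start) return -1;
    size_t n = (size_t)(crlf - start);                    /* End is crlf - 1 */
    if (n >= outsz) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return (int)n;
}

/* Claim 4: remote port 80 gate, then exact comparison with each blacklist item. */
int is_blacklisted(unsigned short remote_port, const unsigned char *pkt,
                   size_t len, const char *const *blacklist, size_t count)
{
    char host[256];
    if (remote_port != 80) return 0;
    if (extract_host(pkt, len, host, sizeof host) < 0) return 0;
    for (size_t i = 0; i < count; i++)
        if (strcmp(host, blacklist[i]) == 0) return 1;
    return 0;
}

int main(void) {
    return is_blacklisted(80, (const unsigned char *)SAMPLE_REQ,
                          sizeof SAMPLE_REQ - 1, SAMPLE_BLACKLIST, 2) ? 0 : 1;
}
```

HTTP field names are case-insensitive and the Host value may carry a `:port` suffix, so a deployed matcher would normalise both before the comparison.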
CN201910765984.5A 2019-08-19 2019-08-19 A kind of plug-in detection method of game based on HTTP flow HOST field feature Withdrawn CN110404267A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910765984.5A CN110404267A (en) 2019-08-19 2019-08-19 A kind of plug-in detection method of game based on HTTP flow HOST field feature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910765984.5A CN110404267A (en) 2019-08-19 2019-08-19 A kind of plug-in detection method of game based on HTTP flow HOST field feature

Publications (1)

Publication Number Publication Date
CN110404267A true CN110404267A (en) 2019-11-05

Family

ID=68368017

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910765984.5A Withdrawn CN110404267A (en) 2019-08-19 2019-08-19 A kind of plug-in detection method of game based on HTTP flow HOST field feature

Country Status (1)

Country Link
CN (1) CN110404267A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111722979A (en) * 2020-06-10 2020-09-29 北京百度网讯科技有限公司 Quality monitoring method, quality monitoring device, server and storage medium
CN112995145A (en) * 2021-02-05 2021-06-18 中国科学院信息工程研究所 HTTP traffic analysis processing method and system for DPI application and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111722979A (en) * 2020-06-10 2020-09-29 北京百度网讯科技有限公司 Quality monitoring method, quality monitoring device, server and storage medium
CN111722979B (en) * 2020-06-10 2024-02-13 北京百度网讯科技有限公司 Quality monitoring method, quality monitoring device, server and storage medium
CN112995145A (en) * 2021-02-05 2021-06-18 中国科学院信息工程研究所 HTTP traffic analysis processing method and system for DPI application and storage medium

Similar Documents

Publication Publication Date Title
CN101437032B (en) System for monitoring VOIP voice quality based on SIP protocol and detection method thereof
US8065722B2 (en) Semantically-aware network intrusion signature generator
CN106330584B (en) A kind of recognition methods of Business Stream and identification device
CN103139315A (en) Application layer protocol analysis method suitable for home gateway
KR20000057209A (en) Method and apparatus for automated network-wide surveillance and security breach intervention
CN101360019A (en) Detection method, system and apparatus of zombie network
CN112039904A (en) Network traffic analysis and file extraction system and method
CN105103496A (en) System and method for extracting and preserving metadata for analyzing network communications
CN110404267A (en) A kind of plug-in detection method of game based on HTTP flow HOST field feature
WO2009115034A1 (en) Method, system and apparatus for detecting protocol message
CN110768875A (en) Application identification method and system based on DNS learning
CN107666486A (en) A kind of network data flow restoration methods and system based on message protocol feature
CN109818970A (en) A kind of data processing method and device
CN106789242A (en) A kind of identification application intellectual analysis engine based on mobile phone client software behavioral characteristics storehouse
CN109474485A (en) Method, system and storage medium based on network traffic information detection Botnet
CN100493065C (en) Method for using immediate information software by data detection network address switching equipment
CN110368695A (en) A kind of plug-in detection method of game based on HTTP flow URI feature
CN101321097A (en) Tencent network living broadcast business recognition method based on payload depth detection
CN113542311B (en) Method for detecting and backtracking defect host in real time
CN101582880B (en) Method and system for filtering messages based on audited object
CN110507995A (en) A kind of plug-in behavior monitoring method of game based on HTTP flow HOST field feature
CN105792265B (en) Malicious traffic stream detection method and system, monitor supervision platform
CN111865724B (en) Information acquisition control implementation method for video monitoring equipment
CN110465094A (en) A kind of plug-in detection method of game based on IP port diagnostic
JP3648520B2 (en) Network communication monitoring / control method, monitoring / control apparatus using the same, and computer-readable recording medium recording network communication monitoring / control program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20191105