CN111625784B - Anti-debugging method of application, related device and storage medium - Google Patents


Info

Publication number
CN111625784B
Authority
CN
China
Prior art keywords
application
protected
memory space
target
protection area
Prior art date
Legal status
Active
Application number
CN202010481880.4A
Other languages
Chinese (zh)
Other versions
CN111625784A (en)
Inventor
张登超
Current Assignee
Simplecredit Micro-Lending Co ltd
Original Assignee
Simplecredit Micro-Lending Co ltd
Priority date
Filing date
Publication date
Application filed by Simplecredit Micro-Lending Co ltd
Priority to CN202010481880.4A
Publication of CN111625784A
Application granted
Publication of CN111625784B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2113 Multi-level security, e.g. mandatory access control
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the application discloses an anti-debugging method of an application, a related device and a storage medium. The method comprises the following step: when a data reading request from the target process to a target protection area is detected, returning to the target process the data matched to the security level of that target protection area, the target protection area being any one of the plurality of protection areas. By implementing the method, the important information of the application to be protected is protected in a graded manner using protection areas with different security levels.

Description

Anti-debugging method of application, related device and storage medium
Technical Field
The present application relates to the field of computers, and in particular, to an application anti-debugging method, a related device, and a storage medium.
Background
Software quality is a key factor that directly affects the development of software industry applications, and software testing plays an extremely important role in ensuring software quality. Application debugging technology is continuously updated, but at the same time it has brought the problem that some applications are debugged by illegal means, so application anti-debugging technology has emerged; its purpose is to prevent the application from being maliciously attacked.
Currently, anti-debugging is mostly implemented within the application program itself: for example, the application to be protected carries anti-debugging checks such as the port number used by a debugging tool, changes to a system file after debugging, or a debugging signal. If a malicious attacker changes the default port number of the debugging tool, modifies the system file, or removes the debugging-signal detection mechanism of the application to be protected, the anti-debugging technology is at risk of being maliciously bypassed; how to effectively avoid this bypass risk for the anti-debugging technology of the application to be protected has therefore become a problem to be solved.
Disclosure of Invention
The embodiment of the application provides an anti-debugging method for an application, a related device and a storage medium, which protect the important information of the application to be protected in a graded manner through memory space protection areas with different security levels, so that the risk of leakage of the information of the application to be protected is effectively reduced.
In a first aspect, an embodiment of the present invention provides an anti-debugging method of an application, where the method is applied to an anti-debugging system component running on a mobile terminal, and the method includes:
detecting whether a target process entering a memory space of an application to be protected exists or not;
if yes, acquiring the data tag of the application to be protected;
dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and storing data matched with the security level of the protection area in each protection area;
and when the data reading request of the target process to the target protection area is detected, returning the data matched with the security level of the target protection area to the target process, wherein the target protection area is any one protection area in the plurality of protection areas.
In a second aspect, an embodiment of the present invention provides an anti-debugging device for an application, where the device includes:
the detection module is used for detecting whether a target process entering a memory space of the application to be protected exists or not;
the acquisition module is used for acquiring the data tag of the application to be protected if so;
the processing module is used for dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and each protection area stores data matched with the security level of the protection area;
the sending module is used for returning data matched with the security level of the target protection area to the target process when the data reading request of the target process to the target protection area is detected, wherein the target protection area is any one protection area in the plurality of protection areas.
In a third aspect, an embodiment of the present invention provides a terminal, including a processor, an input device, an output device, a memory and a network interface, where the processor, the input device, the output device, the memory and the network interface are connected to each other, where the memory is configured to store a computer program, the computer program includes program instructions, and the processor is configured to invoke the program instructions to execute the method described in the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer readable storage medium storing a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect.
In the embodiment of the invention, an anti-debugging system component running on a mobile terminal detects whether a target process entering a memory space of an application to be protected exists, if yes, a data tag of the application to be protected is obtained, the memory space corresponding to the application to be protected is divided into a plurality of protection areas with different security levels according to the data tag, each protection area stores data matched with the security level of the protection area, when a data reading request of the target process to the target protection area is detected, the data matched with the security level of the target protection area is returned to the target process, the target protection area is any protection area in the plurality of protection areas, and important information of the application to be protected is protected in a grading manner by using the protection areas with different security levels by implementing the method, so that the risk of leakage of the information of the application to be protected is effectively reduced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of an anti-debugging method of an application according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a code markup for application development provided by an embodiment of the present invention;
FIG. 3 is a flowchart of another method for anti-debugging an application according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an anti-debugging device for an application according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 1, fig. 1 is a schematic flow chart of an anti-debugging method of an application in an embodiment of the present invention, where the method is applied to an anti-debugging system component running on a mobile terminal, as shown in fig. 1, and the flow chart of the anti-debugging method of the application in the embodiment may include:
S101, the anti-debugging system component detects whether a target process entering the memory space of the application to be protected exists.
The anti-debugging system component is a component of the mobile terminal operating system. It is developed and loaded as an operating system component that runs inside the mobile operating system, so it can provide an application programming interface (API) to developers. The API is a set of predefined functions through which an application program and its developer can access a set of routines of particular software or hardware without accessing the source code or understanding the details of the internal working mechanism. The anti-debugging system component also has all the functions implemented by the processor.
In one possible implementation, the anti-debugging system component detects whether there is a target process that enters the memory space of the application to be protected. Such a target process enters the memory space of the application to be protected by calling the ptrace facility of the mobile terminal system, roams the whole memory space of the application through ptrace, and searches for related function, variable or class information of the application to be protected; this is what triggers the anti-debugging system component to protect the application.
S102, if yes, the anti-debugging system component acquires the data tag of the application to be protected.
For step S101, if the anti-debug system component detects that there is a target process entering the memory space of the application to be protected, the anti-debug system component acquires the data tag of the application to be protected.
The data tag is generated and acquired as follows. The anti-debugging system component provides an API for the development of the application to be protected, and the developer uses this API to mark related function information, variable information and class information while writing the code of the application. For example, "@Protect" together with "@High" identifies a function, variable or class that requires the highest level of protection, "@Protect" with "@Medium" identifies one that requires the medium level of protection, and "@Protect" with "@Low" identifies one that requires the lowest level of protection. A specific example is shown in FIG. 2, which is a schematic diagram of code marking for application development according to an embodiment of the present invention.
After the related function, variable and class information of the application to be protected has been marked, the anti-debugging system component informs the compiler, while the source code of the application is compiled into machine code, that the marked functions, variables and classes need to be protected when they are illegally debugged. The compiler therefore generates machine code for those functions, variables and classes and marks that machine code; these marks are the data tags of the invention, and they are stored in the compiled machine code so that the anti-debugging component can provide different levels of protection for the application according to the specific situation when it is debugged. Because the data tags are stored in the compiled machine code, when the anti-debugging system component detects a target process entering the memory space of the application to be protected, it acquires the data tags of the application from the machine code.
S103, dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag by the anti-debugging system component, and storing data matched with the security level of the protection area in each protection area.
The security levels include a first level, a second level and a third level, the first level being higher than the second and the second higher than the third. The size of the memory space occupied by each protection area may be the same or different. For example, if the memory space of the application to be protected is 300MB, the first-level protection area may occupy 100MB, the second-level protection area 100MB and the third-level protection area 100MB, in which case every protection area occupies the same amount of memory; if the memory space of the application to be protected is 256MB, the first-level protection area may occupy 96MB, the second-level protection area 80MB and the third-level protection area 80MB, in which case the protection areas occupy different amounts of memory. The first level indicates that the information in its protection area is of the highest importance, and the third level indicates that the information in its protection area is of the lowest importance. The content stored in each protection area is also different. A memory heap and a memory stack are provided in each protection area: the heap mainly stores data, variable values and objects, while the stack mainly stores pointers, references, variable names, function names, parameters and the like. The operating mechanism inside each protection area is the same as in the non-protected mode, that is, the application simply runs in memory. At the same time, all protection areas can communicate with and access one another through memory addresses.
And S104, when the data reading request of the target process to the target protection area is detected, the anti-debugging system component returns the data matched with the security level of the target protection area to the target process, wherein the target protection area is any one protection area in the plurality of protection areas.
The plurality of protection areas refer to the first-level protection area, the second-level protection area, and the third-level protection area described in step S103.
In one possible implementation, after the anti-debug system component detects that the target process enters the memory space of the application to be protected, the target process initiates the operation of the data read request to the application to be protected. Each operation of the data reading request has corresponding data reading content, and the corresponding data reading content is included in any one of the protection areas. Therefore, it is necessary to determine to which target protection area the requested data read content belongs, and after determining the protection area corresponding to the data read request, the anti-debug system component returns data matching the security level of the target protection area to the target process according to the corresponding protection policy.
In the embodiment of the invention, the anti-debugging system component detects whether a target process entering the memory space of the application to be protected exists, if yes, the data tag of the application to be protected is obtained, the memory space corresponding to the application to be protected is divided into a plurality of protection areas with different security levels according to the data tag, each protection area stores data matched with the security level of the protection area, when the data reading request of the target process to the target protection area is detected, the data matched with the security level of the target protection area is returned to the target process, the target protection area is any protection area in the plurality of protection areas, and the important information of the application to be protected is protected in a grading manner by utilizing the protection areas with different security levels by implementing the method, so that the risk that the information of the application to be protected is leaked is effectively reduced.
Fig. 3 is a schematic flow chart of another anti-debugging method of an application in an embodiment of the present invention, where the method is applied to an anti-debugging system component running on a mobile terminal, as shown in fig. 3, and the flow chart of the anti-debugging method of the application in the embodiment may include:
S301, the anti-debugging system component acquires the system files of the mobile terminal and the port numbers currently in an open state.
Debugging the application to be protected through a system file, or by modifying a port number, is an illegal means of debugging. The anti-debugging system component therefore needs to monitor for these illegal debugging means before detecting whether a target process entering the memory space of the application to be protected exists. The component acquires the system files of the mobile terminal and the port numbers currently in an open state, and uses them to judge whether the application to be protected is currently being debugged by such illegal means.
S302, if the system file does not comprise a file of a specified type and the port number does not comprise a preset port number, the anti-debugging system component detects whether a target process entering a memory space of the application to be protected exists.
In one possible implementation, after the anti-debug system component obtains the system file and the port number, the two are judged. If the system file does not include a file of a specified type and the port number does not include a preset port number, the anti-debugging system component directly detects whether a target process entering the memory space of the application to be protected exists.
In one possible implementation, the anti-debugging system component checks the operating system files of the mobile terminal for the presence of particular files. Specifically, after obtaining the system files of the mobile terminal from the mobile terminal operating system, the component checks whether they include a file of a specified type, for example an "xposedbridge" file and a "de." file. If the obtained system files include these two files (they appear in the directory "/Proc/process PID/Maps"), this indicates that the application to be protected is about to be debugged, and the anti-debugging system component then protects the application directly by executing steps S305 to S307.
In one possible implementation, the anti-debugging system component monitors the default port numbers of common debugging tools. Specifically, the component obtains the port numbers currently in an open state, where the open state refers to whether the port number through which a debugging tool accesses the application to be protected is occupied. If the port numbers currently open include the preset port number, the anti-debugging system component immediately stops the process of the debugging tool corresponding to that port, so that it cannot debug the application to be protected any further. For example, Frida (a hook framework based on Python and JavaScript) is injected through port 27042 of the debugging tool, and the anti-debugging system component determines whether a malicious attacker is debugging the application to be protected with Frida by checking whether that port is in a listening state; here, port 27042 is the preset port number.
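The two pre-checks of steps S301 and S302 can be exercised on constructed copies of the two Linux pseudo-files a system component would read for them. The following Python is an added example, not the patent's code: it looks for a mapped "xposedbridge" file in a constructed /proc/<pid>/maps excerpt and for a listener on the preset port 27042 (Frida's default) in a constructed /proc/net/tcp excerpt; the names DEBUG_HOOK_MARKERS, PRESET_DEBUG_PORTS and pre_check, and the decision labels they return, are assumptions of this example.

```python
# Step S302: files of a "specified type" mapped into the process. The page names an
# "xposedbridge" file; markers are matched case-insensitively against the path
# column of /proc/<pid>/maps. (Constant name and contents are assumptions.)
DEBUG_HOOK_MARKERS = ("xposedbridge",)

# Step S302: the "preset port number". The page names Frida's default port 27042.
PRESET_DEBUG_PORTS = (27042,)

TCP_LISTEN = "0A"  # value of the socket-state column for LISTEN in /proc/net/tcp

# Constructed /proc/<pid>/maps excerpt of a process with a hook framework mapped in.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7a1d400000-7a1d600000 r-xp 00000000 fd:00 2345   /system/framework/XposedBridge.jar
7a1e000000-7a1e200000 r-xp 00000000 fd:00 9876   /system/lib64/libc.so
"""

# Constructed excerpt with no hook framework; the last line has no path column.
CLEAN_MAPS = """\
7a1e000000-7a1e200000 r-xp 00000000 fd:00 9876   /system/lib64/libc.so
7ffd000000-7ffd021000 rw-p 00000000 00:00 0
"""

# Constructed /proc/net/tcp excerpt: socket 0 listens (st=0A) on 0x69A2 = 27042,
# socket 1 listens on 0x1F90 = 8080.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
"""

# Constructed excerpt without the preset port; socket 1 is ESTABLISHED (st=01), not LISTEN.
CLEAN_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   1: 0100007F:D431 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 0 0 10 -1
"""


def hook_files_in_maps(maps_text: str) -> list:
    """Return the mapped paths whose name contains a known hook-framework marker."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode [pathname]
        if len(fields) < 6:
            continue  # anonymous mapping without a path column
        path = fields[5].strip()
        if any(marker in path.lower() for marker in DEBUG_HOOK_MARKERS):
            hits.append(path)
    return hits


def listening_ports(net_tcp_text: str) -> set:
    """Return the local port of every socket in LISTEN state (ports are hex in the file)."""
    ports = set()
    for line in net_tcp_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def pre_check(maps_text: str, net_tcp_text: str) -> tuple:
    """Steps S301/S302 combined: decide what the component does next.

    "protect"        a specified-type file is mapped: protect directly (S305 to S307)
    "stop_debugger"  a preset port is listening: stop the debugging tool's process
    "detect_process" neither check tripped: go on to the ptrace-entry detection
    """
    hits = hook_files_in_maps(maps_text)
    if hits:
        return ("protect", hits[0])
    open_debug_ports = listening_ports(net_tcp_text) & set(PRESET_DEBUG_PORTS)
    if open_debug_ports:
        return ("stop_debugger", min(open_debug_ports))
    return ("detect_process", None)
```

On a device the same parsers would be fed the contents of the real pseudo-files; note that reading another process's maps or the global /proc/net/tcp needs the privileges of a system component, which is the setting the page assumes.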
S303, if yes, outputting a prompt message of password input by the anti-debugging system component.
In one possible implementation, if the anti-debugging system component detects a target process entering the memory space of the application to be protected, it reads the certificate signature file of the application stored in that memory space and outputs a prompt message for password input, so that a password must be entered whether or not the requester is a malicious attacker. Because viewing the signature information requires entering the password, the component can distinguish a malicious attacker debugging the application to be protected from a developer debugging it.
S304, the anti-debugging system component acquires the password input for the prompt message.
In one possible implementation, after outputting the prompt message for the password input, the anti-debug system component obtains the password input for the prompt message.
S305, if the input password is inconsistent with the certificate password of the application to be protected and the number of times of input password errors reaches a preset number of times threshold, the anti-debugging system component acquires the data tag of the application to be protected.
In one possible implementation, the certificate password is set by the developer when the application to be protected is developed. If the anti-debugging system component detects that the entered password is inconsistent with the certificate password of the application to be protected, it outputs the password prompt again; if the number of incorrect password entries then reaches the preset threshold, no further password verification is performed, the application to be protected is protected directly, and the anti-debugging system component acquires the data tag of the application to be protected. The preset threshold is typically set during application development, and is typically 3 or 6. The data tag has already been described in step S102 and is not described again here.
In one possible implementation manner, if the anti-debugging system component detects that the input password is consistent with the certificate password of the application to be protected, it can be determined that the application to be protected is to be debugged by the developer, and then the anti-debugging system component reloads the application to be protected and does not execute the operation of protecting the application to be protected, and at this time, the developer can normally debug the application to be protected.
S306, dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag by the anti-debugging system component, and storing data matched with the security level of the protection area in each protection area.
Wherein the security level is divided as described in step S103.
S307, when the data reading request of the target process to the target protection area is detected, the anti-debugging system component returns data matched with the security level of the target protection area to the target process, wherein the target protection area is any one protection area in the plurality of protection areas.
In one possible implementation manner, when detecting a data reading request of the target process to the target protection area, the anti-debugging system component returns data matching the security level of the target protection area to the target process, specifically: when the security level of the target protection area corresponding to the data reading request is detected to be the first level, the address space of the first-level protection area being described by a base address and an offset address, the anti-debugging system component hides the real memory address of the first-level protection area and reallocates a first memory space area for the application to be protected, the first memory space area being a blank memory space area in which no valid value is stored. The anti-debugging system component then returns the access address (base address + offset address) of the first memory space area to the target process, so that the target process reads data from the first memory space area according to that access address and, in general, obtains no information.
In one possible implementation manner, when detecting a data reading request of the target process to the target protection area, the anti-debugging system component returns data matching the security level of the target protection area to the target process, specifically: and under the condition that the security level of the target protection area corresponding to the data reading request is detected to be a second level, the anti-debugging system component reallocates a second memory space area for the application to be protected, wherein the second memory space area is used for storing structural frame information of the application to be protected, the structural frame information comprises one or more of function names, class names and variable names, and the structural frame information of the target application stored in the second memory space area is returned to the target process. It should be noted that in this case, the anti-debug system component simply provides a function name, class name, or variable name back to the target process, and does not expose the entire application to be protected, nor expose the logic of a function.
In a further possible implementation manner, the anti-debugging system component may provide a return value and a shared memory for a process that normally needs to communicate with the application to be protected, so that a process that needs to interact with the application to be protected may provide a corresponding value and a result for the application to be protected. Meanwhile, the real memory address and the memory size of the second-level protection area can be accessed with the first-level protection area, so that the continuity and accessibility of the memory address acquired by the whole application to be protected can be ensured. The second level protection area is therefore generally equivalent to providing an intermediary for interaction with other normal applications.
In one possible implementation manner, when detecting a data reading request of the target process to the target protection area, the anti-debugging system component returns data matching the security level of the target protection area to the target process, specifically: and when the security level of the target protection area corresponding to the data reading request is detected to be the third level, the anti-debugging system component acquires the data corresponding to the data reading request from the target protection area and returns the data corresponding to the data reading request to the target process. In this case, the contents of the target protected area, including functions, classes, reference types, and all return values, can be accessed, whether by malicious debuggers or normal processes.
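As an added example (not code from the patent), the following Python simulates steps S103 and S104 together with the per-level read policy just described for the first, second and third levels: tagged symbols are laid out in one protection area per level, and a read request is answered with the access address of a blank region for the first level, structural frame information (names only) for the second, and the stored bytes for the third. The tag names follow the page; the class and function names, the byte-level memory model and the sample tagged code are assumptions of this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Tuple


class Level(IntEnum):
    """Security levels of step S103; FIRST is the highest importance."""
    FIRST = 1   # real address hidden, a blank area is handed out instead
    SECOND = 2  # only structural frame information (names) is returned
    THIRD = 3   # stored data is returned as-is


# Source-code tags of step S102, mapped to the level of the area their symbols land in.
TAG_TO_LEVEL = {"@High": Level.FIRST, "@Medium": Level.SECOND, "@Low": Level.THIRD}

# Constructed stand-in for the data tags the compiler stores in the machine code:
# (tag, kind, name, bytes). The byte strings are placeholders, not real code.
TAGGED_CODE = [
    ("@High", "function", "checkLicense", b"\x55\x48\x89\xe5\xc3"),
    ("@High", "variable", "secretKey", b"constructed-key-bytes"),
    ("@Medium", "class", "PaymentService", b"<class-bytes>"),
    ("@Medium", "function", "submitOrder", b"\x55\x48\x89\xe5\x90\xc3"),
    ("@Low", "variable", "appVersion", b"1.4.2"),
]


@dataclass
class ProtectionArea:
    level: Level
    base: int
    size: int
    storage: bytearray = field(default_factory=bytearray)
    symbols: Dict[str, Tuple[str, int, int]] = field(default_factory=dict)  # name -> (kind, offset, len)

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size

    def read(self, offset: int, length: int) -> bytes:
        return bytes(self.storage[offset:offset + length])


def divide_memory(tagged_code, sizes: Dict[Level, int], first_base: int = 0x1000) -> Dict[Level, ProtectionArea]:
    """Step S103: one protection area per level, laid out back to back; each area
    holds only the symbols whose tag matches its level. Sizes may differ per level."""
    areas: Dict[Level, ProtectionArea] = {}
    base = first_base
    for tag, level in TAG_TO_LEVEL.items():
        area = ProtectionArea(level, base, sizes[level], bytearray(sizes[level]))
        offset = 0
        for t, kind, name, data in tagged_code:
            if t != tag:
                continue
            if offset + len(data) > area.size:
                raise MemoryError(f"{level.name} area too small for {name}")
            area.storage[offset:offset + len(data)] = data
            area.symbols[name] = (kind, offset, len(data))
            offset += len(data)
        areas[level] = area
        base += area.size
    return areas


def address_of(areas: Dict[Level, ProtectionArea], name: str) -> int:
    """Absolute address of a tagged symbol, i.e. what a debugger would try to read."""
    for area in areas.values():
        if name in area.symbols:
            return area.base + area.symbols[name][1]
    raise KeyError(name)


class AntiDebugComponent:
    """Step S104: answer a target process's read request according to the level of
    the protection area that the requested address falls in."""

    def __init__(self, areas: Dict[Level, ProtectionArea]):
        self.areas = areas
        # Blank regions for first-level requests are carved out above every real area,
        # so a target process never learns a first-level address.
        self._next_blank = max(a.base + a.size for a in areas.values())

    def handle_read(self, address: int, length: int) -> dict:
        area = next((a for a in self.areas.values() if a.contains(address)), None)
        if area is None:
            raise ValueError(f"{address:#x} is outside the protected memory space")
        offset = address - area.base
        if area.level is Level.FIRST:
            # Hide the real address: hand out (base, offset) of a fresh blank region
            # that stores no valid value, so the read yields nothing.
            blank_base = self._next_blank
            self._next_blank += area.size
            return {"level": area.level, "access": (blank_base, offset), "data": bytes(length)}
        if area.level is Level.SECOND:
            # Only the structural frame: function/class/variable names, no logic.
            frame: List[Tuple[str, str]] = [(kind, name) for name, (kind, _, _) in area.symbols.items()]
            return {"level": area.level, "frame": frame}
        # Third level: contents are readable by any process, debugger or not.
        return {"level": area.level, "data": area.read(offset, length)}
```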
In the embodiment of the invention, the anti-debugging system component acquires the system file of the mobile terminal and the port number in the current opening state, and under the condition that the system file does not comprise a file of a specified type and the port number does not comprise a preset port number, the anti-debugging system component detects whether a target process which enters a memory space of an application to be protected exists, if the target process exists, a prompt message input by a password is output and a password input aiming at the prompt message is acquired, if the input password is inconsistent with a certificate password of the application to be protected, the number of times of input password errors reaches a preset number threshold, the anti-debugging system component acquires a data tag of the application to be protected, and divides the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and when a data reading request of the target process to the target protection area is detected, the anti-debugging system component returns data matched with the security level of the target protection area to the target process, and through the embodiment, the application to be protected in different modes can be protected, and different security levels of the application to be protected, and important functions of the application to be protected, important parameters of the application to be protected are also can be protected in different security levels, important functions of the application to be protected, important protection parameters and important protection parameters to be protected, and important protection resources can be protected, and protection resources can be effectively prevented from being subjected to protection against malicious protection by a user to be subjected to protection or a malicious protection.
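The flow described above, as an added example that is not part of the patent: a small Python simulation of the pre-check on system files and open ports, the password-retry gate, the partition of the memory space into protection areas by data tag, and the three kinds of response to a read request (blank area, structure-frame names only, real contents). Region names, data tags, the file type, the port number, the certificate password, the base address and the retry threshold are all constructed values.

```python
# Added example (not the patent's code): a simulation of the tiered
# protection-area policy described in the text. All region contents, data
# tags, file types, port numbers and thresholds below are constructed.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Security levels from the text: first is the highest, third the lowest."""
    FIRST = 1   # reader is handed a freshly allocated blank area
    SECOND = 2  # reader is handed only structure-frame info (names)
    THIRD = 3   # reader is handed the real contents


@dataclass(frozen=True)
class Region:
    name: str        # hypothetical label for a range of the app's memory
    tag: str         # data tag emitted by the compiler for the marked item
    data: bytes      # the bytes a third-level read returns
    symbols: tuple   # function/class/variable names a second-level read returns


def environment_is_clean(system_files, open_ports, specified_types, preset_ports):
    """Pre-check from the text: proceed to process detection only if no file
    of a specified type is present and none of the preset ports is open."""
    has_marker_file = any(f.endswith(tuple(specified_types)) for f in system_files)
    has_marker_port = bool(set(open_ports) & set(preset_ports))
    return not (has_marker_file or has_marker_port)


class AntiDebugComponent:
    """Models the anti-debugging system component once a target process has
    been found inside the protected application's memory space."""

    def __init__(self, tag_levels, certificate_password, max_wrong):
        self.tag_levels = tag_levels              # data tag -> Level (constructed)
        self.certificate_password = certificate_password
        self.max_wrong = max_wrong                # preset count threshold
        self.wrong_attempts = 0
        self.areas = None                         # Level -> [Region] after partition
        self.next_addr = 0x7000_0000              # constructed base for new areas

    def submit_password(self, entered, regions):
        """Password gate: 'allowed' on a correct password, 'pending' while the
        error count is below the threshold, 'partitioned' once it is reached."""
        if entered == self.certificate_password:
            return "allowed"
        self.wrong_attempts += 1
        if self.wrong_attempts < self.max_wrong:
            return "pending"
        self.partition(regions)
        return "partitioned"

    def partition(self, regions):
        """Divide the memory space into protection areas by security level."""
        self.areas = {lvl: [] for lvl in Level}
        for r in regions:
            # untagged data is treated as third level (ordinary, readable)
            self.areas[self.tag_levels.get(r.tag, Level.THIRD)].append(r)
        return self.areas

    def _allocate(self, size):
        """Hand out a new (simulated) memory space area of the given size."""
        addr = self.next_addr
        self.next_addr += max(size, 1)
        return addr

    def handle_read(self, region_name):
        """Answer a read request with data matching the area's security level.
        Returns (level, address of the reallocated area or None, payload)."""
        if self.areas is None:
            raise RuntimeError("memory space has not been partitioned yet")
        for lvl, regs in self.areas.items():
            for r in regs:
                if r.name != region_name:
                    continue
                if lvl is Level.FIRST:
                    # reallocate a blank area and hand back only its address
                    addr = self._allocate(len(r.data))
                    return lvl, addr, bytes(len(r.data))
                if lvl is Level.SECOND:
                    # reallocate an area holding names only, never function logic
                    addr = self._allocate(len(r.symbols))
                    return lvl, addr, r.symbols
                return lvl, None, r.data          # third level: real contents
        raise KeyError(region_name)


if __name__ == "__main__":
    regions = [Region("login", "core", b"\x01\x02\x03\x04", ("verify_pin",)),
               Region("ui", "frame", b"\x10\x11", ("draw_button", "Theme")),
               Region("strings", "", b"hello", ())]
    comp = AntiDebugComponent({"core": Level.FIRST, "frame": Level.SECOND}, "s3cret", 3)
    for guess in ("bad", "bad", "bad"):
        print(comp.submit_password(guess, regions))
    for name in ("login", "ui", "strings"):
        print(name, comp.handle_read(name))
```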
Referring to fig. 4, fig. 4 is a schematic diagram of an anti-debugging device for an application in an embodiment of the invention. As shown in fig. 4, the apparatus 40 includes a detection module 401, an acquisition module 402, a processing module 403, a sending module 404, and an output module 405, configured to:
a detection module 401, configured to detect whether a target process that enters a memory space of an application to be protected exists;
an obtaining module 402, configured to obtain the data tag of the application to be protected if so;
the processing module 403 is configured to divide, according to the data tag, a memory space corresponding to the application to be protected into a plurality of protection areas with different security levels, where each protection area stores data matching with the security level of the protection area;
and the sending module 404 is configured to return, to the target process, data matching the security level of the target protection area when the data reading request of the target process for the target protection area is detected, where the target protection area is any one protection area of the plurality of protection areas.
In one possible implementation, the security level includes a first level, a second level, and a third level, wherein the first level is higher than the second level and the second level is higher than the third level.
In one possible implementation manner, the returning, to the target process, the data matching the security level of the target protection area includes:
a processing module 403, configured to reallocate a first memory space area for the application to be protected when the security level of the target protection area is the first level, where the first memory space area is a blank memory space area;
and the sending module 404 is configured to return, to the target process, an access address of the first memory space region, so that the target process obtains data from the first memory space region according to the access address.
In one possible implementation manner, the returning, to the target process, the data matching the security level of the target protection area includes:
a processing module 403, configured to reallocate a second memory space area for the application to be protected when the security level of the target protection area is the second level, where the second memory space area is used to store structural frame information of the application to be protected, and the structural frame information includes one or more of a function name, a class name, and a variable name;
And a sending module 404, configured to return, to the target process, the structure frame information of the target application stored in the second memory space area.
In one possible implementation manner, the returning, to the target process, the data matching the security level of the target protection area includes:
an obtaining module 402, configured to obtain, when the security level of the target protection area is the third level, data corresponding to the data reading request from the target protection area;
and a sending module 404, configured to return data corresponding to the data reading request to the target process.
In one possible implementation, the output module 405 is configured to output a prompting message for inputting a password;
an obtaining module 402, configured to obtain a password input for the prompt message;
and the processing module 403 is configured to execute the step of obtaining the data tag of the application to be protected if the input password is inconsistent with the certificate password of the application to be protected and the number of times of the input password error reaches a preset number of times threshold.
In a possible implementation manner, the obtaining module 402 is configured to obtain a system file of the mobile terminal and a port number currently in an on state;
And the processing module 403 is configured to execute the step of detecting whether the target process entering the memory space of the application to be protected exists if the system file does not include the file of the specified type and the port number does not include the preset port number.
In the embodiment of the invention, the anti-debugging system component running on the mobile terminal detects whether a target process entering the memory space of the application to be protected exists or not, if yes, the data tag of the application to be protected is obtained through the obtaining module 402, the memory space corresponding to the application to be protected is divided into a plurality of protection areas with different security levels according to the data tag, each protection area stores data matched with the security level of the protection area, when a data reading request of the target process to the target protection area is detected, the sending module 404 returns the data matched with the security level of the target protection area to the target process, and the target protection area is any protection area in the plurality of protection areas.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a terminal according to an embodiment of the present invention. As shown in fig. 5, the terminal includes: at least one processor 501, an input device 503, an output device 504, a memory 505, and at least one communication bus 502. The communication bus 502 is used to enable communication connections between these components. The input device 503 may be a control panel, a microphone, or the like, and the output device 504 may be a display screen or the like. The memory 505 may be a high-speed RAM memory or a non-volatile memory, such as at least one magnetic disk memory. The memory 505 may also optionally be at least one storage device located remotely from the processor 501. A set of program code may be stored in the memory 505, and the processor 501, the input device 503 and the output device 504 may call the program code stored in the memory 505 to perform the following:
detecting whether a target process entering a memory space of an application to be protected exists or not;
if yes, acquiring the data tag of the application to be protected;
dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and storing data matched with the security level of the protection area in each protection area;
And when the data reading request of the target process to the target protection area is detected, returning the data matched with the security level of the target protection area to the target process, wherein the target protection area is any one protection area in the plurality of protection areas.
In one possible implementation, the security level includes a first level, a second level, and a third level, wherein the first level is higher than the second level and the second level is higher than the third level.
In one possible implementation, the processor 501 is configured to:
under the condition that the security level of the target protection area is the first level, reallocating a first memory space area for the application to be protected, wherein the first memory space area is a blank memory space area;
and returning the access address of the first memory space region to the target process, so that the target process acquires data from the first memory space region according to the access address.
In one possible implementation, the processor 501 is configured to:
under the condition that the security level of the target protection area is the second level, reallocating a second memory space area for the application to be protected, wherein the second memory space area is used for storing structural frame information of the application to be protected, and the structural frame information comprises one or more of function names, class names and variable names;
And returning the structure frame information of the target application stored in the second memory space region to the target process.
In one possible implementation, the processor 501 is configured to:
acquiring data corresponding to the data reading request from the target protection area under the condition that the security level of the target protection area is the third level;
and returning the data corresponding to the data reading request to the target process.
In one possible implementation, the processor 501 is further configured to:
outputting a prompting message of password input;
acquiring a password input for the prompt message;
and if the input password is inconsistent with the certificate password of the application to be protected and the number of times of input password errors reaches a preset number of times threshold, executing the step of acquiring the data tag of the application to be protected.
In one possible implementation, the processor 501 is further configured to:
acquiring a system file of the mobile terminal and a port number in a current opening state;
and if the system file does not comprise the file of the appointed type and the port number does not comprise the preset port number, executing the step of detecting whether the target process entering the memory space of the application to be protected exists.
In the embodiment of the present invention, the processor 501 detects whether there is a target process entering a memory space of an application to be protected, if yes, a data tag of the application to be protected is obtained, and the memory space corresponding to the application to be protected is divided into a plurality of protection areas with different security levels according to the data tag, each protection area stores data matched with the security level of the protection area, when a data reading request of the target process to the target protection area is detected, the data matched with the security level of the target protection area is returned to the target process, the target protection area is any protection area of the plurality of protection areas, and by implementing the method, important information of the application to be protected is protected in a grading manner by using the protection areas with different security levels, thereby effectively reducing the risk that the information of the application to be protected is leaked.
It should be appreciated that in embodiments of the present invention, the processor 501 may be a central processing unit (Central Processing Unit, CPU), or may be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The bus 502 can be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc., and the bus 502 can be divided into an address bus, a data bus, a control bus, etc. Fig. 5 shows only one bold line for ease of illustration, but this does not mean that there is only one bus or only one type of bus.
The embodiment of the present invention also provides a computer storage medium having stored therein program instructions for implementing the corresponding method described in the above embodiment when executed.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present invention is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present invention. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred, and that the acts and modules involved are not necessarily essential to the invention.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative: the above-described division of units is merely a division of logical functions, and there may be other ways of dividing in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection via some interfaces, devices or units, and may be in electrical or other forms.
The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units described above, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc., in particular a processor in the computer device) to perform all or part of the steps of the above-mentioned method of the various embodiments of the present invention. The aforementioned storage medium may comprise: a U-disk, a removable hard disk, a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), or the like.
The above embodiments are only for illustrating the technical solution of the present invention, and not for limiting the same; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. An anti-debugging method of an application, the method being applied to an anti-debugging system component running on a mobile terminal, the method comprising:
detecting whether a target process entering a memory space of an application to be protected exists or not;
if yes, acquiring the data tag of the application to be protected from a machine code in a compiler; the data tag is generated and stored in a machine code by the compiler after the machine code is generated for the marked function information, variable information and class information in the application to be protected;
dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and storing data matched with the security level of the protection area in each protection area;
when a data reading request of the target process to a target protection area is detected, returning data matched with the security level of the target protection area to the target process, wherein the target protection area is any one protection area in the plurality of protection areas; when the security level of the target protection area is a first level, the target protection area is a first memory space area, and the first memory space area is a blank memory space area; and when the security level of the target protection area is the second level, the target protection area is a second memory space area, and the real memory address and the memory size of the first memory space area can be accessed with the second memory space area.
2. The method of claim 1, wherein the security level comprises a first level, a second level, and a third level, wherein the first level is higher than the second level and the second level is higher than the third level.
3. The method of claim 2, wherein the returning data to the target process that matches the security level of the target protection zone comprises:
under the condition that the security level of the target protection area is the first level, reallocating a first memory space area for the application to be protected, wherein the first memory space area is a blank memory space area;
and returning the access address of the first memory space region to the target process, so that the target process acquires data from the first memory space region according to the access address.
4. The method of claim 2, wherein the returning data to the target process that matches the security level of the target protection zone comprises:
under the condition that the security level of the target protection area is the second level, reallocating a second memory space area for the application to be protected, wherein the second memory space area is used for storing structural frame information of the application to be protected, and the structural frame information comprises one or more of function names, class names and variable names;
And returning the structural frame information of the application to be protected stored in the second memory space region to the target process.
5. The method of claim 2, wherein the returning data to the target process that matches the security level of the target protection zone comprises:
acquiring data corresponding to the data reading request from the target protection area under the condition that the security level of the target protection area is the third level;
and returning the data corresponding to the data reading request to the target process.
6. The method of claim 1, wherein after detecting whether a target process entering the memory space of the application to be protected exists, and before acquiring the data tag of the application to be protected from the machine code in the compiler, the method further comprises:
outputting a prompting message of password input;
acquiring a password input for the prompt message;
and if the input password is inconsistent with the certificate password of the application to be protected and the number of times of password errors input reaches a preset number of times threshold, executing the step of acquiring the data tag of the application to be protected from the machine code in the compiler.
7. The method according to any of claims 1-6, wherein before detecting whether there is a target process entering a memory space of an application to be protected, the method further comprises:
acquiring a system file of the mobile terminal and a port number in a current opening state;
and if the system file does not comprise the file of the appointed type and the port number does not comprise the preset port number, executing the step of detecting whether the target process entering the memory space of the application to be protected exists.
8. An anti-debugging device for an application, the device comprising:
the detection module is used for detecting whether a target process entering a memory space of the application to be protected exists or not;
the acquisition module is used for acquiring the data tag of the application to be protected from the machine code in the compiler if so; the data tag is generated and stored in a machine code by the compiler after the machine code is generated for the marked function information, variable information and class information in the application to be protected;
the processing module is used for dividing the memory space corresponding to the application to be protected into a plurality of protection areas with different security levels according to the data tag, and each protection area stores data matched with the security level of the protection area;
The sending module is used for returning data matched with the security level of the target protection area to the target process when the data reading request of the target process to the target protection area is detected, wherein the target protection area is any one protection area in the plurality of protection areas; when the security level of the target protection area is a first level, the target protection area is a first memory space area, and the first memory space area is a blank memory space area; and when the security level of the target protection area is the second level, the target protection area is a second memory space area, and the real memory address and the memory size of the first memory space area can be accessed with the second memory space area.
9. A terminal comprising a processor, an input device, an output device, a memory and a network interface, the processor, the input device, the output device, the memory and the network interface being interconnected, wherein the memory is adapted to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-7.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method of any of claims 1-7.
Application CN202010481880.4A, priority date 2020-05-29, filing date 2020-05-29: Anti-debugging method of application, related device and storage medium (Active, CN111625784B, en)


Publications (2)

CN111625784A (en), published 2020-09-04
CN111625784B (en), published 2023-09-12

Family

ID=72272285


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant