CN112989323B - Process detection method, device, terminal and storage medium - Google Patents
Process detection method, device, terminal and storage medium
- Publication number: CN112989323B (application CN202110150374.1A)
- Authority: CN (China)
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The application belongs to the technical field of terminals, and particularly relates to a process detection method, a process detection device, a terminal and a storage medium. The process detection method comprises the following steps: when detecting that a first process in an operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identifier of the current parent process; when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, acquiring call information of the first process to the target interface, wherein the second parent process identifier is the parent process identifier of a history parent process, and the history parent process is the parent process of a second process that previously called the target interface; and when the call information of the first process on the target interface meets the heap spraying condition information, determining that the first process is in a heap spraying state. By adopting the method and the device, the accuracy of process detection can be improved.
Description
Technical Field
The application belongs to the technical field of terminals, and particularly relates to a process detection method, a process detection device, a terminal and a storage medium.
Background
With the continuous development of terminal technology, the operating systems supported by terminals also develop rapidly. When a vulnerability exists in the operating system of the terminal, the security of the terminal may be reduced. For example, when the operating system of the terminal has a logic defect or error, a user can exploit it to reduce the security of the operating system of the terminal.
Disclosure of Invention
The embodiment of the application provides a process detection method, a device, a terminal and a storage medium, which can improve the accuracy of process detection. The technical scheme of the embodiment of the application is as follows:
in a first aspect, an embodiment of the present application provides a process detection method, where the method includes:
when detecting that a first process in an operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identification of the current parent process;
when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, acquiring call information of the first process to the target interface, wherein the second parent process identifier is the parent process identifier of a history parent process, and the history parent process is the parent process of a second process that previously called the target interface;
and when the call information of the first process on the target interface meets the heap spraying condition information, determining that the first process is in a heap spraying state.
In a second aspect, an embodiment of the present application provides a process detection apparatus, where the apparatus includes:
an identification acquisition unit, configured to acquire a current parent process of a first process when detecting that the first process in an operating system calls a target interface, and to acquire a first parent process identifier of the current parent process;
an information acquisition unit, configured to acquire call information of the first process to the target interface when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, wherein the second parent process identifier is the parent process identifier of a history parent process, and the history parent process is the parent process of a second process that previously called the target interface;
and a state determining unit, configured to determine that the first process is in a heap spraying state when the call information of the first process on the target interface meets the heap spraying condition information.
In a third aspect, a terminal comprises a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the method of any of the first aspects when executing the computer program.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method as described in any of the preceding claims.
In a fifth aspect, embodiments of the present application provide a computer program product, wherein the computer program product comprises a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps as described in the first aspect of the embodiments of the present application. The computer program product may be a software installation package.
The technical scheme provided by some embodiments of the present application has at least the following beneficial effects:
in one or more embodiments of the present application, when it is detected that a first process calls a target interface in an operating system, a current parent process of the first process may be obtained, and a first parent process identifier of the current parent process is obtained; when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, call information of the first process on the target interface is obtained; and when the call information of the first process on the target interface meets the heap-spraying condition information, it is determined that the first process is in a heap-spraying state. Therefore, when the first parent process identifier is consistent with the second parent process identifier and the call information of the first process to the target interface meets the heap spraying condition information, the first process is determined to be in a heap spraying state. Whether the first process is in a heap spraying state can thus be detected, the cases in which the heap spraying state of a process cannot be detected are reduced, and the accuracy of process detection can be improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic background diagram of a process detection method applied to an embodiment of the present application;
FIG. 2 is a schematic background diagram of a process detection method applied to an embodiment of the present application;
FIG. 3 shows a system architecture diagram of a process detection method applied to an embodiment of the present application;
FIG. 4 is a flow chart of a process detection method according to an embodiment of the present application;
FIG. 5 is a flow chart of a process detection method according to an embodiment of the present application;
FIG. 6 is a flow chart of a process detection method according to an embodiment of the present application;
FIG. 7 shows an exemplary schematic diagram of a terminal interface according to an embodiment of the present application;
FIG. 8 shows an exemplary schematic diagram of a terminal interface according to an embodiment of the present application;
FIG. 9 is a flow chart of a process detection method according to an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a process detection device according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a process detection device according to an embodiment of the present application;
FIG. 12 is a schematic structural diagram of a process detection device according to an embodiment of the present application;
FIG. 13 is a schematic structural diagram of a process detection device according to an embodiment of the present application;
FIG. 14 is a schematic structural diagram of a process detection device according to an embodiment of the present application;
FIG. 15 is a schematic structural diagram of a process detection device according to an embodiment of the present application;
FIG. 16 shows a schematic structural diagram of a terminal according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only a part of the embodiments of the present application, but not all the embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
In the description of the present application, it should be understood that the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. In the description of the present application, it is to be understood that the terms "comprise" and "have," and any variations thereof, are intended to cover non-exclusive inclusions, unless otherwise specifically defined. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those listed steps or elements but may include other steps or elements not listed or inherent to such process, method, article, or apparatus. The specific meaning of the terms in this application will be understood by those of ordinary skill in the art in a specific context. Furthermore, in the description of the present application, unless otherwise indicated, "a plurality" means two or more. "and/or" describes an association relationship between associated objects and indicates that three relationships may exist; for example, "A and/or B" may indicate that A exists alone, A and B exist together, or B exists alone. The character "/" generally indicates that the objects on either side are in an "or" relationship.
With the continuous development of terminal technology, the operating systems supported by terminals also develop rapidly. When a vulnerability exists in the operating system of the terminal, the security of the terminal may be reduced. For example, when the operating system of the terminal has a logic defect or error, a user can exploit it to reduce the security of the operating system of the terminal. Heap spraying (Heap Spray) is an exploitation technique: a user can combine heap spraying with triggering a vulnerability so that, when the vulnerability is triggered, a function is hijacked and malicious code runs, which lowers the security of the operating system of the terminal. However, the terminal cannot detect the heap-spraying state of a process, so the process detection accuracy is low and the security of the operating system of the terminal is low.
Fig. 1 illustrates a schematic view of a process detection method applied to an embodiment of the present application, according to some embodiments. An exemplary terminal interface when a user browses information using the terminal may be as shown in fig. 1. When the terminal cannot detect the heap-spraying state of a process, the security of the terminal may be reduced. When the terminal is in an exploited state, the terminal interface may be as shown in fig. 2; the user of the terminal cannot use the terminal at this time, so the convenience of using the terminal is reduced and the user is inconvenienced.
The execution subject of the embodiments of the present application is a terminal having an operating system, including but not limited to: wearable devices, handheld devices, personal computers, tablet computers, vehicle-mounted devices, smart phones, computing devices, or other processing devices connected to a wireless modem, etc. Terminal devices in different networks may be called by different names, for example: an electronic device, a user device, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent or user equipment, a cellular telephone, a cordless telephone, a personal digital assistant (PDA), a terminal device in a fifth generation mobile communication technology (5G) network or a future evolution network, and the like. The terminal is provided with an operating system that runs on the terminal; the operating system is the program that manages and controls the terminal hardware and terminal applications, and is an indispensable system application of the terminal. The operating system may be an Android system, an iOS system, a Windows Phone (WP) system, a Ubuntu mobile operating system, and the like.
Fig. 3 shows a system architecture diagram applied to a process detection method of an embodiment of the present application. As shown in fig. 3, a process 100 in the operating system of the terminal with the operating system 10 may call an interface 200 to implement a data communication process. The embodiment of the application provides a process detection method, when a terminal detects that a first process calls a target interface in an operating system, the terminal can acquire a current parent process of the first process, acquire a first parent process identification of the current parent process, acquire call information of the first process to the target interface when the first parent process identification is consistent with a second parent process identification recorded in a global variable, and determine that the first process is in a heap spraying state when the call information of the first process to the target interface meets heap spraying condition information. By adopting the method and the device, the accuracy of process detection can be improved.
The present application is described in detail with reference to specific examples.
In one embodiment, as shown in fig. 4, a process detection method is proposed, which may be implemented in dependence on a computer program, and may be run on a terminal based on a system with an operating system. The computer program may be integrated in the application or may run as a stand-alone tool class application.
Specifically, the process detection method includes:
S101, when detecting that a first process in an operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identifier of the current parent process;
according to some embodiments, an operating system (OS) refers to the system in a terminal that performs functions such as managing and configuring memory and prioritizing the supply and demand of system resources, including but not limited to Linux operating systems, Windows operating systems, and the like. The operating system of the embodiment of the application may be, for example, a Linux operating system. The Linux operating system is a clone system developed based on the UNIX operating system, and processes in the Linux operating system can call interfaces to implement data communication functions.
It is easy to understand that a Process (Process) is a running activity of a program in a computer on a certain data set, is a basic unit of resource allocation and scheduling by a system, and is a basis of an operating system structure. A process is an entity. The first process refers to a process which is detected by the operating system and calls the target interface. The first process is not specific to a fixed process. When the point in time detected by the terminal changes, the first process will also change accordingly. When the target interface changes, the first process will also change accordingly.
According to some embodiments, the interface refers to a communication rule in the terminal for implementing data communication. The interface is a shared boundary for two independent components in the operating system to exchange information. The target interface refers to an interface called by a first process in the operating system. The target interface is not specific to a fixed interface. When the interface called by the first process in the operating system changes, the target interface also changes accordingly.
It is readily understood that a Parent Process (Parent Process) refers to a Process that has created one or more child processes. In an operating system, a parent process of a child process is unique. The current parent process refers to the parent process of the first process. The current parent process is not specific to a particular fixed parent process. When a first process changes, the current parent process of the first process will also change accordingly. When a first process is determined, the current parent process of the first process is also determined.
According to some embodiments, a parent process identifier (PPID) is an identifier that uniquely identifies a parent process, i.e., one parent process has one and only one identifier. The first parent process identifier refers to the identifier corresponding to the current parent process, namely the identifier corresponding to the current parent process of the first process. The first parent process identifier does not refer to a specific fixed parent process identifier. When the first process changes, the current parent process of the first process also changes correspondingly, and the first parent process identifier changes correspondingly as well.
According to some embodiments, when the terminal detects that the first process in the operating system calls the target interface, the terminal may acquire the current parent process of the first process. When the terminal acquires the current parent process of the first process, the terminal can acquire the first parent process identification of the current parent process. For example, when the terminal detects that the A process in the Linux system calls the B interface, the terminal can acquire the current parent process of the A process. The current parent process acquired by the terminal may be, for example, an A1 parent process. The terminal may obtain a first parent process identification of the A1 parent process. The first parent process identifier of the A1 parent process acquired by the terminal may be 587946125, for example.
S102, when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, acquiring call information of the first process on the target interface, wherein the second parent process identifier is the parent process identifier of the history parent process, and the history parent process is the parent process of the second process that previously called the target interface;
according to some embodiments, variables are divided into local variables and global variables. Local variables, which may also be called internal variables, are created by an object or function and can only be referenced inside it; they cannot be referenced by other objects or functions. Global variables, also called external variables, may be created in an object or function or anywhere within the operating system. A global variable is a variable that can be accessed by all processes within the present operating system.
It is readily understood that the second parent process identifier refers to the parent process identifier of the history parent process. The history parent process is the parent process of the second process that previously called the target interface. The second process refers to a process that previously called the target interface in the operating system. The second parent process identifier does not refer to a specific fixed parent process identifier. When the second process changes, the history parent process of the second process also changes correspondingly, and the second parent process identifier changes correspondingly as well. The history parent process is not a specific fixed parent process. When the second process changes, the history parent process will also change accordingly.
According to some embodiments, the call information of the first process on the target interface refers to call information corresponding to the call of the first process on the target interface. When the terminal detects that a first process call target interface exists in the operating system and obtains the current parent process of the first process and the first parent process identification of the current parent process, the terminal can detect whether the first parent process identification is consistent with the second parent process identification in the global variable. When the terminal detects that the first parent process identifier is consistent with the second parent process identifier, the terminal can acquire the call information of the first process on the target interface.
It is easy to understand that, for example, when the terminal detects that the A process in the Linux system invokes the B interface, the terminal may acquire the current parent process of the A process. The current parent process acquired by the terminal may be, for example, an A1 parent process. The terminal may obtain a first parent process identifier of the A1 parent process. The first parent process identifier of the A1 parent process acquired by the terminal may be 587946125, for example. When the terminal detects that the first parent process identifier 587946125 is consistent with the second parent process identifier 587946125 in the global variable, the terminal can acquire call information of the A process to the B interface.
S103, when the call information of the first process to the target interface meets the heap spraying condition information, determining that the first process is in a heap spraying state.
In accordance with some embodiments, heap spraying is an exploitation technique. Before a vulnerability is triggered, a process of the operating system may be in a heap-spray state. The heap-spray state refers to the state of a first process that frequently calls the target interface. The heap spraying condition information refers to the condition information used to detect whether the first process is in a heap-spray state. The heap spraying condition information is not limited to a certain fixed condition information. For example, when the first process changes, the heap spraying condition information may also change accordingly.
It is easy to understand that when the terminal detects that the first parent process identifier is consistent with the second parent process identifier in the global variable, the terminal can acquire call information of the first process to the target interface. When the terminal acquires the call information of the first process to the target interface, the terminal can detect whether the call information of the first process to the target interface meets the heap-spraying condition information. When the terminal detects that the call information of the first process on the target interface meets the heap spraying condition information, the terminal can determine that the first process is in a heap spraying state.
According to some embodiments, for example, when the terminal detects that an A process in the Linux system invokes the B interface, the terminal may acquire the current parent process of the A process. The current parent process acquired by the terminal may be, for example, an A1 parent process. The terminal may obtain a first parent process identifier of the A1 parent process. The first parent process identifier of the A1 parent process acquired by the terminal may be 587946125, for example. When the terminal detects that the first parent process identifier 587946125 is consistent with the second parent process identifier 587946125 in the global variable, the terminal can acquire call information of the A process to the B interface. When the terminal detects that the call information of the A process to the B interface meets the heap spraying condition information, the terminal can determine that the A process is in a heap spraying state.
In one or more embodiments of the present application, when it is detected that a first process calls a target interface in an operating system, a current parent process of the first process may be obtained, and a first parent process identifier of the current parent process is obtained; when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, call information of the first process on the target interface is obtained; and when the call information of the first process on the target interface meets the heap-spraying condition information, it is determined that the first process is in a heap-spraying state. Therefore, when the first parent process identifier is consistent with the second parent process identifier and the call information of the first process to the target interface meets the heap spraying condition information, the first process is determined to be in a heap spraying state. Whether the first process is in a heap spraying state can thus be detected, the cases in which the heap spraying state of a process cannot be detected are reduced, and the accuracy of process detection can be improved. In addition, by detecting the process in this way, the cases in which the security of the operating system of the terminal is low because the heap-spraying state of a process cannot be detected are reduced, and the security of the operating system can be improved.
Referring to fig. 5, a flow chart of a process detection method is provided in an embodiment of the present application. As shown in fig. 5, the method includes the following steps S201 to S207.
S201, when it is detected that a first process in the operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identifier of the current parent process;
S202, when the first parent process identifier is inconsistent with the second parent process identifier recorded in the global variable, storing the current parent process identifier in the global variable, and clearing the call information of the second process on the target interface from the global variable;
According to some embodiments, a global variable, also called an external variable, may be defined inside a function or anywhere else in the program that implements the detection in the operating system. A global variable is a variable that can be accessed by all processes within the operating system, so the detection keeps a single shared record rather than one record per process.
It is readily understood that the second parent process identifier refers to the parent process identifier of the historical parent process, that is, the parent process of the second process, where the second process is a process that previously called the target interface in the operating system. Neither the second parent process identifier nor the historical parent process refers to a fixed value: when the second process changes, the historical parent process changes accordingly, and so does the second parent process identifier.
According to some embodiments, the call information of the first process on the target interface refers to the call information corresponding to the call of the first process on the target interface. Fig. 6 shows a flowchart of a process detection method according to an embodiment of the present application. As shown in fig. 6, when the terminal detects that the first process in the operating system calls the target interface and obtains the current parent process of the first process and the first parent process identifier of that parent process, the terminal may detect whether the first parent process identifier is consistent with the second parent process identifier in the global variable. When the terminal detects that the two identifiers are inconsistent, the terminal can store the current parent process identifier in the global variable and clear the call information of the second process on the target interface from the global variable. Storing the current parent process identifier in the global variable means, for example, that the terminal replaces the second parent process identifier in the global variable with the first parent process identifier; equivalently, the terminal deletes the second parent process identifier from the global variable, writes the first parent process identifier, and clears the call information of the second process on the target interface.
It is readily understood that the first process may be, for example, process A and the second process may be, for example, process C. For example, when the terminal detects that process A in the Linux system calls interface B, the terminal can acquire the current parent process of process A, which may be, for example, parent process A1, and obtain its first parent process identifier, for example 587946125. When the terminal detects that the first parent process identifier 587946125 is inconsistent with the second parent process identifier 587946127 in the global variable, the terminal can store the first parent process identifier 587946125 in the global variable and clear the call information of process C on interface B. The call information of process C on interface B includes, but is not limited to, the call time information and the call count information of process C calling interface B. The call count information is the count, stored in the global variable, of the calls of process C to interface B.
S203, when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, acquiring the call information of the first process on the target interface, wherein the second parent process identifier is the parent process identifier of the historical parent process, and the historical parent process is the parent process of the second process that previously called the target interface;
The specific process is as described above, and will not be described here again.
According to some embodiments, the call information in the present application includes current time information and count information. The current time information is the time at which the first process called the target interface, taken when the terminal detects that the first process in the operating system calls the target interface. The count information refers to the number of times the first process has called the target interface; the embodiments of the present application describe the count information using this number of calls as an example.
It is readily understood that the current time information may be, for example, absolute time information such as a UNIX timestamp, i.e., the number of seconds elapsed since the UNIX epoch, 1970-01-01 00:00:00 UTC, at a resolution of one second. Because the timestamp has one-second resolution, two calls whose current time information is "consistent" are calls that fell within the same second.
Optionally, the count information recorded in the global variable includes count information corresponding to each interface, that is, the global variable records a separate count for each interface, so that the detection of the first process is not affected by other processes calling other interfaces, and the accuracy of process detection may be improved. When the count information is the number of calls to an interface, for example, the global variable may record that the first process has called interface A 100 times, a third process has called interface Q 120 times, a fourth process has called interface W 110 times, and a fifth process has called interface E 140 times.
S204, global variable time information recorded in a global variable is obtained;
According to some embodiments, before the terminal detects whether the call information of the first process on the target interface meets the heap-spraying condition information, the terminal may acquire the global variable time information recorded in the global variable. The global variable time information is the time at which the second process called the target interface, the second process being a process that previously called the target interface.
It is readily understood that the global variable time information may likewise be, for example, a UNIX timestamp, i.e., the number of seconds elapsed since the UNIX epoch, 1970-01-01 00:00:00 UTC, at a resolution of one second.
S205, when the current time information is consistent with the global variable time information and the count information is greater than a count threshold, determining that the first process is in a heap-spraying state;
According to some embodiments, once the terminal has obtained the call information of the first process on the target interface, that is, the current time information and the count information, and has obtained the global variable time information recorded in the global variable, the terminal may detect whether the current time information is consistent with the global variable time information and whether the count information is greater than the count threshold. When both hold, the terminal can determine that the first process is in a heap-spraying state. In other words, when the terminal detects that the same interface has been called more than the threshold number of times within the same one-second window, it determines that the first process is in a heap-spraying state. Performing this process detection supports process defence as well as detection: the terminal can strengthen its defence against attacks made when a process calls an interface, improve the integrity of process execution, and make the process harder to exploit.
It is readily understood that the count threshold refers to the threshold against which the count information is compared. The count threshold may be set based on a threshold-setting instruction entered by a user, or may be set when the terminal leaves the factory; it is not a fixed value. For example, when the terminal receives a modification instruction for the count threshold from the user, the terminal may modify the count threshold based on that instruction. The modification instruction includes, but is not limited to, a voice threshold modification instruction, a click threshold modification instruction, a timed threshold modification instruction, and the like. The threshold modification instruction received by the terminal may be, for example, a click threshold modification instruction, in which case the terminal modifies the count threshold based on that click threshold modification instruction. An exemplary schematic of the terminal interface at this point may be as shown in fig. 7.
Alternatively, the count threshold may be, for example, 200. The current time information acquired by the terminal may be, for example, 2019-10-01 12:00:00, and the global variable time information recorded in the global variable may likewise be 2019-10-01 12:00:00. The count information of the first process (process A) on the target interface (interface B) acquired by the terminal may be, for example, 350. Having acquired the current time information and the global variable time information, the terminal can detect whether the two are consistent and whether the count information is greater than the count threshold. When the terminal detects that the current time information 2019-10-01 12:00:00 is consistent with the global variable time information 2019-10-01 12:00:00, and that the count information 350 is greater than the count threshold 200, the terminal determines that process A is in a heap-spraying state.
S206, stopping execution of the first process, and resetting the call information of the first process on the target interface in the global variable;
According to some embodiments, when the terminal detects that the current time information is consistent with the global variable time information and the count information is greater than the count threshold, that is, when the call information of the first process on the target interface meets the heap-spraying condition information, the terminal may determine that the first process is in a heap-spraying state. The terminal can then stop executing the first process and reset the call information of the first process on the target interface in the global variable; at this point the information recorded in the global variable is the call information of the first process calling the target interface. The rationale is that an exploit performs a large number of heap allocation operations before it is triggered, so a particular interface is called frequently by the same process within a short period of time. Therefore, when the terminal determines that the first process is in a heap-spraying state, that is, the target interface carries an exploitation risk, stopping execution of the first process reduces that risk and improves the security of the operating system in the terminal. In addition, resetting the call information of the first process on the target interface in the global variable reduces the influence of that call information on the detection of the next process, so the accuracy of the terminal's detection of the next process can be improved.
It is readily understood that the step of stopping execution of the first process and the step of resetting the call information of the first process on the target interface in the global variable may be performed simultaneously, or in either order.
Continuing the example above (count threshold 200, current time information and global variable time information both 2019-10-01 12:00:00, count information 350), when the terminal determines that process A is in a heap-spraying state, the terminal can stop executing process A and reset the call information of process A on interface B in the global variable, namely the current time information and the count information of process A calling interface B.
S207, acquiring process information of the first process, storing the process information, and issuing prompt information based on the process information.
According to some embodiments, when the terminal detects that the current time information is consistent with the global variable time information and the count information is greater than the count threshold, that is, when the call information of the first process on the target interface meets the heap-spraying condition information, the terminal may determine that the first process is in a heap-spraying state. The terminal can then acquire the process information of the first process, store it, and issue prompt information based on it. The process information includes, but is not limited to, the process identifier of the first process, the current parent process identifier of its current parent process, the target interface information, and the information that the first process is in a heap-spraying state. The prompt information may be, for example, a prompt that the first process is in a heap-spraying state, and may include at least one item of the process information.
It will be readily appreciated that the terminal may place an instrumentation point (a tracking point) in the process detection routine ahead of the determination that the first process is in a heap-spraying state. When the terminal determines that the first process is in a heap-spraying state, the instrumentation point is triggered, so that the terminal acquires and stores the process information of the first process. Storing this process information provides important data support for threat intelligence analysis and malicious behaviour analysis.
Alternatively, the terminal may store the process information in its own memory, or may send the process information to a server for storage, i.e., when the server receives the process information sent by the terminal, the server stores it.
According to some embodiments, when the terminal obtains the process information of the first process, the terminal may report the process information, for example to a daemon. The daemon may be a component of the terminal's operating system that collects the information that the first process is in a heap-spraying state, and may be a pre-set process; the specific daemon is not limited by the embodiments of the present application.
Continuing the example above (count threshold 200, current time information and global variable time information both 2019-10-01 12:00:00, count information 350), when the terminal determines that process A is in a heap-spraying state, the prompt information issued by the terminal may be, for example, "process A is in a heap-spraying state, please handle it promptly". An exemplary schematic of the terminal interface at this point may be as shown in fig. 8.
According to some embodiments, the manner in which the terminal issues the prompt information includes, but is not limited to, a presentation manner, a vibration manner, a flashing manner, and the like. The presentation manner includes, but is not limited to, an on-screen display and an audible prompt.
According to some embodiments, the terminal may perform steps S206 and S207 together, or may perform only one of them.
In one or more embodiments of the present application, when it is detected that a first process in an operating system calls a target interface, the current parent process of the first process and its first parent process identifier are obtained; when the first parent process identifier is inconsistent with the second parent process identifier recorded in the global variable, the current parent process identifier is stored in the global variable and the call information of the second process on the target interface is cleared from it, and when the first process is not in a heap-spraying state, the current parent process identifier and the call information of the first process on the target interface are stored in the global variable so that the terminal can detect the next process. Secondly, when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, the call information of the first process on the target interface, comprising current time information and count information, is obtained, so that once the global variable time information recorded in the global variable has been obtained, the first process is determined to be in a heap-spraying state when the current time information is consistent with the global variable time information and the count information is greater than the count threshold, which improves the accuracy of process detection.
In addition, when the first process is in a heap-spraying state, its execution can be stopped and its call information on the target interface in the global variable reset, which reduces the risk of vulnerability exploitation, improves the security of the operating system in the terminal, reduces the influence of that call information on the detection of the next process, and improves the accuracy of the terminal's detection of the next process. Finally, when the first process is in a heap-spraying state, its process information can be acquired and prompt information issued based on it, so that the time the first process spends in a heap-spraying state can be shortened, the probability of the terminal's operating system being exploited through a vulnerability is reduced, and the security of the terminal's operating system is improved.
Referring to fig. 9, a flow chart of a process detection method is provided in an embodiment of the present application. As shown in fig. 9, the method includes the following steps S301 to S305.
S301, when it is detected that a first process in the operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identifier of the current parent process;
S302, when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, acquiring the call information of the first process on the target interface, wherein the second parent process identifier is the parent process identifier of the historical parent process, and the historical parent process is the parent process of the second process that previously called the target interface;
According to some embodiments, the call information in the present application includes current time information and count information. The current time information is the time at which the first process called the target interface, taken when the terminal detects that the first process in the operating system calls the target interface. The count information refers to the number of times the first process has called the target interface; the embodiments of the present application describe the count information using this number of calls as an example.
S303, acquiring chip information of the terminal chip, and acquiring the heap-spraying condition information corresponding to the chip information;
According to some embodiments, before the terminal detects whether the call information of the first process on the target interface meets the heap-spraying condition information, the terminal may acquire the chip information of the terminal chip, different terminal chips having different chip information. Once the terminal has the chip information, it can obtain the heap-spraying condition information corresponding to that chip information. Because different chips correspond to different heap-spraying condition information, selecting the condition information by the chip information of the terminal chip improves the accuracy of process detection.
It is readily understood that when the terminal obtains the chip information of the terminal chip, the terminal may obtain the corresponding heap-spraying condition information from a server, for example, or directly from the memory of the terminal.
Optionally, before the terminal detects whether the call information of the first process on the target interface meets the heap-spraying condition information, the terminal may acquire the chip information of the terminal chip. The chip information includes, but is not limited to, a chip identifier, a chip size, and the like. The chip information acquired by the terminal may be, for example, a chip identifier, such as the R chip identifier; the heap-spraying condition information corresponding to the R chip identifier may be, for example, that the current time information is consistent with the global variable time information recorded in the global variable and the count information is greater than 200. The chip identifier may also be, for example, the T chip identifier, for which the heap-spraying condition information may be, for example, that the current time information is consistent with the global variable time information recorded in the global variable and the count information is greater than 400.
S304, when the call information of the first process on the target interface does not meet the heap-spraying condition information, acquiring the global variable time information in the global variable;
According to some embodiments, once the terminal has obtained the call information of the first process on the target interface and the heap-spraying condition information, the terminal may detect whether the call information meets the heap-spraying condition information. When it does not, the terminal can acquire the global variable time information in the global variable. When the call information consists of current time information and count information, the call information not meeting the heap-spraying condition information means, for example, that at least one of the following holds: the current time information is inconsistent with the global variable time information recorded in the global variable, or the count information is not greater than the count threshold.
It is readily understood that the heap-spraying condition information obtained by the terminal may be, for example, that the current time information is consistent with the global variable time information recorded in the global variable and the count information is greater than the count threshold 200. The current time information acquired by the terminal may be, for example, 2019-10-01 12:00:00, and the count information of the first process (process A) on the target interface (interface B) may be, for example, 100. When the terminal detects that the current time information is consistent with the global variable time information recorded in the global variable, but the count information 100 is less than the count threshold 200, the terminal can acquire the global variable time information recorded in the global variable.
S305, when the global variable time information is zero, storing the current time information in the global variable, and adding one to the count information;
According to some embodiments, when the terminal detects that the call information of the first process on the target interface does not meet the heap-spraying condition information and has obtained the global variable time information in the global variable, the terminal may detect whether the global variable time information is zero. Because the global variable time information defaults to zero after the terminal is started, checking for zero reduces the case in which a first process calling the target interface for the first time after start-up is misjudged to be in a heap-spraying state, and so improves the accuracy of process detection.
It is readily understood that when the terminal detects that the global variable time information is zero, the terminal may determine that the first process is not in a heap-spraying state, store the current time information in the global variable, and increment the count information by 1.
Alternatively, the heap-spraying condition information obtained by the terminal may be, for example, that the current time information is consistent with the global variable time information recorded in the global variable and the count information is greater than the count threshold 200. The current time information acquired by the terminal may be, for example, 2019-10-01 12:00:00, and the count information of the first process (process A) on the target interface (interface B) may be, for example, 100. When the terminal detects that the current time information is inconsistent with the global variable time information recorded in the global variable, and the count information 100 is less than the count threshold 200, the terminal can acquire the global variable time information recorded in the global variable. When the terminal detects that the global variable time information is zero, the terminal can store the current time information 2019-10-01 12:00:00 in the global variable and increment the count information by one, i.e., update it from 100 to 101.
S306, when the global variable time information is not zero, adding one to the count information.
According to some embodiments, when the terminal detects that the call information of the first process on the target interface does not meet the heap-spraying condition information and has obtained the global variable time information in the global variable, the terminal may detect whether the global variable time information is zero. When it is not zero, the terminal determines that the first process is not in a heap-spraying state and that this is not the first call of the target interface since the terminal was started, so the terminal adds 1 to the count information.
Alternatively, the heap-spraying condition information obtained by the terminal may be, for example, that the current time information is consistent with the global variable time information recorded in the global variable and the count information is greater than the count threshold 200. The current time information acquired by the terminal may be, for example, 2019-10-01 12:00:00, and the count information of the first process (process A) on the target interface (interface B) may be, for example, 100. When the terminal detects that the current time information is consistent with the global variable time information recorded in the global variable, but the count information 100 is less than the count threshold 200, the terminal can acquire the global variable time information recorded in the global variable. When the terminal detects that the global variable time information is not zero, the terminal increments the count information by one, i.e., updates it from 100 to 101.
In one or more embodiments of the present application, before detecting that the call information of the first process on the target interface meets the stacking condition information, the terminal may acquire chip information of the terminal chip, and acquire the stacking condition information corresponding to the chip information, so that accuracy of detection of the first process may be improved. And secondly, when the calling information of the first process on the target interface does not meet the heap spraying condition information, global variable time information in the global variable is obtained, when the global variable time information is zero, the current time information is stored in the global variable, and the counting information is increased by one, so that the condition that the first process in the operating system calls the target interface for the first time after the terminal is started up, misjudging that the first process is in a heap spraying state can be reduced, and the accuracy of process detection can be improved. In addition, when the global variable time information is not zero, the counting information is increased by one, so that the accuracy of the terminal on the detection of the next process can be improved.
The process detection device provided in the embodiments of the present application will be described in detail below with reference to fig. 10 to 15. It should be noted that, the process detection apparatus shown in fig. 10 to 15 is used to perform the method of the embodiment shown in fig. 4 to 9, and for convenience of explanation, only the portion relevant to the embodiment of the present application is shown, and specific technical details are not disclosed, please refer to the embodiment shown in fig. 4 to 9 of the present application.
Referring to fig. 10, a schematic structural diagram of a process detection apparatus according to an embodiment of the present application is shown. The process detection means 1000 may be implemented as all or part of a user terminal by software, hardware or a combination of both.
According to some embodiments, the process detection apparatus 1000 includes an identifier obtaining unit 1001, an information obtaining unit 1002, and a state determining unit 1003, specifically:
the identifier obtaining unit 1001 is configured to obtain, when it is detected that a first process in the operating system calls a target interface, a current parent process of the first process, and to obtain a first parent process identifier of the current parent process;
the information obtaining unit 1002 is configured to obtain, when the first parent process identifier is identical to a second parent process identifier recorded in the global variable, the call information of the first process on the target interface, where the second parent process identifier is the parent process identifier of a history parent process, and the history parent process is the parent process of a second process that called the target interface in the past;
the state determining unit 1003 is configured to determine that the first process is in a heap-spraying state when the call information of the first process on the target interface satisfies the heap-spraying condition information.
Fig. 11 is a schematic structural diagram of a process detection apparatus according to an embodiment of the present application. As shown in fig. 11, the process detection apparatus 1000 further includes an information clearing unit 1004, configured to, after the current parent process of the first process and its first parent process identifier have been obtained on detecting that the first process in the operating system calls the target interface, store the current parent process identifier in the global variable when the first parent process identifier is inconsistent with the second parent process identifier recorded there, and clear the call information of the second process on the target interface from the global variable.
According to some embodiments, the call information includes current time information and count information, and the state determining unit 1003, when determining that the first process is in a heap-spraying state because the call information of the first process on the target interface meets the heap-spraying condition information, is specifically configured to:
acquiring global variable time information recorded in a global variable;
and when the current time information is consistent with the global variable time information and the count information is greater than the count threshold, determining that the first process is in a heap spraying state.
Fig. 12 is a schematic structural diagram of a process detection apparatus according to an embodiment of the present application. As shown in fig. 12, the call information includes current time information and count information, and the process detection apparatus 1000 further includes a time information obtaining unit 1005 configured to, after the call information of the first process on the target interface has been obtained because the first parent process identifier is identical to the second parent process identifier recorded in the global variable, obtain the global variable time information in the global variable when that call information does not satisfy the heap-spraying condition information;
when the global variable time information is zero, storing the current time information into the global variable, and adding one to the count information;
The count information is incremented by one when the global variable time information is not zero.
Fig. 13 is a schematic structural diagram of a process detection device according to an embodiment of the present application. As shown in fig. 13, the process detection apparatus 1000 further includes an information resetting unit 1006, configured to stop executing the first process after determining that the first process is in the heap-spraying state when the call information of the first process to the target interface satisfies the heap-spraying condition information, and reset the call information of the first process to the target interface in the global variable.
Fig. 14 is a schematic structural diagram of a process detection apparatus according to an embodiment of the present application. As shown in fig. 14, the process detection apparatus 1000 further includes an information prompt unit 1007 configured to, after it is determined that the first process is in a heap-spraying state because the call information of the first process on the target interface meets the heap-spraying condition information, obtain the process information of the first process, store that process information, and send out prompt information based on it.
Fig. 15 is a schematic structural diagram of a process detection apparatus according to an embodiment of the present application. As shown in fig. 15, the process detection apparatus 1000 further includes a chip information obtaining unit 1008, configured to obtain chip information of the terminal chip and obtain the heap-spraying condition information corresponding to that chip information before it is determined that the first process is in a heap-spraying state because the call information of the first process on the target interface meets the heap-spraying condition information.
In one or more embodiments of the present application, when it is detected that a first process in the operating system calls a target interface, the current parent process of the first process may be obtained together with its first parent process identifier; when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, the call information of the first process on the target interface is obtained; and when that call information meets the heap-spraying condition information, the first process is determined to be in a heap-spraying state. Therefore, by determining that the first process is in a heap-spraying state when the first parent process identifier is consistent with the second parent process identifier and the call information of the first process on the target interface meets the heap-spraying condition information, whether the first process is in a heap-spraying state can be detected, the cases in which a process's heap-spraying state goes undetected are reduced, and the accuracy of process detection is improved.
Fig. 16 is a schematic structural diagram of a terminal according to an embodiment of the present application. As shown in fig. 16, the terminal 1600 may include: at least one processor 1601, at least one network interface 1604, a user interface 1603, a memory 1605, at least one communication bus 1602.
Wherein a communication bus 1602 is used to enable connected communication between these components.
The user interface 1603 may include a display screen, among other things, and the optional user interface 1603 may also include standard wired interfaces, wireless interfaces.
The network interface 1604 may optionally comprise a standard wired interface, a wireless interface (e.g., WI-FI interface), among others.
The processor 1601 may include one or more processing cores. The processor 1601 uses various interfaces and lines to connect the parts of the overall terminal 1600, and performs the functions of the terminal 1600 and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 1605 and by invoking data stored in the memory 1605. Alternatively, the processor 1601 may be implemented in hardware as at least one of a digital signal processor (Digital Signal Processing, DSP), a field programmable gate array (Field-Programmable Gate Array, FPGA), or a programmable logic array (Programmable Logic Array, PLA). The processor 1601 may integrate one or a combination of a central processing unit (Central Processing Unit, CPU), a graphics processor (Graphics Processing Unit, GPU), a modem, and so on. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be displayed on the display screen; the modem handles wireless communication. It will be appreciated that the modem need not be integrated into the processor 1601 and may be implemented as a separate chip.
The Memory 1605 may include a random access Memory (Random Access Memory, RAM) or a Read-Only Memory (Read-Only Memory). Optionally, the memory 1605 includes a non-transitory computer readable medium (non-transitory computer-readable storage medium). Memory 1605 may be used to store instructions, programs, code, sets of codes, or sets of instructions. The memory 1605 may include a stored program area that may store instructions for implementing an operating system, instructions for at least one function (e.g., a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, etc., and a stored data area; the storage data area may store data or the like referred to in the above respective method embodiments. Memory 1605 may also optionally be at least one storage device located remotely from the aforementioned processor 1601. As shown in fig. 16, an operating system, a network communication module, a user interface module, and an application program for process detection may be included in the memory 1605, which is one type of computer storage medium.
In the terminal 1600 shown in fig. 16, a user interface 1603 is mainly an interface for providing input to a user, acquiring data input by the user; and the processor 1601 may be configured to call an application program for process detection stored in the memory 1605, and specifically perform the following operations:
When detecting that a first process in an operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identification of the current parent process;
when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, acquiring the call information of the first process on the target interface, where the second parent process identifier is the parent process identifier of a history parent process, and the history parent process is the parent process of a second process that called the target interface in the past;
when the calling information of the first process on the target interface meets the information of the heap spraying condition, determining that the first process is in a heap spraying state.
According to some embodiments, the processor 1601 is configured to, when detecting that the first process in the operating system calls the target interface, obtain a current parent process of the first process, and after obtaining a first parent process identifier of the current parent process, specifically perform the following operations:
when the first parent process identification is inconsistent with the second parent process identification recorded in the global variable, storing the current parent process identification into the global variable, and clearing call information of the second process in the global variable to the target interface.
According to some embodiments, the call information includes current time information and count information, and the processor 1601, when determining that the first process is in a heap-spraying state because the call information of the first process on the target interface satisfies the heap-spraying condition information, specifically performs the following operations:
Acquiring global variable time information recorded in a global variable;
and when the current time information is consistent with the global variable time information and the count information is greater than the count threshold, determining that the first process is in a heap spraying state.
According to some embodiments, the call information includes current time information and count information, and the processor 1601 is configured to, when the first parent process identifier is consistent with the second parent process identifier recorded in the global variable, obtain call information of the first process on the target interface, further specifically perform the following operations:
when the calling information of the first process on the target interface does not meet the information of the heap spraying condition, acquiring global variable time information in a global variable;
when the global variable time information is zero, storing the current time information into the global variable, and adding one to the count information;
the count information is incremented by one when the global variable time information is not zero.
According to some embodiments, the processor 1601, when determining that the first process is in a heap-spraying state because the call information of the first process on the target interface satisfies the heap-spraying condition information, specifically further performs the following operations:
stopping executing the first process, and resetting the call information of the first process to the target interface in the global variable.
According to some embodiments, the processor 1601, when determining that the first process is in a heap-spraying state because the call information of the first process on the target interface satisfies the heap-spraying condition information, specifically further performs the following operations:
and acquiring the process information of the first process, storing the process information and sending out prompt information based on the process information.
According to some embodiments, the processor 1601, when determining that the first process is in a heap-spraying state because the call information of the first process on the target interface satisfies the heap-spraying condition information, specifically performs the following operations:
acquiring chip information of the terminal chip, and acquiring the heap-spraying condition information corresponding to that chip information.
In one or more embodiments of the present application, when it is detected that a first process in the operating system calls a target interface, the current parent process of the first process may be obtained together with its first parent process identifier; when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, the call information of the first process on the target interface is obtained; and when that call information meets the heap-spraying condition information, the first process is determined to be in a heap-spraying state. Therefore, by determining that the first process is in a heap-spraying state when the first parent process identifier is consistent with the second parent process identifier and the call information of the first process on the target interface meets the heap-spraying condition information, whether the first process is in a heap-spraying state can be detected, the cases in which a process's heap-spraying state goes undetected are reduced, and the accuracy of process detection is improved.
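As an added illustration (this is not the patent holder's code and does not appear on the patent page), the following Python models the scheme described by the method steps above (through S306), by the apparatus units 1001 to 1008, and by the processor operations just listed, as one state machine so that the three restatements can be checked against each other. Everything not stated on the page is an assumption: "time information" is taken to be a wall-clock timestamp truncated to whole seconds, so two calls are "consistent" when they fall in the same second; the count threshold is looked up from a constructed per-chip table; the target-interface hook is modelled as a method that receives the caller's PID and parent PID (a real hook would read them from the operating system); "stopping execution" is modelled by recording the PID, and "prompt information" by storing the process information.

```python
"""Worked model of the patent's global-variable heap-spray detection scheme.

Added illustration, not the patent holder's code. Assumptions not stated on the page:
- "time information" is a timestamp truncated to whole seconds ("consistent" = same second);
- the count threshold comes from a constructed per-chip table;
- the hook receives PID and parent PID from its caller instead of querying the OS.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed per-chip thresholds (assumption): the page only says the condition
# information is obtained from the terminal's chip information.
CHIP_COUNT_THRESHOLDS = {"chip-A": 200, "chip-B": 150}
DEFAULT_COUNT_THRESHOLD = 200


@dataclass
class GlobalVariable:
    """The page's single global variable: history parent PID plus call information."""
    parent_pid: Optional[int] = None  # second parent process identifier
    time_info: int = 0                # global variable time information; 0 = unset
    count: int = 0                    # count information


@dataclass
class ProcessInfo:
    """Process information stored when a heap-spraying state is determined."""
    pid: int
    parent_pid: int
    count: int
    time_info: int


class HeapSprayDetector:
    def __init__(self, chip_info: str, clock: Callable[[], float]):
        # Chip-specific condition information is fetched before any decision is made.
        self.count_threshold = CHIP_COUNT_THRESHOLDS.get(chip_info, DEFAULT_COUNT_THRESHOLD)
        self.clock = clock
        self.g = GlobalVariable()
        self.stopped: List[int] = []         # PIDs whose execution was stopped
        self.alerts: List[ProcessInfo] = []  # stored process information (prompt input)

    def on_target_interface_call(self, pid: int, parent_pid: int) -> bool:
        """Run once per call of the target interface; True when heap spraying is determined."""
        now = int(self.clock())  # current time information, whole seconds (assumption)

        # Parent identifier differs from the recorded one: record it and clear the
        # previous process's call information. The page counts nothing on this path.
        if self.g.parent_pid != parent_pid:
            self.g.parent_pid = parent_pid
            self.g.time_info = 0
            self.g.count = 0
            return False

        # Heap-spraying condition: same second as the recorded time and count over threshold.
        if now == self.g.time_info and self.g.count > self.count_threshold:
            self.stopped.append(pid)  # stands in for stopping execution of the process
            self.alerts.append(ProcessInfo(pid, parent_pid, self.g.count, self.g.time_info))
            self.g.time_info = 0      # reset the call information; the parent PID is kept
            self.g.count = 0
            return True

        # Condition not met: a zero time (first call since start-up) records the current
        # time; in either case the count goes up by one.
        if self.g.time_info == 0:
            self.g.time_info = now
        self.g.count += 1
        return False


def calls_until_detection(chip_info: str, pid: int, parent_pid: int, fixed_second: int,
                          limit: int = 1000) -> int:
    """Drive the detector with a frozen clock and return the ordinal of the call on which
    the process is flagged (0 if it is never flagged within `limit` calls)."""
    det = HeapSprayDetector(chip_info, clock=lambda: fixed_second)
    for n in range(1, limit + 1):
        if det.on_target_interface_call(pid, parent_pid):
            return n
    return 0


def sibling_resets_count(fixed_second: int) -> tuple:
    """Show the parent-PID gate: a call from a process with another parent clears the count."""
    det = HeapSprayDetector("chip-A", clock=lambda: fixed_second)
    for _ in range(50):
        det.on_target_interface_call(1001, parent_pid=7)
    before = det.g.count
    det.on_target_interface_call(2002, parent_pid=8)  # different parent: store it, clear
    return before, det.g.count


if __name__ == "__main__":
    print(calls_until_detection("chip-B", pid=1001, parent_pid=7, fixed_second=1569931200))
    print(sibling_resets_count(1569931200))
```

Two properties of the scheme as the page states it are worth seeing in the model. First, the gate on the parent identifier means a call from a process with a different parent wipes the counter, so the threshold is only ever accumulated by processes sharing one parent. Second, because a non-zero global time is never updated on the non-matching path, the condition can only fire when the count is exceeded within the very second recorded at the first counted call; with a clock that advances between calls the counter keeps growing but no heap-spraying state is ever determined. The frozen-clock helper above reproduces the page's numbers (with the constructed threshold of 200 for chip-A, detection happens on the call after the count passes 200).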
The present application also provides a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the above method. The computer readable storage medium may include, among other things, any type of disk including floppy disks, optical disks, DVDs, CD-ROMs, micro-drives, and magneto-optical disks, ROM, RAM, EPROM, EEPROM, DRAM, VRAM, flash memory devices, magnetic or optical cards, nanosystems (including molecular memory ICs), or any type of media or device suitable for storing instructions and/or data.
The present application also provides a computer program product comprising a non-transitory computer readable storage medium storing a computer program operable to cause a computer to perform some or all of the steps of any one of the process detection methods described in the method embodiments above.
It will be clear to a person skilled in the art that the solution of the present application may be implemented by means of software and/or hardware. "Unit" and "module" in this specification refer to software and/or hardware capable of performing a specific function, either alone or in combination with other components, such as field programmable gate arrays (Field-Programmable Gate Array, FPGA), integrated circuits (Integrated Circuit, IC), etc.
It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of action combinations, but it should be understood by those skilled in the art that the present application is not limited by the order of actions described, as some steps may be performed in other order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the acts and modules referred to are not necessarily required in the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, such as the division of the units, merely a logical function division, and there may be additional manners of dividing the actual implementation, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some service interface, device or unit indirect coupling or communication connection, electrical or otherwise.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a memory, including several instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method described in the embodiments of the present application. And the aforementioned memory includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the methods of the above embodiments may be performed by hardware under the control of a program stored in a computer readable memory, which may include a flash disk, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic or optical disk, and the like.
The foregoing is merely exemplary embodiments of the present disclosure and is not intended to limit the scope of the present disclosure. Equivalent changes and modifications contemplated by the teachings of this disclosure fall within its scope. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure that follow its general principles, including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with the true scope and spirit of the disclosure being indicated by the claims.
Claims (9)
1. A process detection method, the method comprising:
When detecting that a first process in an operating system calls a target interface, acquiring a current parent process of the first process, and acquiring a first parent process identification of the current parent process;
when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, acquiring call information of the first process on the target interface, wherein the second parent process identifier is a parent process identifier of a history parent process, and the history parent process is the parent process of a second process that called the target interface in the past;
when the call information of the first process on the target interface meets heap-spraying condition information, determining that the first process is in a heap-spraying state;
the call information includes current time information and count information, and when call information of the first process to the target interface meets the heap spraying condition information, determining that the first process is in a heap spraying state includes:
acquiring global variable time information recorded in the global variable;
and when the current time information is consistent with the global variable time information and the count information is greater than a count threshold, determining that the first process is in a heap spraying state.
2. The method according to claim 1, wherein when it is detected that the first process calls the target interface in the operating system, acquiring a current parent process of the first process, and after acquiring a first parent process identifier of the current parent process, further comprising:
when the first parent process identification is inconsistent with the second parent process identification recorded in the global variable, storing the current parent process identification into the global variable, and clearing call information of the second process in the global variable to the target interface.
3. The method according to claim 1, wherein the call information includes current time information and count information, and when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, after obtaining call information of the first process to the target interface, further includes:
when the calling information of the first process on the target interface does not meet the information of the heap spraying condition, global variable time information in the global variable is obtained;
when the global variable time information is zero, storing the current time information into the global variable, and adding one to the count information;
and when the global variable time information is not zero, adding one to the count information.
4. The method according to claim 1, wherein, when the call information of the first process on the target interface satisfies the heap-spraying condition information, determining that the first process is in a heap-spraying state further comprises:
stopping executing the first process, and resetting the call information of the first process to the target interface in the global variable.
5. The method according to claim 1, wherein, when the call information of the first process on the target interface satisfies the heap-spraying condition information, determining that the first process is in a heap-spraying state further comprises:
and acquiring the process information of the first process, storing the process information and sending prompt information based on the process information.
6. The method according to claim 1, wherein, when the call information of the first process on the target interface satisfies the heap-spraying condition information, determining that the first process is in a heap-spraying state further comprises:
acquiring chip information of a terminal chip, and acquiring the heap-spraying condition information corresponding to the chip information.
7. A process detection apparatus, the apparatus comprising:
an identification acquisition unit, configured to acquire, when it is detected that a first process in an operating system calls a target interface, a current parent process of the first process, and to acquire a first parent process identification of the current parent process;
an information acquisition unit, configured to acquire the call information of the first process on the target interface when the first parent process identifier is consistent with a second parent process identifier recorded in a global variable, wherein the second parent process identifier is a parent process identifier of a history parent process, and the history parent process is the parent process of a second process that called the target interface in the past;
a state determining unit, configured to determine that the first process is in a heap-spraying state when the call information of the first process on the target interface meets heap-spraying condition information;
the call information comprises current time information and count information, and the state determining unit is specifically configured to: acquiring global variable time information recorded in the global variable; and when the current time information is consistent with the global variable time information and the count information is greater than a count threshold, determining that the first process is in a heap spraying state.
8. A terminal comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of any of the preceding claims 1-6 when executing the computer program.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the method of any of the preceding claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110150374.1A CN112989323B (en) | 2021-02-03 | 2021-02-03 | Process detection method, device, terminal and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110150374.1A CN112989323B (en) | 2021-02-03 | 2021-02-03 | Process detection method, device, terminal and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112989323A CN112989323A (en) | 2021-06-18 |
CN112989323B true CN112989323B (en) | 2024-02-13 |
Family
ID=76346474
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110150374.1A Active CN112989323B (en) | 2021-02-03 | 2021-02-03 | Process detection method, device, terminal and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112989323B (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114996013B (en) * | 2022-06-09 | 2023-06-02 | 河南省肿瘤医院 | Microwave treatment equipment based on it is embedded |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101367992B1 (en) * | 2012-09-10 | 2014-02-27 | 주식회사 인프라웨어테크놀러지 | Method of blocking heap spray hacking using nop sled, and computer-readable recording medium with anti-heap spray program for the same |
CN103984898A (en) * | 2014-05-29 | 2014-08-13 | 北京神州绿盟信息安全科技股份有限公司 | Detection method and detection device for attack in spray pattern |
CN106775975A (en) * | 2016-12-08 | 2017-05-31 | 青岛海信移动通信技术股份有限公司 | Process scheduling method and device |
CN106855925A (en) * | 2015-12-09 | 2017-06-16 | 中国电信股份有限公司 | Heap spray detection method and device |
CN110059477A (en) * | 2019-03-14 | 2019-07-26 | 成都亚信网络安全产业技术研究院有限公司 | Attack detection method and device |
US10430586B1 (en) * | 2016-09-07 | 2019-10-01 | Fireeye, Inc. | Methods of identifying heap spray attacks using memory anomaly detection |
CN110825593A (en) * | 2019-11-11 | 2020-02-21 | 腾讯科技(深圳)有限公司 | Method, device and equipment for detecting abnormal state of process and storage medium |
CN111783082A (en) * | 2020-06-08 | 2020-10-16 | Oppo广东移动通信有限公司 | Process tracing method, device, terminal and computer readable storage medium |
CN111831557A (en) * | 2020-06-19 | 2020-10-27 | 北京华三通信技术有限公司 | Deadlock detection method and device |
CN111966425A (en) * | 2020-08-19 | 2020-11-20 | 惠州Tcl云创科技有限公司 | Process cleaning method and device, storage medium and mobile terminal |
CN112307469A (en) * | 2019-07-29 | 2021-02-02 | 北京奇虎科技有限公司 | Kernel intrusion prevention method and device, computing equipment and computer storage medium |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9372990B2 (en) * | 2014-08-29 | 2016-06-21 | International Business Machines Corporation | Detecting heap spraying on a computer |
CN106202367B (en) * | 2016-07-07 | 2019-03-05 | 腾讯科技(深圳)有限公司 | Method and device for processing object information |
JP2018200641A (en) * | 2017-05-29 | 2018-12-20 | 富士通株式会社 | Abnormality detection program, abnormality detection method, and information processing apparatus |
Timeline
- 2021-02-03 CN CN202110150374.1A patent/CN112989323B/en Active
Non-Patent Citations (1)
Title |
---|
融合多种技术的堆喷射方法研究 (Research on heap spraying methods combining multiple techniques); 毛焱颖; 罗森林; 信息网络安全 (Netinfo Security), No. 06; full text * |
Also Published As
Publication number | Publication date |
---|---|
CN112989323A (en) | 2021-06-18 |
Similar Documents
Publication | Title |
---|---|
CN109213539B (en) | Memory recovery method and device |
CN109117250B (en) | Simulator identification method, simulator identification equipment and computer readable medium |
CN107861814B (en) | Resource allocation method and equipment |
US8626125B2 (en) | Apparatus and method for securing mobile terminal |
CN108712561B (en) | Authority management method, device, mobile terminal and storage medium |
CN106227585B (en) | Application program starting method, device and equipment |
CN106155789B (en) | Application freezing method and mobile terminal |
CN107832142B (en) | Resource allocation method and equipment for application program |
CN111858112B (en) | Method, client and server for detecting memory leakage |
CN107302493B (en) | Message processing method, message processing device and intelligent terminal |
CN106034138A (en) | Remote service calling method and remote service calling device |
CN108366098B (en) | Data interaction method and device for network nodes |
CN107360179B (en) | Risk information sharing method, terminal and computer readable storage medium |
CN105988841A (en) | Update method of application program, and mobile terminal |
CN112989323B (en) | Process detection method, device, terminal and storage medium |
CN108762983B (en) | Multimedia data recovery method and device |
CN108572866B (en) | Application program management method, application program management device and mobile terminal |
CN108647070B (en) | Information reminding method and device, mobile terminal and computer readable medium |
CN107450951B (en) | Application processing method and device, storage medium and terminal |
CN111966425A (en) | Process cleaning method and device, storage medium and mobile terminal |
CN115225966B (en) | Application starting method, device, terminal equipment and storage medium |
CN107943268B (en) | Scheduling job control method, device, terminal equipment and storage medium |
CN110771113B (en) | Brushing amount terminal detection method and device |
CN107291543B (en) | Application processing method and device, storage medium and terminal |
CN114546171A (en) | Data distribution method, data distribution device, storage medium and electronic equipment |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |