CN115080983A - Kernel function hiding method and device, terminal device and storage medium - Google Patents

Kernel function hiding method and device, terminal device and storage medium Download PDF

Info

Publication number
CN115080983A
CN115080983A CN202210766898.8A CN202210766898A CN115080983A CN 115080983 A CN115080983 A CN 115080983A CN 202210766898 A CN202210766898 A CN 202210766898A CN 115080983 A CN115080983 A CN 115080983A
Authority
CN
China
Prior art keywords
function
printed
kernel
name
blacklist
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210766898.8A
Other languages
Chinese (zh)
Inventor
李科
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Oppo Communication Technology Co ltd
Original Assignee
Chengdu Oppo Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Chengdu Oppo Communication Technology Co ltd filed Critical Chengdu Oppo Communication Technology Co ltd
Priority to CN202210766898.8A priority Critical patent/CN115080983A/en
Publication of CN115080983A publication Critical patent/CN115080983A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/606Protecting data by securing the transmission between two devices or processes
    • G06F21/608Secure printing

Abstract

The application discloses a kernel function hiding method and device, terminal equipment and a storage medium, and belongs to the technical field of terminal control. The method is applied to the terminal equipment and comprises the following steps: acquiring a function name of a kernel function to be printed currently; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted manner, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.

Description

Kernel function hiding method and device, terminal device and storage medium
Technical Field
The present application relates to the field of terminal control technologies, and in particular, to a kernel function hiding method and apparatus, a terminal device, and a storage medium.
Background
With the development of information technology and internet technology, the phenomenon that users use terminal equipment in daily life is very common, and it is more and more important that the terminal equipment avoids attacks such as network bugs and the like in the use process.
At present, most terminal devices execute security policies set in the terminal devices when defending against vulnerabilities. For example, in the terminal device of the Linux system, for the security protection aspect of the kernel symbol table Kallsyms, the Linux system has a native security policy kptr _ restore, the security policy may be opened or closed, and when a network vulnerability or the like attacks the terminal device, the terminal device may be protected according to the security policy kptr _ restore.
For the above security policy, although the utilization of the network vulnerability to Kallsyms can be effectively reduced, the security policy can be dynamically closed after being authorized, and the problem of low security of the terminal device exists.
Disclosure of Invention
In order to solve the problems in the prior art and improve the use security of the terminal device, embodiments of the present application provide a kernel function hiding method and apparatus, a terminal device, and a storage medium. The technical scheme is as follows:
in one aspect, the present application provides a kernel function hiding method, applied to a terminal device, where the method includes:
acquiring a function name of a kernel function to be printed currently;
comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden;
when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed.
In one aspect, the present application provides a terminal device control apparatus, applied to a terminal device, the apparatus including:
the name acquisition module is used for acquiring the function name of the kernel function to be printed currently;
the name comparison module is used for comparing the function name of the kernel function to be printed with a blacklist, and the blacklist comprises the function names of all kernel functions to be hidden;
and the function hiding module is used for hiding the function information of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist and the kernel function to be printed is printed.
In another aspect, the present application provides a terminal device comprising a processor and a memory, wherein the memory stores at least one instruction, at least one program, code set, or instruction set, and the at least one instruction, the at least one program, the code set, or the instruction set is loaded and executed by the processor to implement the kernel function hiding method according to an aspect.
In another aspect, the present application provides a computer-readable storage medium having at least one instruction, at least one program, code set, or set of instructions stored therein, which is loaded and executed by a processor to implement a kernel function hiding method as described in one aspect.
In another aspect, the present application provides a computer program product, which when running on a computer, causes the computer to execute the kernel function hiding method according to the above aspect.
In another aspect, an embodiment of the present application provides an application publishing platform, configured to publish a computer program product, where when the computer program product runs on a computer, the computer is caused to execute the kernel function hiding method according to the above aspect.
The beneficial effects brought by the technical scheme provided by the embodiment of the application at least comprise:
the method comprises the steps of obtaining a function name of a kernel function to be printed currently; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted mode, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart of a kernel function hiding method according to an exemplary embodiment of the present application;
FIG. 2 is a flowchart of a method for kernel function hiding according to an exemplary embodiment of the present application;
FIG. 3 is a flowchart of a method for kernel function hiding according to an exemplary embodiment of the present application;
fig. 4 is a block diagram illustrating a kernel function hiding apparatus according to an exemplary embodiment of the present application;
fig. 5 is a schematic structural diagram of a terminal device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
With the rapid development of science and technology, various terminal devices have been applied to daily life of people, and people need to use the terminal devices in work, life and study, for example, people use the terminal devices to photograph the surrounding environment, use the terminal devices to record data in work, and the like. With the increasing use of terminal equipment and the popularization and use of the interconnection of everything, data information in the terminal equipment is more and more important, and the safety requirement of people on the terminal equipment is higher and higher. Although each mainstream manufacturer sets a program with the capability of improving security defense and vulnerability mitigation in manufactured terminal equipment, related rights-proposing events in the terminal equipment still appear endlessly.
At present, the main systems of terminal devices include an Android (Android) system, an iOS system, a Linux system, and the like, and for terminal devices of various kernel systems, native security policies are generally configured, and when a kernel system is attacked by a network bug or a hacker, a security protection effect can be realized based on the security policies.
For example, in a terminal device of a Linux system, a kernel symbol table Kallsyms is one of common targets to be attacked, and once Kallsyms is attacked, Root authority can display all function names and corresponding addresses in the kernel system through Kallsyms. Currently, for the aspect of security protection of Kallsyms, a Linux system has a native security policy kptr _ restore, and Kallsyms is protected by the kptr _ restore in a terminal device.
However, in the Linux terminal, the Kallsyms node paths and permissions are as follows: all rights are readable (-r- -r- -r- -1root root 02022-01-1402: 28 proc/kallsyms). However, for the security policy kptr _ restore native to the Linux system, the switch thereof is (-rw-r-1 Root root 02022-01-1402: 28proc/sys/kernel/kptr _ restore), the switch has Root authority, can be read and written, and other authorities are read only.
Control of kptr _ trigger in a terminal device of a Linux system is as follows, when kptr _ trigger is 0, both a caller (process or application) having Root authority and a normal caller can read; when kptr _ trigger is 1, a caller with Root authority can read, and an ordinary caller does not have the authority to read; when kptr _ restore is 2, the kernel system can print each function address in Kallsyms as all 0, and neither the caller with Root authority nor the normal caller has the authority to read.
For the above security protection strategy, although kptr _ restore can effectively reduce the utilization of network vulnerabilities to Kallsyms, due to the existence of the switch, it is easy to be closed after being authorized. For example, if there is a risk of being hijacked and injecting a command, a high-privilege system process may dynamically close kptr _ restart, and then may still read the kallsyms address, and there is a risk of being dynamically closed after being authorized, and moreover, kptr _ restart may only hide and close the kallsyms as a whole, and may not provide finer-grained hiding protection.
In order to solve the problems in the related art, improve the use safety of the terminal equipment and enhance the capability of the terminal equipment against the hole-leakage attack, the application provides a kernel function hiding method, which can detect the current to-be-printed function to be printed and hide and protect the kernel function with finer granularity.
Referring to fig. 1, a flowchart of a kernel function hiding method provided in an exemplary embodiment of the present application is shown, where the kernel function hiding method may be used in a terminal device. As shown in fig. 1, the kernel function hiding method may include the following steps:
step 101, acquiring a function name of a kernel function to be printed currently.
The terminal device may be a mobile phone, a tablet computer, a notebook computer, smart glasses, a smart watch, an MP3 player (Moving Picture Experts Group Audio Layer III, motion Picture Experts compression standard Audio Layer 3), an MP4 player (Moving Picture Experts Group Audio Layer IV, motion Picture Experts compression standard Audio Layer 4), a desktop computer, a laptop computer, a smart home device, and the like.
In the running process of a kernel system of the terminal equipment, various application programs or processes can call a preset function with a function of printing the kernel function, so that the kernel function is printed. The printing is to display function information of a kernel function, where the kernel function is a function provided by a system kernel, for example, a system of the terminal device is a Linux system, a certain process may call a getpriority function in the kernel system, and the getpriority function needs to be printed, and at this time, a function name of the kernel function to be currently printed may be obtained as the getpriority function.
Step 102, comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden.
Optionally, in the present application, a blacklist is maintained in advance in a kernel system of a terminal device, and the obtained function name of the kernel function to be printed is compared with the function names of the kernel functions in the blacklist one by one. For example, the blacklist may include three functions, namely, a function one, a function two, and a function three, and after the function name of the kernel function to be printed is obtained in step 101, the function name may be compared with the three functions, namely, the function one, the function two, and the function three, respectively.
And 103, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed when the function name of the kernel function to be printed is the same as any function name in the blacklist.
That is, when the function name of the kernel function to be printed is in the blacklist, the terminal device may hide the function information that needs to be hidden by the kernel function to be printed when the function name to be printed is printed. The function information may include any one or more of a function name, a function address, and the like. For example, the function name of the obtained kernel function to be printed is function one, the blacklist includes three functions of function one, function two and function three, and the function information is the function name, after the comparison in step 102, the terminal device can determine that the function name of the kernel function to be printed is in the blacklist, so that the terminal device can hide the function name of the kernel function to be printed when the kernel function to be printed is printed, thereby implementing hidden protection of function one.
In summary, the function name of the current kernel function to be printed is obtained; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted mode, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.
In a possible implementation manner, in the present application, based on different hiding levels, different levels of hiding effects may be performed on functions that need to be hidden, so as to improve flexibility of hiding protection.
Referring to fig. 2, a flowchart of a kernel function hiding method provided in an exemplary embodiment of the present application is shown, where the kernel function hiding method may be used in a terminal device. As shown in fig. 2, the kernel function hiding method may include the following steps:
step 201, a hook node for monitoring an objective function is created, wherein the objective function is a function for printing a kernel function.
The terminal device can create a hook node for an objective function in a kernel system of the terminal device by using a hook function. Alternatively, the target function may be any one of functions existing in a kernel system of the terminal device for printing the kernel function. For example, the terminal device needs to monitor the first function or use the method provided by the present solution, and the terminal device may create a hook node (hook point) for a certain function by using the hook function. For example, the kernel system of the terminal device is a Linux system, the hooking function may be a register _ kretprobe function, and a hooking node may be registered or created for another function through the register _ kretprobe function.
And 202, monitoring the target function according to the hook nodes.
After creating the hook node for the objective function, the terminal device may monitor the function requiring hook by using the hook node (hook point).
And step 203, when the target function is monitored to be called through the hook node, sequentially importing the source data input to the target function into the target structure.
Optionally, in the terminal device, the application program or a certain process may call the target function, and when it is monitored through the hook node that the target function is called, the flow of the scheme may be triggered, so that the source data input to the target function is sequentially imported into the target structure.
In a possible implementation manner, before the terminal device sequentially imports the source data input to the target function into the target structure, it may first detect whether the kernel state of the terminal device is in an unlocked state; and when the kernel state of the terminal equipment is not in an unlocked state, sequentially acquiring the source data input to the target function from the register, and further sequentially importing the acquired source data input to the target function into the target structure.
For example, the terminal device detects whether a target parameter value in the kernel startup parameter is equal to a first preset parameter value, if the target parameter value is equal to the first preset parameter value, it indicates that the kernel state is an unlocked state, and if the target parameter value is not equal to the first preset parameter value, it indicates that the kernel state is not an unlocked state. Optionally, the first preset parameter value may be preset by a developer or an operation and maintenance person. Still taking the example that the kernel system of the terminal device is a Linux system, the kernel starting parameter may be a cmdlene parameter, the target parameter value may be an android.verifiedbootstate parameter value in the cmdlene parameter, and when the android.verifiedbootstate parameter value is equal to orange, the kernel state of the terminal device is an unlocked (unlocked) state, which indicates that the terminal device is untrusted at this time, and a protection function is no longer provided, that is, a hidden protection mechanism of the present scheme is not provided. When the android.verifiedbootstate parameter value is not equal to orange, the kernel state of the terminal device is not an unlocked state, the source data input to the target function can be sequentially acquired from the register, and the acquired source data input to the target function are sequentially imported into the target structure. Wherein, the source data refers to data which is directly input to the objective function by the system kernel.
Taking the target function as an s _ show function as an example, when the kernel system calls the first parameter of the s _ show function: when the seq _ file is used, the terminal equipment can know that the source data input to the target function is from the seq _ file through source code analysis, so that each seq _ file value can be sequentially acquired from regs [0] of a pt _ regs register, and the source data are sequentially imported into a target structure (kallsyms _ iter).
And 204, acquiring the function name of the kernel function to be printed currently according to the target structure body.
Optionally, the terminal device may obtain a function name of the kernel function to be printed currently according to the content of the pointer in the target structure. For example, the terminal device may obtain the function name of the kernel function to be printed currently through iter- > name. For example, when the kernel function to be currently printed is a commit _ crid function, the function name of the kernel function to be currently printed is "commit _ crid".
Step 205, comparing the function name of the kernel function to be printed with a blacklist, where the blacklist includes the function names of the kernel functions to be hidden.
Optionally, in this application, a blacklist maintained by the terminal device includes function names of kernel functions to be protected, after the function names of the kernel functions to be printed are obtained, the terminal device may compare the obtained function names of the kernel functions to be printed with the blacklist, if the blacklist includes the function name of the kernel function to be printed currently, the kernel function to be printed currently needs to be hidden and protected, and if the blacklist does not include the function name of the kernel function to be printed currently, the process may be ended. For example, the function name of each kernel function included in the black list is: a commit _ crid function and a prefix _ kernel _ crid function, if the function name of the kernel function to be printed, which is obtained by the terminal device in the step 204, is commit _ crid, after the comparison in this step, it is determined that the blacklist includes the function name of the kernel function to be printed currently, and the subsequent steps need to be executed, that is, the process proceeds to the step 206.
And step 206, when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed.
Optionally, when the blacklist includes the function name of the kernel function to be printed currently, the terminal device hides the function information of the kernel function to be printed when the kernel function to be printed is printed subsequently.
Optionally, the function information includes a function name and/or a function address. In a possible implementation manner, the manner in which the terminal device hides the function information of the kernel function to be printed may be as follows: and hiding the function address of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist. Namely, the terminal device conceals and protects the function address of the kernel function to be printed. For example, the terminal device may adjust the value of the first parameter variable to a second preset parameter value, thereby implementing an effect of hiding the function address of the kernel function to be printed. When the kernel system of the terminal device is a Linux system, the terminal device can hide the function address of the kernel function to be printed by modifying the value of iter- > value to 00000000.
In a possible implementation manner, when the function name of the kernel function to be printed is the same as any function name in the blacklist, the function name and the function address of the kernel function to be printed are hidden. That is, the terminal device may hide and protect the function name and the function address of the kernel function to be printed. For example, the terminal device may delete the name variable, thereby implementing the effect of hiding and protecting the function name and the function address of the kernel function to be printed. When the kernel system of the terminal equipment is a Linux system, the terminal equipment can delete iter-name together, and can realize the effect of hiding and protecting the function name and the function address of the kernel function to be printed together.
In a possible implementation manner, the manner in which the terminal device hides the function information of the kernel function to be printed may also be as follows: when the function name of the kernel function to be printed is the same as any function name in the blacklist, determining the hiding level according to the function name of the kernel function to be printed; determining function information to be hidden of the kernel function to be printed according to the hidden level; and hiding the function information which is needed to be hidden by the kernel function to be printed. When the hiding level is a first hiding level, determining that function information needing to be hidden by a function to be printed is a function address; and when the hiding level is a second hiding level, determining that the function information to be hidden by the function to be printed is the function name and the function address.
Namely, the terminal device may further obtain a hidden level corresponding to the kernel function to be printed by the terminal device according to the function name of the kernel function to be printed, and determine the function information that the kernel function to be printed needs to be hidden according to the hidden level. For example, the terminal device sets a corresponding hiding level for each kernel function to be hidden and protected in advance, and in this step, the corresponding hiding level may be obtained according to the obtained function name of the kernel function to be printed. For the first function, the corresponding hidden level is the second hidden level, the function name of the kernel function to be printed, which is obtained by the terminal device, is the first function, the terminal device can obtain the corresponding hidden level as the second hidden level according to the first function, and then determine that the function information of the function to be printed, which needs to be hidden, is the function name and the function address, and hide and protect the function name and the function address of the kernel function to be printed.
In one possible implementation, the terminal device may further receive a switch variable at the virtual file system node; when the switch variable indicates that the function information of each kernel function contained in the blacklist is restored to printing, the function information of the kernel function is displayed when the kernel function in the blacklist is printed. For example, in a terminal device of the Linux system, by adding a dynamic sysfs switch, the corresponding switch variable of which is the sysfs value, the terminal device determines whether the printing effect on each kernel function in the blacklist can be restored by receiving the input sysfs value at the virtual file system node.
In a possible implementation manner, the terminal device may further obtain call information for calling a currently printed kernel function to be printed, where the call information includes at least one of identity information of a caller, authority information of the caller, name information of the caller, and call time, and the caller includes an application program or a process; and storing the calling information into the daemon process. Namely, the terminal device can perform the point burying processing on the calling information for calling the currently printed kernel function to be printed, so that the subsequent defense for similar application programs or processes is facilitated.
In a possible implementation manner, the terminal device may further send the call information to the server; receiving a target blacklist sent by a server, wherein the target blacklist is obtained by the server according to the calling information; and updating the currently maintained blacklist according to the target blacklist. Optionally, the terminal device may send the call information stored in the daemon process to the server, the server obtains a new function to be protected by hiding according to the call information received this time, adds the new function to be protected by hiding into the blacklist to obtain a target blacklist, and returns the target blacklist to the terminal device, and the terminal device updates the blacklist in the current system according to the received target blacklist.
It should be noted that, the present solution may also enforce the effect of hidden protection on all kernel functions. For example, the terminal device may detect whether a parameter variable currently pointed by the target structure is a preset parameter variable; when the parameter variable currently pointed by the target structure body is not the preset parameter variable, executing a step of comparing the function name of the kernel function to be printed with a blacklist; when the parameter variable pointed by the target structure body at present is a preset parameter variable, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. For example, the kernel function needing hidden protection is an s _ show function, all iter- > names are deleted at the beginning of the s _ show function, or iter- > value is assigned to be 0, and in the process of calling the s _ show function, the function information of any kernel function to be printed is hidden protected, so that the effect of forced opening is achieved.
In summary, the function name of the current kernel function to be printed is obtained; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted mode, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.
In addition, the scheme can provide fine-grained hiding of hiding levels for different functions, so that the mode of hiding and protecting the functions in the terminal equipment is more flexible, the address of the function is not modified, and the system operation is not influenced.
The kernel system of the terminal equipment is a Linux system, and the scheme can be realized based on a KretProbe framework, and is mounted and operated in the form of a kernel module.
Referring to fig. 3, a flowchart of a kernel function hiding method provided in an exemplary embodiment of the present application is shown, where the kernel function hiding method may be used in a terminal device. As shown in fig. 3, the kernel function hiding method may include the following steps:
in step 301, kretprobe is registered to s _ show ().
The s _ show () is a function which can print a kernel function, and the terminal device can register a hook point of pre _ handle with the s _ show function for monitoring by using a register _ kretprobe.
Step 302, detecting whether the terminal device is unocked.
The terminal device judges whether the terminal device is unockeled by detecting whether the value of android.verifiedbootstate in the kernel starting parameter cmdle is equal to orange, jumps out of the check if the value of android.verifiedbootstate is equal to orange, and executes step 303 if the value of android.verifiedbootstate is not equal to orange.
In step 303, the seq _ file data is derived from the register.
Optionally, in the terminal device, when the s _ show function is called, the first parameter called is: and in seq _ file, the terminal equipment can know that the iter data comes from seq _ file according to source code analysis, and further can take out the 1 st seq _ file value from the regs [0] of the pt _ regs register.
Step 304, importing the seq _ file data into iter iterator.
Optionally, the terminal device may import the obtained seq _ file data into the iter iterator. Wherein, iter iterator is the target structure, i.e. introduced into kallsyms iter structure. The manner of importing the information may refer to the description in step 203 in the embodiment of fig. 2, and is not described herein again.
Step 305, comparing the iter- > name with the characters in the blacklist.
That is, the terminal device may obtain the function name of the kernel function to be printed currently through iter- > name, compare the function name of the kernel function to be printed currently with the blacklist, and skip the check if the blacklist does not include the function name of the kernel function to be printed currently. If the blacklist contains the function name of the kernel function to be printed currently, step 306 is entered. Optionally, this step may refer to the description in step 205 in the embodiment of fig. 2, and is not described herein again.
Step 306, modify iter- > value-00000000 or delete iter- > name together.
Namely, the terminal device modifies the iter- > value or deletes the iter- > name, so that the hidden protection effect is achieved. Optionally, this step may refer to the description in step 206 in the embodiment of fig. 2, and is not described here again.
Taking the fact that the commit _ crid function needs to be printed in the process of calling the s _ show () in the scheme as an example, before the scheme is not adopted, when the commit _ crid is printed, the codes may be as follows: OP5209L1:/# cat proc/kallsyms | grep commit _ crid
ffffffe83ebb4c68 T commit_creds。
According to the interception level 1: in a manner of hiding only the function address, the code may be as follows:
OP5209L1:/#cat proc/kallsyms|grep commit_cred
0000000000000000T commit_creds
according to the interception level 2: for the way of hiding the function name and address together, the code may be as follows:
OP5209L1:/data/local/tmp#cat/proc/kallsyms|grep commit_cred
(empty)
And 307, uploading the buried points.
Optionally, the terminal device obtains the call information of the process or the application program calling the s _ show () function here. For example, the authority of the process, the id of the process, the calling time and the like are saved and uploaded to the key for embedding. Here, reference may be made to the content of storing the calling information in the daemon process in step 206 in the embodiment of fig. 2, which is not described herein again.
In summary, the function name of the current kernel function to be printed is obtained; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted mode, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.
In addition, the current solution meets the GKI 2.0.0 requirement, and can be realized in the form of a ko file. The integrity of the kernel cannot be damaged, and the adaptability is wider.
The following are embodiments of the apparatus of the present application that may be used to perform embodiments of the method of the present application. For details which are not disclosed in the embodiments of the apparatus of the present application, reference is made to the embodiments of the method of the present application.
Referring to fig. 4, a block diagram of a kernel function hiding apparatus according to an exemplary embodiment of the present application is shown. The kernel function hiding apparatus 400 may be used in a terminal device to perform all or part of the steps performed by the terminal device in the method provided by the embodiment shown in fig. 1, fig. 2, or fig. 3. The kernel function hiding apparatus 400 includes:
a name obtaining module 401, configured to obtain a function name of a kernel function to be currently printed;
a name comparison module 402, configured to compare function names of the kernel functions to be printed with a blacklist, where the blacklist includes function names of the kernel functions that need to be hidden;
a function hiding module 403, configured to hide the function information of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist and print the kernel function to be printed.
In summary, the function name of the current kernel function to be printed is obtained; comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden; and when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed. According to the method and the terminal device, the blacklist is maintained in the terminal device, the function names of the kernel functions to be printed are screened, the function information required to be hidden by each kernel function to be printed is hidden in a targeted mode, other high-authority processes cannot be closed, and the use safety of the terminal device is improved.
Optionally, the function information includes a function name and/or a function address, and the function hiding module 403 includes: a first hidden unit or a second hidden unit;
the first hiding unit is used for hiding the function address of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist; alternatively, the first and second electrodes may be,
and the second hiding unit is used for hiding the function name and the function address of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist.
Optionally, the function hiding module 403 includes: a first determining unit, a second determining unit and a third hiding unit;
the first determining unit is configured to determine a hiding level according to a function name of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist;
the second determining unit is configured to determine, according to the hiding level, function information that the kernel function to be printed needs to be hidden;
and the third hiding unit is used for hiding the function information which needs to be hidden by the kernel function to be printed.
Optionally, the apparatus further comprises:
a variable receiving module for receiving a switch variable at a virtual file system node;
and the information display module is used for displaying the function information of the kernel function in the blacklist when the switch variable indicates that the function information of each kernel function contained in the blacklist is restored to be printed and the kernel function in the blacklist is printed.
Optionally, the apparatus further comprises:
a hook creating module, configured to create a hook node for monitoring a target function before the function name of the kernel function to be currently printed is obtained, where the target function is a function for printing the kernel function;
the name acquisition module comprises: a first acquisition unit;
the first obtaining unit is configured to obtain a function name of a kernel function to be printed currently when the hook node monitors that the target function is called.
Optionally, the first obtaining unit includes: a first import subunit and a first acquisition subunit;
the first importing subunit is configured to, when it is monitored that the target function is called through the hook node, sequentially import source data input to the target function into a target structure;
and the first acquiring subunit is configured to acquire, according to the target structure, a function name of a kernel function to be currently printed.
Optionally, the apparatus further comprises:
the state detection module is used for detecting whether the kernel state of the terminal equipment is in an unlocked state or not before the source data input to the target function are sequentially imported into the target structure;
and the data acquisition module is used for sequentially acquiring the source data input to the target function from the register when the kernel state of the terminal equipment is not in the unlocked state.
Optionally, the apparatus further comprises:
the information acquisition module is used for acquiring calling information for calling the currently printed kernel function to be printed, wherein the calling information comprises at least one of identity information of a caller, authority information of the caller, name information of the caller and calling time, and the caller comprises an application program or a process;
and the information storage module is used for storing the calling information into a daemon process.
Optionally, the apparatus further comprises:
the information sending module is used for sending the calling information to a server after the calling information is stored in the daemon process;
the list receiving module is used for receiving a target blacklist sent by the server, wherein the target blacklist is obtained by the server according to the calling information;
and the list updating module is used for updating the currently maintained blacklist according to the target blacklist.
Fig. 5 is a schematic structural diagram of a terminal device according to an exemplary embodiment of the present application. As shown in fig. 5, the terminal device 500 includes a Central Processing Unit (CPU) 501, a system Memory 504 including a Random Access Memory (RAM) 502 and a Read Only Memory (ROM) 503, and a system bus 505 connecting the system Memory 504 and the CPU 501. The terminal device 500 also includes a basic transmission/Output System (I/O System) 506 that facilitates the transmission of information between the various devices within the computer, and a mass storage device 507 for storing an operating System 512, application programs 513, and other program modules 514.
The basic transmission/output system 506 comprises a display 506 for displaying information and a transmission device 509, such as a mouse, keyboard, etc., for transmitting information to a user. Wherein the display 506 and the transmission device 509 are connected to the central processing unit 501 through a transmission output controller 510 connected to the system bus 505. The basic transmit/output system 506 may also include a transmit output controller 510 for receiving and processing transmissions from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, transport output controller 510 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 507 is connected to the central processing unit 501 through a mass storage controller (not shown) connected to the system bus 505. The mass storage device 507 and its associated computer-readable media provide non-volatile storage for the terminal device 500. That is, the mass storage device 507 may include a computer-readable medium (not shown) such as a hard disk or a CD-ROM (Compact disk Read-Only Memory) drive.
The computer readable media may include computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM (Erasable Programmable Read-Only Memory), EEPROM (Electrically Erasable Programmable Read-Only Memory), flash Memory or other solid state Memory technology, CD-ROM, DVD (Digital Video Disc) or other optical, magnetic, tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will appreciate that the computer storage media is not limited to the foregoing. The system memory 504 and mass storage device 507 described above may be collectively referred to as memory.
The terminal device 500 may be connected to the internet or other network devices through a network interface unit 511 connected to the system bus 505. The memory also includes one or more programs, which are stored in the memory.
The embodiment of the present application further provides a computer-readable medium, where at least one instruction is stored, and the at least one instruction is loaded and executed by the processor to implement all or part of the steps executed by the terminal device in the kernel function hiding method according to the foregoing embodiments.
The present application further provides a computer program product, where the computer program product stores at least one instruction, and the at least one instruction is loaded and executed by the processor to implement all or part of the steps executed by the terminal device or the server, of the kernel function hiding method according to the above embodiments.
It should be noted that: in the apparatus provided in the foregoing embodiment, when the control of the terminal device is executed, only the division of the functional modules is illustrated, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to complete all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program instructing relevant hardware, where the program may be stored in a computer-readable storage medium, and the above-mentioned storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The above description is only exemplary of the present application and should not be taken as limiting, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (12)

1. A kernel function hiding method is applied to a terminal device, and comprises the following steps:
acquiring a function name of a kernel function to be printed currently;
comparing the function name of the kernel function to be printed with a blacklist, wherein the blacklist comprises the function names of all kernel functions to be hidden;
when the function name of the kernel function to be printed is the same as any function name in the blacklist, hiding the function information of the kernel function to be printed when the kernel function to be printed is printed.
2. The method according to claim 1, wherein the function information includes a function name and/or a function address, and hiding the function information of the kernel function to be printed when the kernel function to be printed is printed when the function name of the kernel function to be printed is the same as any function name in the blacklist comprises:
hiding the function address of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist; alternatively, the first and second electrodes may be,
and hiding the function name and the function address of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist.
3. The method according to claim 1, wherein hiding the function information of the kernel function to be printed when printing the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist comprises:
when the function name of the kernel function to be printed is the same as any function name in the blacklist, determining a hiding level according to the function name of the kernel function to be printed;
determining function information which needs to be hidden by the kernel function to be printed according to the hiding level;
and hiding the function information which needs to be hidden by the kernel function to be printed.
4. The method of claim 1, further comprising:
receiving a switch variable at a virtual file system node;
when the switch variable indicates that the function information of each kernel function contained in the blacklist is restored to be printed, the function information of the kernel function in the blacklist is displayed when the kernel function in the blacklist is printed.
5. The method according to any one of claims 1 to 4, wherein before the obtaining the function name of the kernel function to be printed currently, the method further comprises:
creating a hook node for monitoring a target function, wherein the target function is a function for printing a kernel function;
the acquiring the function name of the kernel function to be printed currently comprises the following steps:
and when the hook node monitors that the target function is called, acquiring the function name of the kernel function to be printed currently.
6. The method according to claim 5, wherein the obtaining a function name of a kernel function to be printed currently when the target function is called is monitored by the hook node comprises:
when the target function is monitored to be called through the hook node, sequentially importing source data input to the target function into a target structure;
and acquiring the function name of the kernel function to be printed currently according to the target structure body.
7. The method according to claim 6, before the sequentially importing the source data input to the objective function into the target structure, further comprising:
detecting whether the kernel state of the terminal equipment is in an unlocked state;
and when the kernel state of the terminal equipment is not in the unlocked state, sequentially acquiring the source data input to the target function from a register.
8. The method of claim 1, further comprising:
acquiring calling information for calling the kernel function to be printed currently, wherein the calling information comprises at least one of identity information of a caller, authority information of the caller, name information of the caller and calling time, and the caller comprises an application program or a process;
and storing the calling information into a daemon process.
9. The method of claim 8, after storing the call information in a daemon process, further comprising:
sending the calling information to a server;
receiving a target blacklist sent by the server, wherein the target blacklist is obtained by the server according to the calling information;
and updating the currently maintained blacklist according to the target blacklist.
10. A kernel function hiding device is applied to a terminal device, and comprises:
the name acquisition module is used for acquiring the function name of the kernel function to be printed currently;
the name comparison module is used for comparing the function name of the kernel function to be printed with a blacklist, and the blacklist comprises the function names of all kernel functions to be hidden;
and the function hiding module is used for hiding the function information of the kernel function to be printed when the function name of the kernel function to be printed is the same as any function name in the blacklist and the kernel function to be printed is printed.
11. A terminal device, characterized in that it comprises a processor and a memory, in which at least one instruction, at least one program, set of codes or set of instructions is stored, which is loaded and executed by the processor to implement the kernel function hiding method as claimed in any one of claims 1 to 9.
12. A computer-readable storage medium, having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the kernel function hiding method as claimed in any one of claims 1 to 9.
CN202210766898.8A 2022-06-30 2022-06-30 Kernel function hiding method and device, terminal device and storage medium Pending CN115080983A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210766898.8A CN115080983A (en) 2022-06-30 2022-06-30 Kernel function hiding method and device, terminal device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210766898.8A CN115080983A (en) 2022-06-30 2022-06-30 Kernel function hiding method and device, terminal device and storage medium

Publications (1)

Publication Number Publication Date
CN115080983A true CN115080983A (en) 2022-09-20

Family

ID=83257638

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210766898.8A Pending CN115080983A (en) 2022-06-30 2022-06-30 Kernel function hiding method and device, terminal device and storage medium

Country Status (1)

Country Link
CN (1) CN115080983A (en)

Similar Documents

Publication Publication Date Title
EP3123311B1 (en) Malicious code protection for computer systems based on process modification
JP5813884B2 (en) System and method for providing a threshold level for privilege use in a mobile network environment
US8769305B2 (en) Secure execution of unsecured apps on a device
CN103403669B (en) App is made to become safe method and the method preventing app damage equipment
US9405520B2 (en) Method for the dynamic creation of an execution environment for an application to secure the application, associated computer program product and computing apparatus
KR101373986B1 (en) Method and apparatus to vet an executable program using a model
WO2015096695A1 (en) Installation control method, system and device for application program
US20120137364A1 (en) Remote attestation of a mobile device
US7729690B1 (en) Backup and restore of user data for mobile telephone
US7533413B2 (en) Method and system for processing events
CN106687971A (en) Automated code lockdown to reduce attack surface for software
US11409868B2 (en) Ransomware detection and mitigation
Petracca et al. {AWare}: Preventing Abuse of {Privacy-Sensitive} Sensors via Operation Bindings
EP3270318B1 (en) Dynamic security module terminal device and method for operating same
US20190095285A1 (en) Backup and recovery of data files using hard links
Lee et al. Rcryptect: Real-time detection of cryptographic function in the user-space filesystem
CN111062032A (en) Anomaly detection method and system and computer-readable storage medium
Rahimi et al. Android security and its rooting—a possible improvement of its security architecture
Zhang et al. Design and implementation of efficient integrity protection for open mobile platforms
CN111222122A (en) Application authority management method and device and embedded equipment
CN106446682A (en) Security protection method and apparatus
CN115080983A (en) Kernel function hiding method and device, terminal device and storage medium
CN114662090A (en) File processing method, device, storage medium and system
Nazar et al. Rooting Android–Extending the ADB by an auto-connecting WiFi-accessible service
CN106709357A (en) Kernel internal storage monitoring based vulnerability prevention system for Android platform

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination