CN115576785A - Application program analysis method and device, electronic equipment and storage medium - Google Patents

Application program analysis method and device, electronic equipment and storage medium Download PDF

Info

Publication number
CN115576785A
CN115576785A CN202211190880.4A CN202211190880A CN115576785A CN 115576785 A CN115576785 A CN 115576785A CN 202211190880 A CN202211190880 A CN 202211190880A CN 115576785 A CN115576785 A CN 115576785A
Authority
CN
China
Prior art keywords
target application
application program
time
starting
system call
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211190880.4A
Other languages
Chinese (zh)
Inventor
蒋泽辉
叶立杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Hubei Topsec Network Security Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd, Hubei Topsec Network Security Technology Co Ltd filed Critical Beijing Topsec Technology Co Ltd
Priority to CN202211190880.4A priority Critical patent/CN115576785A/en
Publication of CN115576785A publication Critical patent/CN115576785A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3409Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
    • G06F11/3419Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment by assessing time
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3409Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
    • G06F11/3419Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment by assessing time
    • G06F11/3423Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment by assessing time where the assessed time is active or idle time
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/34Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3409Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment for performance assessment
    • G06F11/3428Benchmarking
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application provides an application program analysis method, an application program analysis device, electronic equipment and a storage medium, wherein the application program analysis method comprises the following steps: monitoring whether a target application program triggers a start action or not through first system call and monitoring whether the target application program triggers an end action or not through second system call, and recording the start time of the target application program and the end time of the target application program; and calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program. According to the method and the device, the starting time and the ending time of the application program can be obtained on the premise that the source code of the application program is not modified, and then the running duration of the application program is obtained based on the starting time and the ending time of the application program. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the method and the device can simultaneously acquire the end time and the starting time of the plurality of application programs.

Description

Application program analysis method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to an application analysis method and apparatus, an electronic device, and a storage medium.
Background
In some scenarios, performance analysis of an application is required, for example, when a system is started (or started), the performance analysis of the application is performed to calculate the time consumed for starting the application, and for this scenario, currently, there are two performance analysis methods for the application, the first method is to periodically scan all processes in the system by using system interrupt, so as to measure and calculate the starting time and the ending time of the processes, and the method needs to interrupt the current execution progress of the system, which may cause reduction in system execution efficiency and further reduction in system starting speed. The other method is to obtain the start time and the end time of the process in which the application program is located by modifying the source code of the application program, and the method needs to insert a code for obtaining the start time and the end time of the process into the source code of the application program, so the method needs to modify the source code and recompile the modified source code, and on the other hand, in the method, because the inserted code is only embedded into the source code of a specific application program, the method cannot obtain the start time and the end time of other application programs in the system.
Disclosure of Invention
An object of the embodiments of the present application is to provide an application analysis method, an application analysis device, an electronic device, and a storage medium, which are used to obtain a start time and an end time of an application on the premise of not modifying a source code of the application, and further obtain an operation duration of the application based on the start time and the end time of the application. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the method and the device can simultaneously acquire the end time and the starting time of the plurality of application programs.
In a first aspect, the present invention provides a method for application analysis, the method comprising:
after a first process of the system is started, monitoring whether a target application program triggers a starting action or not through hijacking a first system call and monitoring whether the target application program triggers an ending action or not through hijacking a second system call, wherein the first system call is an exeve system call, and the number of the target application programs is at least one;
when the target application program triggers the starting action, recording the starting time of the target application program;
when the target application program triggers the ending action, recording the ending time of the target application program;
and calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
In the first aspect of the application, after a first process of a system is started, whether a target application triggers a start action or not can be monitored by hijacking an execute system call, and on the other hand, whether a target application triggers an end action or not can be monitored by hijacking a second system call, so that the start time of the target application can be recorded when the target application triggers the start action, and the end time of the target application can be recorded when the target application triggers the end action, so that the running time of the target application can be calculated by the start time of the target application and the end time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the method and the device can simultaneously acquire the end time and the starting time of the plurality of application programs.
In the first aspect of the present application, as an optional implementation manner, the method further includes:
acquiring process information of the target application program;
and judging whether the process corresponding to the target application program is a foreground process or not based on the process information of the target application program.
In this optional embodiment, by acquiring the process information of the target application, it can be further determined whether the process corresponding to the target application is a foreground process based on the process information of the target application.
In the first aspect of the present application, as an optional implementation manner, the process information of the target application includes a process session ID of the target application and process standard input file information of the target application;
and the judging whether the process corresponding to the target application program is a foreground process or not based on the process information of the target application program comprises the following steps:
judging whether the process session ID of the target application program belongs to the process ID of the system starting script;
when the process session ID of the target application program is equal to the process ID of the system startup script, judging whether the process standard input of the target application program is empty equipment or not based on the process standard input file information of the target application program;
and when the process standard input of the target application program is not empty equipment, determining the process corresponding to the target application program as a foreground process.
In this optional embodiment, since the process information of the target application includes the process session ID of the target application and the process standard input file information of the target application, it can be determined that the process corresponding to the target application is a foreground process based on the process session ID of the target application and the process standard input file information of the target application, where when the process session ID of the target application is equal to the process ID of the system startup script and the standard input of the process corresponding to the target application is not an empty device, the process corresponding to the target application is the foreground process.
In the first aspect of the present application, as an optional implementation manner, the acquiring process information of the target application includes:
capturing a process descriptor structure of the target application program;
and determining the process information of the target application program based on the process descriptor structure of the target application program.
In this optional embodiment, by capturing the process descriptor structure of the target application, the process information of the target application can be determined based on the process descriptor structure of the target application.
In the first aspect of the present application, as an optional implementation, the method further includes:
when the system finishes the starting of all target application programs, if the target application programs do not trigger the ending action, recording the starting finishing time point of the system as the ending time of the target application programs.
In this optional embodiment, when the system finishes starting all the target applications, if the target application does not trigger the ending action, the starting completion time point of the system may be recorded as the ending time of the target application.
In an optional embodiment, the second system call comprises at least one of an exit system call and a kill system call.
In this optional embodiment, whether the target application triggers an end action can be monitored through exit system call and kill system call.
In a second aspect, the present invention provides an application analysis apparatus, the apparatus comprising:
the monitoring module is used for monitoring whether the target application program triggers a start action or not by hijacking a first system call and monitoring whether the target application program triggers an end action or not by hijacking a second system call after a first process of the system is started, wherein the first system call is an execute system call, and the number of the target application programs is at least one;
the first data processing module is used for recording the starting time of the target application program when the target application program triggers the starting action;
the second data processing module is used for recording the end time of the target application program when the target application program triggers the end action;
and the calculating module is used for calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
The device of the second aspect of the present application, by executing the application analysis method, can monitor whether the target application triggers the start action by hijacking the execute system call after the first process of the system is started, and on the other hand, can monitor whether the target application triggers the end action by hijacking the second system call, and can record the start time of the target application when the target application triggers the start action and record the end time of the target application when the target application triggers the end action, so that the running duration of the target application can be calculated by the start time of the target application and the end time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the end time and the start time of the plurality of application programs can be obtained simultaneously.
In a third aspect, the present invention provides an electronic device comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform an application analysis method as in any one of the preceding embodiments.
The electronic device of the third aspect of the present application, by executing the application analysis method, can monitor whether the target application triggers the start action by hijacking the execute system call after the first process of the system is started, and on the other hand, can monitor whether the target application triggers the end action by hijacking the second system call, and can record the start time of the target application when the target application triggers the start action and record the end time of the target application when the target application triggers the end action, so that the running duration of the target application can be calculated by the start time of the target application and the end time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the method and the device can simultaneously acquire the end time and the starting time of the plurality of application programs.
In a fourth aspect, the present invention provides a storage medium storing a computer program for execution by a processor of an application analysis method according to any one of the preceding embodiments.
The storage medium of the fourth aspect of the present application, by executing the application analysis method, can monitor whether the target application triggers the start action by hijacking the execute system call after the first process of the system is started, and on the other hand, can monitor whether the target application triggers the end action by hijacking the second system call, and can record the start time of the target application when the target application triggers the start action and record the end time of the target application when the target application triggers the end action, so that the running duration of the target application can be calculated by the start time of the target application and the end time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device have the advantages that the starting time and the ending time of the application program can be obtained on the premise that the source code of the application program is not modified, and further the running duration of the application program is obtained on the basis of the starting time and the ending time of the application program. On the other hand, the current execution progress of the system does not need to be interrupted, so that the starting speed of the system can be prevented from being reduced. On the other hand, the method and the device can simultaneously acquire the end time and the starting time of the plurality of application programs.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
FIG. 1 is a schematic flow chart diagram illustrating an application analysis method disclosed in an embodiment of the present application;
FIG. 2 is a schematic diagram of an execution process of a target application disclosed in an embodiment of the present application
Fig. 3 is a schematic structural diagram of an application program analysis apparatus according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a schematic flow chart of an application analysis method disclosed in an embodiment of the present application, and as shown in fig. 1, the method in the embodiment of the present application includes the following steps:
101. after a first process of the system is started, monitoring whether a target application program triggers a start action or not by hijacking a first system call and monitoring whether a target application program triggers an end action or not by hijacking a second system call, wherein the first system call is an execute system call, and the number of the target application programs is at least one;
102. when the target application program triggers a starting action, recording the starting time of the target application program;
103. when the target application program triggers an ending action, recording the ending time of the target application program;
104. and calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
In the embodiment of the application, after a first process of a system is started, whether a target application triggers a start action or not can be monitored by hijacking an exeve system call, on the other hand, whether a target application triggers an end action or not can be monitored by hijacking a second system call, so that the start time of the target application can be recorded when the target application triggers the start action, and the end time of the target application can be recorded when the target application triggers the end action, so that the running duration of the target application can be calculated by the start time of the target application and the end time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the embodiment of the application does not need to interrupt the current execution progress of the system, so that the starting speed of the system can be prevented from being reduced. On the other hand, the end time and the start time of the plurality of application programs can be acquired simultaneously.
In the embodiment of the present application, for step 101, the start-up process of the linux system sequentially includes: the method comprises the steps of powering on equipment, carrying out power-on self-test, loading a BIOS (basic input output System), determining starting equipment, loading a Boot loader, loading a kernel, initializing an initrd, running an init program (a first process for starting a system), loading a starting item (starting various application programs), prompting a user to log in and finishing system starting, wherein a target application program is started by the system after the init program is run, namely the target application program is started by the system after a first process of the system is started, and therefore hijacking of a first system call and a second system call needs to be started after the first process of the system.
In the embodiment of the present application, please refer to fig. 2 for step 101, and fig. 2 is a schematic diagram illustrating an execution process of a target application disclosed in the embodiment of the present application. As shown in fig. 2, in the linux system, the starting, ending and running processes of the application program are all realized through a C library function. The library C function is realized based on system call, for example, when an executable program and a script are started, exeve system call is called, in other words, the starting of each target application program is realized by calling the exeve system call, so that whether the target application program triggers a starting action or not can be monitored by hijacking the exeve system call, namely whether the target application program triggers the starting action or not can be monitored by hijacking a first system call. On the other hand, when the starting of each target application program is finished, the second system call is called, so that whether the target application program triggers the ending action or not can be monitored by hijacking the second system call.
In the embodiment of the present application, for step 101, the execute system call is a set of functional interfaces provided by the operating system.
In the embodiment of the present application, the target application refers to a program loaded by the system and oriented to an application layer, for example, the target application may be a browser, file editing software, or the like, and the type of the target application is not particularly limited in this application.
In this embodiment of the application, optionally, the second system call may include an exit system call, or include a kill system call, or include both an exit system call and a kill system call, for example, when the target application is naturally ended, it is started by calling the exit system call, and at this time, by hijacking the exit system call, it can be monitored whether the target application triggers an ending action. And when the target application program is forcibly ended, monitoring whether the target application program triggers an ending action or not through hijacking kill system call. Finally, whether the target application program triggers the ending action or not can be monitored through exit system call and kill system call. It should be noted that the exit system call and the kill system call are both a set of functional interfaces provided by the operating system.
In this embodiment of the application, for step 102, when the target application triggers the start action, the current time of the system may be stored in the specified storage space by acquiring the current time of the system as the start time of the target application, so as to record the start time of the target application.
In this optional embodiment, for step 103, when the target application triggers the ending action, the system current time may be acquired as the ending time of the target application, and then the system current time is stored in the specified storage space, so as to finally record the ending time of the target application.
In this optional embodiment, for step 104, a specific implementation manner of calculating the running duration of the target application based on the start time of the target application and the end time of the target application is as follows:
and subtracting the starting time of the target application program from the ending time of the target application program, and taking an operation result obtained by subtracting the starting time of the target application program from the ending time of the target application program as the running time of the target application program.
In this embodiment, as an optional implementation manner, the method in this embodiment further includes the following steps:
acquiring process information of a target application program;
and judging whether the process corresponding to the target application program is a foreground process or not based on the process information of the target application program.
In this optional embodiment, the process information of the target application refers to information for executing a process of the target application, for example, when the system starts the process a and executes the target application, the process information of the target application refers to the information of the process a.
In this alternative embodiment, the process of the target application may be divided into a background process and a foreground process, where the background process refers to a process running in the background, and the foreground process refers to a process capable of interacting with the user. It should be noted that, for detailed descriptions of the background process and the foreground process, please refer to the prior art, and details thereof are not described in the embodiments of the present application.
In this optional implementation, for some scenarios, the foreground process may block execution of the system start script (that is, the process of system start may be blocked, and the subsequent program may be executed only after the foreground process is executed), so that part of or all of the foreground processes need to be used as an optimization target, and thus the process type of the target application needs to be identified.
In this embodiment, as an optional implementation manner, the process information of the target application includes a process session ID of the target application and process standard input file information of the target application, and accordingly, the steps of: judging whether the process corresponding to the target application program is a foreground process or not based on the process information of the target application program, and comprising the following substeps:
judging whether the process session ID of the target application program belongs to the process ID of the system startup script;
when the process session ID of the target application program is equal to the process ID of the system startup script, judging whether the process standard input of the target application program is empty equipment or not based on the process standard input file information of the target application program;
and when the process standard input of the target application program is not the empty device, determining the process corresponding to the target application program as a foreground process.
For the optional embodiment, when the Linux/Unix system is started, a shell process is obtained by executing a shell script, and a terminal is started, and the terminal becomes a control terminal of the shell process, and the control terminal is information stored in a PCB. On the other hand, when a sub-process needs to be created, if the sub-process is a foreground process, the system can pull up the sub-foreground process based on the parent process of the shell process, wherein the session ID of the sub-foreground process is equal to the shell process ID by copying information in the PCB, in other words, if the created sub-foreground process is the sub-foreground process, the process session ID of the sub-foreground process is the same as the process ID of the shell process, and therefore, whether the process session ID of the target application belongs to the process ID of the system startup script or not can be identified by judging whether the process session ID of the sub-foreground process is the same as the process ID of the shell process or not, namely, whether the process of the target application belongs to the process ID of the system startup script or not. On the other hand, if the created child process is a background process, it will not inherit the session ID of the parent process based on the mechanisms of the linux system.
Based on the above, since the process information of the target application includes the process session ID of the target application and the process standard input file information of the target application, this optional embodiment can determine, based on the process session ID of the target application and the process standard input file information of the target application, that the process corresponding to the target application is determined to be a foreground process, where when the process session ID of the target application is equal to the process ID of the system startup script and the process standard input of the target application is not an empty device, the process corresponding to the target application is a foreground process.
In this optional embodiment, since the background process has no control terminal, the background process may close the standard input in order to avoid resource waste, and the foreground process needs a control terminal, so the foreground process may not close the standard input, in other words, by determining the standard input of one process, it may be determined whether the process is the background process or the foreground process, where when the standard input of one process is not closed, the process is the foreground process. Further, the process standard input file information records the standard input of the process, wherein when the process is a background process, the process standard input file information is "/dev/null", that is, the standard input of the process is a null device. Therefore, because the process information of the target application includes the process standard input file information of the target application, it can be determined whether the process corresponding to the target application is a foreground process by the process standard input file information of the target application, where when the process standard input of the target application is not an empty device and the process session ID is equal to the process ID of the system startup script, the process corresponding to the target application is the foreground process.
In addition, according to the optional embodiment, on the basis of the manner of determining that the process is the foreground process based on the process session ID, it is further determined whether the process corresponding to the target application is the foreground process according to the process standard input file information of the target application, so as to improve the identification accuracy of the foreground process.
In this embodiment, as an optional implementation manner, the obtaining process information of the target application includes:
capturing a process descriptor structure of a target application program;
and determining the process information of the target application program based on the process descriptor structure of the target application program.
In this optional embodiment, the process information of the target application program can be determined based on the process descriptor structure of the target application program by capturing the process descriptor structure of the target application program, where the process descriptor structure refers to struct task _ struct, also referred to as a process descriptor, and for a detailed description of the process descriptor, please refer to the prior art, which is not described in detail in the embodiments of the present application.
Further, since in some scenarios the system is based on a process that the target application starts, and the process does not end in the starting phase, for example, the process that the system starts is a daemon process, and the process does not trigger an end action in the starting phase, such a process cannot record its end time by monitoring whether it triggers the end action. For this scenario, as an optional implementation manner, the method in this embodiment of the present application further includes the following steps:
when the system finishes starting all the target application programs, if the target application programs do not trigger the ending action, recording the starting finishing time point of the system as the ending time of the target application programs.
In this optional embodiment, when the system completes the start of all target applications, if the target application does not trigger the end action, the start completion time point of the system may be recorded as the end time of the target application.
Example two
Referring to fig. 3, fig. 3 is a schematic structural diagram of an application analysis device disclosed in the embodiment of the present application, and as shown in fig. 3, the device in the embodiment of the present application includes the following functional modules:
the monitoring module 201 is configured to monitor whether a target application triggers a start action by hijacking a first system call and whether a target application triggers an end action by hijacking a second system call after a first process of the system is started, where the first system call is an execute system call and the number of the target applications is at least one;
the first data processing module 202 is used for recording the starting time of the target application program when the target application program triggers the starting action;
the second data processing module 203 is used for recording the end time of the target application program when the target application program triggers the end action;
and the calculating module 204 is configured to calculate the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
The device provided by the embodiment of the application can monitor whether the target application program triggers the starting action or not by hijacking the exeve system call after the first process of the system is started, on the other hand, can monitor whether the target application program triggers the ending action or not by hijacking the second system call, and further can record the starting time of the target application program when the target application program triggers the starting action and record the ending time of the target application program when the target application program triggers the ending action, so that the running time of the target application program can be calculated by the starting time of the target application program and the ending time of the target application program. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the embodiment of the application does not need to interrupt the current execution progress of the system, so that the starting speed of the system can be prevented from being reduced. On the other hand, the end time and the start time of the plurality of application programs can be acquired simultaneously.
Please refer to the related description of the first embodiment of the present application for other detailed descriptions of the apparatus in the embodiments of the present application, which are not repeated herein.
EXAMPLE III
Referring to fig. 4, fig. 4 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application, and as shown in fig. 4, the electronic device in the embodiment of the present application includes:
a processor 301; and
a memory 302 configured to store machine readable instructions that, when executed by the processor 301, perform the application analysis method of any of the preceding embodiments.
The electronic equipment provided by the embodiment of the application can monitor whether the target application triggers the starting action or not by hijacking the execute system call after the first process of the system is started, and on the other hand, can monitor whether the target application triggers the ending action or not by hijacking the second system call, so that the starting time of the target application can be recorded when the target application triggers the starting action, and the ending time of the target application can be recorded when the target application triggers the ending action, so that the running time of the target application can be calculated by the starting time of the target application and the ending time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the embodiment of the application does not need to interrupt the current execution progress of the system, so that the starting speed of the system can be prevented from being reduced. On the other hand, the end time and the start time of the plurality of application programs can be acquired simultaneously.
Example four
An embodiment of the present application provides a storage medium, in which a computer program is stored, and the computer program is executed by a processor to perform the application program analysis method according to any one of the foregoing embodiments.
The storage medium of the embodiment of the application can monitor whether the target application triggers the starting action or not by hijacking the execute system call after the first process of the system is started, and on the other hand, can monitor whether the target application triggers the ending action or not by hijacking the second system call, and further can record the starting time of the target application when the target application triggers the starting action and record the ending time of the target application when the target application triggers the ending action, so that the running time of the target application can be calculated by the starting time of the target application and the ending time of the target application. Further, since the execave system call and the second system call are hijacked, the starting time and the ending time of at least one target application program can be acquired simultaneously.
Compared with the prior art, the method and the device for obtaining the starting time and the ending time of the application program can obtain the starting time and the ending time of the application program on the premise of not modifying the source code of the application program, and further obtain the running time of the application program based on the starting time and the ending time of the application program. On the other hand, the embodiment of the application does not need to interrupt the current execution progress of the system, so that the starting speed of the system can be prevented from being reduced. On the other hand, the end time and the start time of the plurality of application programs can be acquired simultaneously.
In the embodiments provided in the present application, it should be noted that the disclosed apparatus, method, and storage medium can be applied in the following scenarios: the method is applied to performance optimization of a system startup starting item, wherein the startup starting item refers to a loading item which is triggered by equipment after startup without user operation and runs, and comprises various services and application programs. Second, the method is applied to performance analysis of the system, for example, the method is combined with CPU performance data to comprehensively analyze the performance of the system, so as to obtain a performance analysis report, where the CPU performance data can be obtained through a performance analysis tool perf, which is an open-source performance analysis tool and is mainly used to collect CPU time consumed by processes, and the principle is that an interrupt is generated on the CPU (each core) at intervals (set by a user), which process the current CPU runs is detected in an interrupt callback function, and then a sampling point is added to the corresponding process, and finally, the sampling points of all processes are counted to obtain sampling data of all processes on the CPU.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of one logic function, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above embodiments are merely examples of the present application and are not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. An application analysis method, the method comprising:
after a first process of the system is started, monitoring whether a target application program triggers a start action or not by hijacking a first system call and monitoring whether the target application program triggers an end action or not by hijacking a second system call, wherein the first system call is an exeve system call, and the number of the target application programs is at least one;
when the target application program triggers the starting action, recording the starting time of the target application program;
when the target application program triggers the ending action, recording the ending time of the target application program;
and calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
2. The method of claim 1, wherein the method further comprises:
acquiring process information of the target application program; and judging whether the process corresponding to the target application program is a foreground process or not based on the process information of the target application program.
3. The method of claim 2, wherein the process information of the target application includes process standard input file information of the target application and a process session ID of the target application.
4. The method of claim 3, wherein the determining whether the process corresponding to the target application is a foreground process based on the process information of the target application comprises:
judging whether the process session ID of the target application program belongs to the process ID of the system starting script;
when the process session ID of the target application program is equal to the process ID of the system startup script, judging whether the process standard input of the target application program is empty equipment or not based on the process standard input file information of the target application program;
and when the process standard input of the target application program is not the empty device, determining the process corresponding to the target application program as a foreground process.
5. The method of any of claims 2-4, wherein the obtaining process information for the target application comprises:
capturing a process descriptor structure of the target application program;
and determining the process information of the target application program based on the process descriptor structure of the target application program.
6. The method of claim 1, wherein the method further comprises:
when the system finishes starting all the target application programs, if the target application programs do not trigger the ending action, recording the starting finishing time point of the system as the ending time of the target application programs.
7. The method of claim 1, wherein the second system call comprises at least one of an exit system call, a kill system call.
8. An application analysis apparatus, the apparatus comprising:
the monitoring module is used for monitoring whether the target application program triggers a start action or not by hijacking a first system call and monitoring whether the target application program triggers an end action or not by hijacking a second system call after a first process of the system is started, wherein the first system call is an execute system call, and the number of the target application programs is at least one;
the first data processing module is used for recording the starting time of the target application program when the target application program triggers the starting action;
the second data processing module is used for recording the end time of the target application program when the target application program triggers the end action;
and the calculating module is used for calculating the running time length of the target application program based on the starting time of the target application program and the ending time of the target application program.
9. An electronic device, comprising:
a processor; and
a memory configured to store machine readable instructions that, when executed by the processor, perform the application analysis method of any of claims 1-7.
10. A storage medium, characterized in that the storage medium stores a computer program which is executed by a processor to perform the application analysis method according to any one of claims 1 to 7.
CN202211190880.4A 2022-09-28 2022-09-28 Application program analysis method and device, electronic equipment and storage medium Pending CN115576785A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211190880.4A CN115576785A (en) 2022-09-28 2022-09-28 Application program analysis method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211190880.4A CN115576785A (en) 2022-09-28 2022-09-28 Application program analysis method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115576785A true CN115576785A (en) 2023-01-06

Family

ID=84582457

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211190880.4A Pending CN115576785A (en) 2022-09-28 2022-09-28 Application program analysis method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN115576785A (en)

Similar Documents

Publication Publication Date Title
US10838838B2 (en) Method and apparatus for dealing with abnormality of application program and storage medium
US10303490B2 (en) Apparatus and method for optimizing startup of embedded system
JP2009540464A (en) Iterative static and dynamic software analysis
CN108776595B (en) Method, device, equipment and medium for identifying display card of GPU (graphics processing Unit) server
CN112882769A (en) Skill pack data processing method, skill pack data processing device, computer equipment and storage medium
CN108090352B (en) Detection system and detection method
CN115017505A (en) PE virus detection method and device, electronic equipment and storage medium
CN114115884B (en) Method and related device for managing programming service
CN113742224A (en) Test system, method, device, computer equipment and storage medium
CN112181388B (en) Initializing method and device of SDK (software development kit) component, storage medium and control terminal
CN115292201B (en) Function call stack parsing and backtracking method and device
CN115576785A (en) Application program analysis method and device, electronic equipment and storage medium
CN111352631A (en) Interface compatibility detection method and device
CN113672458B (en) Application program monitoring method, electronic equipment and storage medium
CN114356290A (en) Data processing method and device and computer readable storage medium
US11307920B2 (en) Automated crash recovery
CN110442380B (en) Data preheating method and computing equipment
CN112148318A (en) Application package issuing method, application method, device, medium, server and equipment
CN110837433A (en) Performance optimization method and device and electronic equipment
CN116775147B (en) Executable file processing method, device, equipment and storage medium
CN111045891A (en) Java multithreading-based monitoring method, device, equipment and storage medium
CN110888771A (en) Method and device for monitoring and analyzing process, electronic equipment and storage medium
CN115705294B (en) Method, device, electronic equipment and medium for acquiring function call information
CN112464228B (en) Application layer command auditing method, device and system and storage medium
CN112817663B (en) SECCOMP rule acquisition method and device for application program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination