CN115906066A - Process observation method and device, electronic equipment and readable storage medium - Google Patents

Process observation method and device, electronic equipment and readable storage medium

Info

Publication number: CN115906066A
Authority: CN (China)
Prior art keywords: target, observation, interceptor, virtual machine, interception point
Legal status: Granted
Application number: CN202310220220.4A
Other languages: Chinese (zh)
Other versions: CN115906066B (en)
Inventor: 游益锋
Current Assignee: Tianyi Cloud Technology Co Ltd
Original Assignee: Tianyi Cloud Technology Co Ltd
Application filed by Tianyi Cloud Technology Co Ltd
Priority to CN202310220220.4A
Publication of CN115906066A
Application granted; publication of CN115906066B
Legal status: Active

Classifications

    • Y: General tagging of new technological developments; general tagging of cross-sectional technologies spanning over several sections of the IPC; technical subjects covered by former USPC cross-reference art collections [XRACs] and digests
    • Y02: Technologies or applications for mitigation or adaptation against climate change
    • Y02D: Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The embodiment of the invention provides a process observation method and device, electronic equipment and a readable storage medium, and belongs to the technical field of computers. The process observation method comprises the following steps: acquiring observation parameters input by a user in the user state; in the user state, generating an interceptor corresponding to a preset interception point according to the observation parameters; installing the interceptor into a kernel virtual machine in the kernel state; in the kernel virtual machine, binding the interceptor with the system call function corresponding to the interception point; and, when a first process calls the system call function corresponding to any interception point, observing the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute by means of the interceptor bound with that system call function in the kernel virtual machine, and outputting the observation result to the user state for display whenever an observation result exists. The running state of the process tree corresponding to the target ancestor process can thereby be observed accurately and in real time.

Description

Process observation method and device, electronic equipment and readable storage medium
Technical Field
The invention belongs to the technical field of computers, and particularly relates to a process observation method, a process observation device, electronic equipment and a readable storage medium.
Background
With the development of computer technology, more and more system software is being produced, and the security and stability of that software can be assured by observing how its processes run.
Currently, a process observation tool is generally used to observe a system process.
However, the process observation tools in current use mainly focus on observing a single process, and need to read a large amount of content from a specified file directory and perform system calls frequently, which brings high performance overhead and a limited number of observation points. In addition, with respect to software operation security, when the lifetime of a malicious process spawned by a malicious program is short, such a short-lived process cannot be captured accurately, which leaves a serious hidden danger to system security.
Disclosure of Invention
The invention provides a process observation method, a process observation device, electronic equipment and a readable storage medium, which are used to solve the technical problems of high performance overhead and limited observation points in conventional software process observation approaches.
In a first aspect, the present invention provides a process observation method, including:
acquiring observation parameters input by a user in a user state; the observation parameters comprise a target ancestor process, target characteristic attributes and preset interception points;
in a user state, generating an interceptor corresponding to the preset interception point according to the observation parameters; installing the interceptor into a kernel virtual machine in a kernel state;
in the kernel virtual machine, binding the interceptor with a system call function corresponding to the interception point;
and, when a first process calls the system call function corresponding to any interception point, observing the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor bound with that system call function in the kernel virtual machine, and outputting the observation result to the user state for display whenever an observation result exists.
In a second aspect, the present invention provides a process observation system, the system comprising: a parameter transmission component, a code installation component, a kernel virtual machine and a result display component;
the parameter transmission component is used for acquiring observation parameters input by a user and sending the observation parameters to the code installation component in a user state; the observation parameters comprise a target ancestor process, target characteristic attributes and preset interception points;
the code installation component is used for receiving the observation parameters sent by the parameter transmission component; under the user state, generating an interceptor corresponding to the preset interception point according to the observation parameters; installing the interceptor into the kernel virtual machine in a kernel state;
the kernel virtual machine is used for binding the interceptor installed by the code installation component with the system call function corresponding to the interception point; when a first process calls the system call function corresponding to any interception point, observing the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor bound with that system call function in the kernel virtual machine; and outputting the observation result to the result display component in the user state for display whenever an observation result exists;
and the result display component is used for acquiring the observation result output by the kernel virtual machine and displaying the observation result in a user mode.
In a third aspect, the present invention provides an electronic device comprising: a processor, a memory and a computer program stored on the memory and executable on the processor, the processor implementing the process observation method described above when executing the program.
In a fourth aspect, the present invention provides a readable storage medium, wherein instructions of the storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the process observation method described above.
In the embodiment of the invention, the interceptor corresponding to the preset interception point in the observation parameters is generated in the user mode according to the observation parameters input by the user; the interceptor is then installed in the kernel virtual machine in the kernel mode, the interceptor is bound in the kernel virtual machine to the system call function corresponding to the interception point, and the system's running process tree is observed by the interceptor executing in the kernel virtual machine. Kernel functionality can therefore be adapted, used and extended without modifying the kernel, the number of system calls is reduced, and process tree observation is achieved with low performance overhead. Furthermore, because the interceptor is bound to the system call function corresponding to the interception point, the interceptor is triggered to observe the process tree exactly when a process reaches the preset interception point, so that the running state of the process tree corresponding to the target ancestor process can be observed accurately and in real time according to the observation parameters set by the user.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating steps of a process observation method according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating steps of another method for process observation provided by embodiments of the present invention;
FIG. 3 is a flowchart illustrating steps of a process observation method according to another embodiment of the present invention;
FIG. 4 is a diagram of process creation logic provided by an embodiment of the invention;
FIG. 5 is a logic block diagram of a process observation system according to an embodiment of the present invention;
FIG. 6 is a logic block diagram of another process observation system provided by embodiments of the present invention;
FIG. 7 is a logic block diagram of an electronic device according to an embodiment of the present invention.
Reference numerals:
500: a process observation system; 510: a parameter passing component; 520: a code installation component; 530: a kernel virtual machine; 540: a result presentation component; 531: an interceptor component; 550: a data processing component; 560: a data storage component.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Fig. 1 is a flowchart of steps of a process observation method according to an embodiment of the present invention, and as shown in fig. 1, the method may include:
Step 110, acquiring the observation parameters input by the user in the user state.
The observation parameters comprise a target ancestor process, target characteristic attributes and preset interception points.
In the embodiment of the invention, the target ancestor process is the ancestor process that the user has selected for observation, and it can be selected by its PID (process identifier). The target feature attribute is a feature attribute of the target ancestor process and its descendant processes; specifically, it is the information of at least one field of the PCB (process control block) which the user, according to the observation requirements, selects from the PCBs of the target ancestor process and its descendants and which must be collected during process tree observation.
Specifically, in a Linux system (GNU/Linux, a freely distributed Unix-like operating system), the characteristic attributes of a process are described by its PCB, which corresponds to the task structure and includes fields such as the process identifier (pid), the process command (comm) and the process state (state). The real_parent pointer points to the task_struct of the parent process; by following real_parent recursively from the task_struct of any process, the creation relationship between processes is obtained, ending at the PCB of process PID 1. Whether a process needs to be included in the observation scope is determined by comparing whether one of its ancestors has the PID of the target ancestor process.
In the embodiment of the invention, the preset interception point is a corresponding system call when a target process performs a certain system call operation when running, and the target process is a target ancestor process and a descendant process thereof. And when the target ancestor process and the descendant process carry out the system call, carrying out the observation operation of the process tree corresponding to the target ancestor process. The preset interception point is at least one preset interception point, different preset interception points correspond to different system calls, and a user can input different preset interception points to a user state according to different observation requirements.
Step 120, in a user state, generating an interceptor corresponding to the preset interception point according to the observation parameters; and installing the interceptor into a kernel virtual machine in a kernel state.
It should be noted that, in the user mode, after the observation parameters input by the user are obtained and before the interceptors corresponding to the preset interception points are generated from them, the observation parameters may be further processed: they are compiled, together with the actual service logic code, into observation parameter code that the kernel virtual machine in the kernel mode can recognize, and only then is the step of generating the interceptors corresponding to the preset interception points performed in the user mode.
Specifically, the interceptors are execution codes corresponding to preset interception points generated based on observation parameters input by a user, and different preset interception points correspond to different interceptors. Illustratively, the first interceptor comprises execution logic corresponding to a first preset interception point corresponding to the first interceptor, and when the target process runs to the first interception point, the first interceptor is executed and the observation result corresponding to the observation parameter is output.
It should be noted that, in the embodiment of the present invention, the kernel virtual machine (VM) is an eBPF (Extended Berkeley Packet Filter) virtual machine. The eBPF virtual machine is a register-based virtual machine that runs BPF (Berkeley Packet Filter) programs, just-in-time compiled inside the Linux kernel, using a custom 64-bit RISC (Reduced Instruction Set Computer) instruction set, and it can access a subset of kernel functions and memory.
In the embodiment of the invention, after the interceptor corresponding to the preset interception point in the observation parameters is generated according to the observation parameters, the interceptor is installed in the kernel virtual machine in the kernel state. The kernel virtual machine may include an interceptor module, and installing the interceptor in the kernel virtual machine in the kernel mode may specifically be writing an execution code corresponding to the interceptor in the kernel virtual machine in the kernel mode.
It should be noted that, specifically, installing the interceptor in the kernel virtual machine in the kernel mode may be copying a code of the interceptor into a space of the kernel virtual machine in the kernel mode.
Step 130, binding the interceptor and the system call function corresponding to the interception point in the kernel virtual machine.
The system call interface is the set of all system calls implemented by an operating system, i.e. its application programming interface (API); it is the interface between the application and the system. The main function of the operating system is to manage hardware resources and to provide application developers with an environment that makes applications more portable. To this end, the kernel mode provides a series of kernel functions with predefined functionality, i.e. system call functions, presented to the user through a set of interfaces called system calls. A system call passes the application's request to the kernel mode, invokes the corresponding kernel function to perform the required processing, and returns the result to the application.
In the embodiment of the present invention, the binding of the interceptor and the system call function corresponding to the interception point is specifically that, after the interceptor is installed in the kernel virtual machine in the kernel state, the interceptor corresponding to the preset interception point is bound with the system call function corresponding to the preset interception point provided by the kernel virtual machine in the kernel virtual machine, so that in a case that the first process calls the system call function corresponding to the interception point, the execution of the interceptor bound with the system call function is triggered, that is, the execution code of the interceptor is executed, and the observation operation is performed on the process tree to which the first process belongs.
Step 140, when the first process calls the system call function corresponding to any interception point, observing the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor bound with that system call function in the kernel virtual machine, and outputting the observation result to the user state for display whenever an observation result exists.
It should be noted that the first process is any one of the currently running system processes, and the first process may be any one of the target ancestor process and a descendant process of the target ancestor process, or may be a non-target ancestor process and a descendant process of the non-target ancestor process.
In the embodiment of the invention, when the first process calls the system call function corresponding to any interception point, an interceptor bound with the system call function corresponding to the interception point in the kernel virtual machine is triggered, and the process tree to which the first process belongs is observed by the interceptor according to the target ancestor process and the target characteristic attribute in the observation parameters input by the user.
Specifically, when the first process is the target ancestor process or a descendant of it, the process tree to which the first process belongs is observed according to the target ancestor process and the target characteristic attribute to obtain an observation result, and the observation result is output to the user state for display whenever it exists. When the first process is determined to be neither the target ancestor process nor one of its descendants, the interceptor terminates its observation of the process tree to which the first process belongs, no observation result is produced, and the step of outputting an observation result to the user state is not performed.
In summary, in the embodiment of the present invention, the interceptor corresponding to the interception point preset in the observation parameters is generated in the user mode according to the observation parameters input by the user; the interceptor is then installed in the kernel virtual machine in the kernel mode, bound in the kernel virtual machine to the system call function corresponding to the interception point, and the system's running process tree is observed by the interceptor executing in the kernel virtual machine. Kernel functionality can therefore be adapted, used and extended without modifying the kernel, the number of system calls is reduced, and process tree observation is achieved with low performance overhead. Furthermore, because the interceptor is bound to the system call function corresponding to the interception point, the interceptor is triggered to observe the process tree exactly when a process reaches the preset interception point, so that the running state of the process tree corresponding to the target ancestor process can be observed accurately and in real time according to the observation parameters set by the user.
Fig. 2 is a flowchart of steps of another process observation method provided in an embodiment of the present invention, and as shown in fig. 2, the method may include:
Step 210, acquiring the observation parameters input by the user in the user state.
This step can refer to the detailed description of step 110, which is not repeated here.
Step 220, generating an interceptor corresponding to the preset interception point according to the observation parameters in a user state; and installing the interceptor into a kernel virtual machine in a kernel state.
This step can refer to the detailed description of step 120, and is not repeated herein.
Step 230, writing the code of the interceptor into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine in the kernel virtual machine.
Specifically, the system call function has a head space and a tail space in which it executes; the header information of the system call function is stored in its head space, and this header information may be empty before step 230 is executed.
In the embodiment of the invention, after the code of the interceptor has been written in the kernel virtual machine into the header information of the system call function corresponding to the interception point, a jump instruction can be set in that header information. When the first process calls the system call function corresponding to the interception point, the jump instruction in the header information is executed, control jumps to the interceptor written into the header information and the interceptor's code is executed, and after the interceptor's code has run, control returns through the jump instruction again.
It should be noted that, when the header information of the system call function is empty, that is, when the code of the interceptor has not been written into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine, a call by the first process to that system call function does not trigger execution of the interceptor's code.
Step 240, when the first process calls the process creation function corresponding to the process creation interception point, adding the first process to the target process set by the interceptor bound to the process creation function in the kernel virtual machine under the condition that the ancestor process of the first process is confirmed to be the target ancestor process.
The preset interception point in the observation parameters input by the user comprises a process creation interception point; and the system call function corresponding to the process creation interception point is a process creation function; further, in the user state, generating an interceptor corresponding to a preset interception point according to the observation parameter, specifically, generating a process creation interceptor corresponding to the process creation interception point. After the process creation interceptor is bound to the process creation function corresponding to the process creation interception point in the kernel virtual machine, step 240 is performed.
In the embodiment of the invention, under the condition that the first process calls the process creation function corresponding to the process creation interception point, the first process is added to the target process set under the condition that the ancestor process of the first process is confirmed to be the target ancestor process through the process creation interceptor bound with the process creation function in the kernel virtual machine.
It should be noted that the process creation interception point is a hook point (system call point) that intercepts the creation of any process among the system processes. Specifically, the process creation function corresponding to the process creation interception point is sys_clone (the system call that creates a child process under Linux, the child copying all flag attributes of the parent). It should be noted that sys_execute (a system call that creates a child process under Linux and copies the parent's content) and sys_fork (a system call that creates a child process under Linux and copies the parent's content) can also create a process or thread, and that sys_execute and sys_fork are wrappers built on sys_clone, that is, when sys_execute or sys_fork is called, sys_clone is eventually called. Therefore, placing the process creation interception point on sys_clone intercepts process creation operations more completely.
Specifically, the interceptor may obtain the PCB information of the first process through the program's variable pointer, determine from the parent PCB referenced in the first process's PCB whether the parent of the first process is the target ancestor process, and then determine from the parent PCB referenced in that parent's PCB whether the grandparent is the target ancestor process, and so on, tracing back through all ancestors of the first process to check whether they include the target ancestor process. If the ancestors of the first process include the target ancestor process, the first process is added to the target process set; if they do not, the first process is not a target process requiring observation, the step of adding it to the target process set is not executed, and the execution flow of the current process creation interceptor ends.
In the embodiment of the invention, the target process set is a target process set which is created based on observation parameters input by a user and corresponds to a target ancestor process, and the target process set comprises a target ancestor process and a descendant process thereof in a running state in the current system process. The target process set may be created according to a target ancestor process in the observation parameters, and the target ancestor process is included in the target process set as a first element of the target process set. And updates the set of target processes after performing step 240 to ensure that all target processes currently in a running state are included in the set of target processes.
It should be noted that all processes in the target process set are stored in a preset format that expresses the process family relationship. Illustratively, if the target processes are the target ancestor process P1, its direct child process P33, the direct child process P55 of P33, and the direct child process P66 of P55, then the processes P1, P33, P55 and P66 are stored in the target process set in the format { P1, P1 → P33, P33 → P55, P55 → P66 }. Through this preset storage format, the association between the target processes corresponding to the target ancestor process, namely the process tree, is presented directly in the target process set.
The target ancestor process in the observed parameter may be a plurality of different target ancestor processes, and the plurality of different target ancestor processes correspond to a plurality of different sets of target processes.
In the embodiment of the present invention, in step 240, the first process is added to the target process set, that is, after the target process set is updated, the updated target process set is the observation result when the first process is created, and the observation result is output to the user state for displaying.
In the embodiment of the invention, the preset interception point comprises a process creation interception point, and can be used for accurately intercepting any descendant process of a target ancestor process through a process creation interceptor when the descendant process of the target ancestor process is created, so that the problem that the precise observation cannot be carried out due to short time of some processes is avoided, and the first process is added to the target process set through the interceptor bound with the process creation function in the kernel virtual machine under the condition that the first process calls the process creation function corresponding to the process creation interception point, so that the target process set can be updated in real time when any descendant process of the target ancestor process is created, and the accuracy of an observation result output to a user mode is ensured.
Optionally, step 240 may be followed by the steps of:
Step 241, when the first process calls the process destruction function corresponding to the process destruction interception point, removing the first process from the target process set, provided the first process is confirmed to be in the target process set, through the interceptor bound with the process destruction function in the kernel virtual machine.
The preset interception point in the observation parameters input by the user can also comprise a process destruction interception point; and the system calling function corresponding to the process destroying interception point is a process destroying function; further, in the user state, an interceptor corresponding to a preset interception point is generated according to the observation parameters, and specifically, the interceptor is a process destruction interceptor corresponding to the process destruction interception point. And in the kernel virtual machine, after the process destruction interceptor is bound with the process destruction function corresponding to the process destruction interception point, executing the step 241.
In the embodiment of the invention, under the condition that the first process calls the process destroying function corresponding to the process destroying interception point, the first process is removed from the target process set under the condition that the first process is confirmed to be in the target process set through the process destroying interceptor bound with the process destroying function in the kernel virtual machine.
It should be noted that the process destruction interception point is a hook point that intercepts destruction or exit operations of any process in the system process, and specifically, the process destruction function corresponding to the process destruction interception point may be sys _ exit _ group (system call destruction sub-process under linux).
Specifically, when the first process calls the process destruction function corresponding to the process destruction interception point, whether the first process is in the target process set can be determined through the process identification number of the first process. Wherein the process identifier of the first process may be determined based on the PCB information of the first process.
In the embodiment of the invention, under the condition that the first process is confirmed to be in the target process set, the first process is removed from the target process set; and under the condition that the first process is not confirmed to be in the target process set, the first process is not the target process needing to be observed, the step of removing the first process from the target process set is not executed, and the execution flow of the current process destruction interceptor is ended.
In step 241, the first process is removed from the target process set, that is, after the target process set is updated, the updated target process set is the observation result when the first process is destroyed, and the observation result is output to the user state for display.
In the embodiment of the invention, the preset interception point comprises a process creation interception point and a process destruction interception point, the creation and destruction of any descendant process of the target ancestor process can be accurately intercepted by a process creation interceptor and a process destruction interceptor respectively, after the destruction of any descendant process of the target ancestor process, the process destruction operation can be accurately captured by the process interceptor, and the target process set is updated by removing the destroyed process from the target process set, so that the accuracy of the observation result output to the user state is further ensured.
Optionally, step 240 may be followed by the steps of:
Step 242, under the condition that the first process calls the target function corresponding to the target function interception point, acquiring the attribute information of the target characteristic attribute of each process in the target process set, through the interceptor bound to the target function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set.
The preset interception points in the observation parameters input by the user can also comprise at least one target function interception point, and the system call function corresponding to each target function interception point is taken as a target function. It should be noted that one target function interception point corresponds to one target function, and different target function interception points correspond to different target functions.
Further, in the user state, an interceptor corresponding to the preset interception point is generated according to the observation parameters; specifically, the interceptor is a target function interceptor corresponding to the target function interception point. After the target function interceptor is bound to the target function corresponding to the target function interception point in the kernel virtual machine, step 242 is performed.
In the embodiment of the invention, under the condition that the first process calls the target function corresponding to the target function interception point, the attribute information of the target characteristic attribute of each process in the target process set is obtained through the target function interceptor bound with the target function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set.
It should be noted that the target function interception point is a hook point that intercepts any process in the system when it executes a target function; different target function interception points correspond to different target functions. Specifically, when the target function is a write function, the target function corresponding to the target function interception point may be sys_write (the write system call under Linux); when the target function is a read function, it may be sys_read (the read system call under Linux); when the target function is a function for opening a file, it may be sys_open (the file-open system call under Linux). The specific target function may be set by the user according to different process observation needs, which is not specifically limited in the embodiment of the present invention.
Specifically, when the first process calls a target function corresponding to the target function interception point, whether the first process is in the target process set can be confirmed through the process identifier of the first process. The process identifier of the first process may be determined based on the PCB information of the first process.
In the embodiment of the invention, under the condition that the first process is confirmed to be in the target process set, the attribute information of the target characteristic attribute of each process in the target process set is obtained; under the condition that the first process is not confirmed to be in the target process set, the first process is not a target process that needs to be observed, the step of acquiring the attribute information of the target characteristic attribute of each process in the target process set is not executed, and the execution flow of the current target function interceptor ends.
It should be noted that the attribute information of the target characteristic attribute of each process in the target process set is acquired from the PCB information of each process in the target process set according to the target characteristic attribute in the observation parameters. The attribute information of the target characteristic attribute of a given process may be the information of all characteristic attributes in the PCB information of the process, or the information of only a part of them; the user may set the target characteristic attribute according to actual process observation and analysis needs, which is not specifically limited in this embodiment of the present invention.
In the embodiment of the present invention, the preset interception point may include a process creation interception point and may also include a target function interception point. After the first process is created, and in the case where the first process calls the target function corresponding to the target function interception point, the attribute information of the target characteristic attribute of each process in the target process set is acquired by the target function interceptor bound to the target function in the kernel virtual machine, provided the first process is confirmed to be in the target process set. Through the target function interception point input by the user, the target ancestor process and its descendant processes can be accurately intercepted when they call the target function corresponding to that interception point, and the attribute information of the target characteristic attribute of each target process in the target process set at that moment is acquired, so that the running state of the process tree corresponding to the target ancestor process is observed accurately; in addition, the target function interception point can be adjusted according to actual observation requirements, so that the accuracy of process tree observation is ensured while the diversity and flexibility of process tree observation are improved.
Optionally, outputting the observation result to the user state for presentation, in the case that an observation result exists, may include:
Sub-step 2421, arranging the attribute information of the target characteristic attribute of each process into the observation result in the preset format.
It should be noted that when the attribute information of the target characteristic attribute of each process in the target process set is acquired, the specific time at which the first process calls the target function corresponding to the target function interception point may also be acquired, and the process identification number of the first process, that time, and the acquired attribute information of the target characteristic attribute of each process in the target process set are arranged into the observation result in the preset format. The preset format of the observation result may be set according to specific presentation requirements, which is not specifically limited in the embodiment of the present invention. Illustratively, when the target process set contains N processes, the observation result in the preset format may be [ { process 1, time 1, attribute information 1 }, { process 2, time 2, attribute information 2 }, …, { process N, time N, attribute information N } ].
Sub-step 2422, outputting the observation result to the user mode for display.
In the embodiment of the present invention, outputting the observation result to the user mode for display specifically means that the observation result is output to the data processing component of the user mode; the data processing component processes the observation result, generates the log corresponding to the observation result and delivers the log to the result display component, and the result display component formats and displays the log corresponding to the observation result.
It should be noted that the processing of the observation result by the data processing component may specifically include operations such as sorting, deduplication, normalization and formatting of the observation result.
Step 250, sending the observation result to the target storage area of the kernel mode, and providing a target file handle based on the target storage area.
It should be noted that the target file handle is the target file handle corresponding to the target storage area, and the user-mode display process obtains the observation result from the target storage area through the target file handle.
Step 260, the user-mode display process accesses the target file handle, acquires the observation result from the target storage area, and displays the observation result.
In the embodiment of the invention, after the kernel virtual machine sends the observation result to the target storage area of the kernel mode, the user-mode display process obtains the observation result from the target storage area by accessing the target file handle. The user-mode display process may specifically include an observation processing process and an observation display process.
Optionally, sending the observation result to the target storage area of the kernel mode and providing a target file handle based on the target storage area may include:
Sub-step 2601, when the observation result is the target process set, sending the target process set to a first target storage sub-area of the kernel state, and providing a first target file handle based on the first target storage sub-area.
Sub-step 2602, when the observation result is the attribute information of the target characteristic attribute of each process, sending that attribute information to a second target storage sub-area of the kernel state, and providing a second target file handle based on the second target storage sub-area.
The target storage area may include the first target storage sub-area and the second target storage sub-area; specifically, the first target storage sub-area is used for storing the target process set, and the second target storage sub-area is used for storing the attribute information of the target characteristic attribute of each process.
In the embodiment of the present invention, the observation result may include the target process set and the attribute information of the target characteristic attribute of each process.
Specifically, when the first process calls the process creation function corresponding to the process creation interception point, the first process is added to the target process set by the interceptor bound to the process creation function in the kernel virtual machine, under the condition that the ancestor process of the first process is confirmed to be the target ancestor process; at this time, the observation result is the target process set after the first process has been added to it.
Under the condition that the first process calls the process destruction function corresponding to the process destruction interception point, the first process is removed from the target process set by the interceptor bound with the process destruction function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set; at this time, the observation result is the target process set after the first process has been removed from it.
Under the condition that the first process calls the target function corresponding to the target function interception point, the attribute information of the target characteristic attribute of all processes in the target process set is acquired by the interceptor bound with the target function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set; at this time, the observation result is the attribute information of the target characteristic attribute of all processes in the target process set.
In the embodiment of the invention, based on the correspondence between target storage areas and target file handles, a first target file handle based on the first target storage sub-area and a second target file handle based on the second target storage sub-area are provided, so that the user-state display process can access the first and second target file handles, obtain observation results from the first and second target storage sub-areas respectively, and display them.
Optionally, after sub-step 2602, the method may further include:
Sub-step 2603, releasing the memory corresponding to the attribute information of the target characteristic attribute of each process in the second target storage sub-area, when the target storage area is the second target storage sub-area.
In the embodiment of the present invention, after the user-mode display process has accessed the second target file handle to obtain the observation result from the second target storage sub-area, and has processed and displayed it, the memory occupied by that observation result in the second target storage sub-area may be released. Because the memory capacity of the target storage area has an upper limit, releasing the attribute information of the target characteristic attribute of each process after the user-mode display process has acquired it through the second target file handle and processed it avoids the problem that a newly generated observation result is lost because the second target storage sub-area is still occupied.
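The two sub-areas, their two handles and the release of sub-step 2603 can be modelled as a small store with a snapshot region and a bounded record region. The Python below is an added example, not code from the patent or its assignee; SET_HANDLE, ATTR_HANDLE, TargetStorageArea and consume_attributes are names assumed for this example, and the capacity is a constructed value. It shows the failure mode the text warns about: once the attribute region is full, further observation results are dropped until the user-mode display process releases it.

```python
"""Model of the kernel-mode target storage area with two sub-areas (added example).

The first sub-area holds the latest target process set and is simply replaced on
each write; the second holds attribute records, has a fixed capacity and must be
released by the consumer, otherwise later records are dropped.
"""
from collections import deque

SET_HANDLE = 1    # stands in for the first target file handle (process set)
ATTR_HANDLE = 2   # stands in for the second target file handle (attribute records)


class TargetStorageArea:
    def __init__(self, attr_capacity):
        self._process_set = None            # first sub-area: one snapshot
        self._attr_records = deque()        # second sub-area: bounded records
        self._attr_capacity = attr_capacity # constructed upper limit of the region
        self.dropped = 0                    # results lost because the region was full

    # Kernel virtual machine side: step 250 / sub-steps 2601-2602.
    def write(self, handle, result):
        """Return True when the result was stored, False when it was dropped."""
        if handle == SET_HANDLE:
            self._process_set = result      # the set is a snapshot: replace it
            return True
        if handle == ATTR_HANDLE:
            if len(self._attr_records) >= self._attr_capacity:
                self.dropped += 1           # the loss described in the text
                return False
            self._attr_records.append(result)
            return True
        raise ValueError("unknown target file handle %r" % (handle,))

    # User-mode display process side: step 260 / sub-step 2603.
    def read(self, handle):
        if handle == SET_HANDLE:
            return self._process_set
        if handle == ATTR_HANDLE:
            return list(self._attr_records)
        raise ValueError("unknown target file handle %r" % (handle,))

    def release(self, handle):
        """Free the attribute sub-area after its records were consumed; returns
        the number of records released (the set sub-area is never released)."""
        if handle != ATTR_HANDLE:
            return 0
        freed = len(self._attr_records)
        self._attr_records.clear()
        return freed


def consume_attributes(area):
    """Read the attribute records, then release the region so new results fit."""
    records = area.read(ATTR_HANDLE)
    area.release(ATTR_HANDLE)
    return records


if __name__ == "__main__":
    area = TargetStorageArea(attr_capacity=2)
    area.write(SET_HANDLE, "{P1, P1 → P2}")
    for pid in ("P1", "P2", "P3"):
        print(pid, "stored" if area.write(ATTR_HANDLE, {"process": pid}) else "dropped")
    print("consumed:", consume_attributes(area), "dropped so far:", area.dropped)
```

The capacity here is deliberately tiny so that the third record is dropped; the point is that the consumer must release after each read, not that two records is a realistic size.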
Optionally, observing, by the interceptor bound to the system call function in the kernel virtual machine, the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute, when the first process calls the system call function corresponding to any interception point, may include:
Sub-step 1401, when the first process calls a system call function corresponding to any interception point, reading the first information in the process control block of the first process by the interceptor bound to the system call function in the kernel virtual machine.
It should be noted that the first information in the process control block of the first process is the PCB information of the first process.
Sub-step 1402, acquiring the second information in the process control block of each ancestor process corresponding to the first process based on the first information.
In the embodiment of the present invention, the process control block of the first process and the process control block of the immediate ancestor process of the first process are connected by a doubly linked list; similarly, the process control block of that immediate ancestor process and the process control block of its own immediate ancestor process are also connected by a doubly linked list. Therefore, based on the first information of the first process, the second information of all ancestor processes corresponding to the first process can be acquired by following the doubly linked list recursively.
It should be noted that the ancestor processes corresponding to the first process may include { the direct ancestor process of the first process, the direct ancestor process of that direct ancestor process, …, the No. 1 process corresponding to the first process }. For example, when the first process is the P66 process and the creation relationship of the P66 process is P1 → P33 → P55 → P66, the ancestor processes of the P66 process comprise { P1, P33, P55 }; when the first process is the P66 process and the creation relationship of the P66 process is P1 → P2 → P10 → P23 → P34 → P66, the ancestor processes of the P66 process comprise { P1, P2, P10, P23, P34 }.
The second information in the process control block of each ancestor process corresponding to the first process may be the PCB information of each ancestor process corresponding to the first process.
Sub-step 1403, performing the observation operation on the process tree to which the first process belongs based on the second information and the target characteristic attribute.
Specifically, the observation operation is performed on the process tree to which the first process belongs based on the second information in the process control block of each ancestor process corresponding to the first process and the target characteristic attribute.
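Sub-steps 1401 to 1403 amount to a walk up the parent links of the process control blocks. The Python below is an added example, not code from the patent or its assignee: the process control blocks are constructed dictionaries whose "parent" entry stands in for the parent pointer of the kernel's task structure, and the names SAMPLE_PCBS, CORRUPT_PCBS, ancestors, in_target_tree and observe are assumptions of this example. It uses the page's P1 → P33 → P55 → P66 chain and also shows a check a real interceptor needs: a bound on the walk, so that a damaged or cyclic parent chain cannot keep the hook running indefinitely.

```python
"""Ancestor walk over process control blocks (sub-steps 1401-1403), added example."""

MAX_DEPTH = 64   # bound the walk so a damaged parent chain cannot loop forever

# Constructed PCB table for the page's P1 -> P33 -> P55 -> P66 creation chain.
# P1's parent "P0" is deliberately absent, so the walk ends at P1 (the No. 1 process).
SAMPLE_PCBS = {
    "P1":  {"parent": "P0",  "comm": "init"},
    "P33": {"parent": "P1",  "comm": "bash"},
    "P55": {"parent": "P33", "comm": "make"},
    "P66": {"parent": "P55", "comm": "cc1"},
    "P70": {"parent": "P0",  "comm": "kthreadd"},   # not below P1
}

# Constructed corrupted table: two blocks that name each other as parent.
CORRUPT_PCBS = {"X": {"parent": "Y"}, "Y": {"parent": "X"}}


def ancestors(pcb_table, pid, max_depth=MAX_DEPTH):
    """Return the ancestor PIDs of `pid`, root first (P1, P33, P55 for P66).

    The walk stops at a block whose parent is itself or is not in the table
    (the root), at a PID missing from the table, or after `max_depth` hops.
    """
    chain = []
    current = pid
    for _ in range(max_depth):
        block = pcb_table.get(current)
        if block is None:
            break
        parent = block.get("parent")
        if parent is None or parent == current or parent not in pcb_table:
            break
        chain.append(parent)
        current = parent
    chain.reverse()
    return chain


def in_target_tree(pcb_table, pid, target_ancestor):
    """True when `pid` is the target ancestor process or one of its descendants."""
    return pid == target_ancestor or target_ancestor in ancestors(pcb_table, pid)


def observe(pcb_table, pid, target_ancestor, target_attributes):
    """Sub-step 1403: when the calling process belongs to the target tree, return
    the target attributes of the target ancestor, each intermediate ancestor and
    the process itself, root first; otherwise None (no observation result)."""
    if not in_target_tree(pcb_table, pid, target_ancestor):
        return None
    lineage = ancestors(pcb_table, pid) + [pid]
    start = lineage.index(target_ancestor)   # ancestors above the target are not observed
    return [
        {"process": p, **{a: pcb_table[p].get(a) for a in target_attributes}}
        for p in lineage[start:]
    ]


if __name__ == "__main__":
    print(ancestors(SAMPLE_PCBS, "P66"))
    print(observe(SAMPLE_PCBS, "P66", "P33", ("comm",)))
    print(len(ancestors(CORRUPT_PCBS, "X", max_depth=8)), "hops on a cyclic chain")
```

Slicing the lineage at the target ancestor is a design choice of this example: the page's sets start at the target ancestor, so nothing above it is reported even though a real PCB chain continues up to the No. 1 process.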
Optionally, before step 130, the method may further include:
Step 131, in the user mode, receiving an observation enable instruction.
In the embodiment of the invention, the observation enable instruction is an instruction that enables the kernel virtual machine to carry out process observation. In step 120, in the user mode, the interceptor corresponding to the preset interception point is generated according to the observation parameters and installed into the kernel virtual machine of the kernel mode; step 130 is then executed based on the received observation enable instruction.
Step 132, inputting the observation enable instruction into the kernel virtual machine.
Step 133, binding, by the kernel virtual machine, the interceptor corresponding to the observation enable instruction with the system call function corresponding to the interception point.
In the embodiment of the invention, since there are different preset interception points, a user can input an observation enable instruction for a particular preset interception point. After the kernel virtual machine receives the observation enable instruction, it binds the interceptor corresponding to that instruction with the system call function corresponding to the interception point; once the interceptor corresponding to the observation enable instruction is bound with the system call function corresponding to the interception point, under the condition that the first process calls that system call function, the process tree corresponding to the target ancestor process can be observed through the interceptor bound with the system call function in the kernel virtual machine.
Fig. 3 is a flowchart of steps of another process observation method provided in an embodiment of the present invention, and as shown in fig. 3, the method may include:
step 301, start.
Step 302, obtaining the observation parameters input by the user.
In the embodiment of the invention, in the user state, the observation parameters input by the user are obtained; the observation parameters can comprise a target ancestor process, a target characteristic attribute and a preset interception point.
Step 303, opening up a target storage area.
Specifically, a target storage area is opened up according to the target characteristic attribute in the observation parameters obtained in step 302 and the memory capacity of the current terminal device; the target storage area is used for storing the observation result that the kernel virtual machine obtains by observing the process tree and outputs.
Step 304, installing the interceptor into the kernel virtual machine, and binding the interceptor with the system call function corresponding to the preset interception point.
Specifically, the interceptor is generated according to the observation parameters and corresponds to the preset interception point in the observation parameters; an interceptor is essentially a piece of code with a specific function.
Installing the interceptor into the kernel virtual machine may specifically be copying the code of the interceptor into the space of the kernel virtual machine in the kernel state; binding the interceptor with the system call function corresponding to the preset interception point may specifically be writing the code of the interceptor into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine, within the kernel virtual machine.
Step 305, determining whether a preset interception point is reached.
Specifically, during the running of the system processes, the calls made by the first process to the system call function corresponding to any interception point are monitored; if the first process calls the system call function corresponding to any interception point, it is determined that the preset interception point is reached and step 306 is executed; if the first process does not call the system call function corresponding to any interception point, it is determined that the preset interception point is not reached and step 308 is executed.
Step 306, observing the process tree.
It should be noted that when the first process calls a system call function corresponding to any interception point, the process tree is observed after it is determined that execution of the system call function has reached the preset interception point.
Specifically, when the first process calls a system call function corresponding to any interception point, the interceptor bound to the system call function in the kernel virtual machine performs the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute.
Step 307, sending the observation result to the target storage area.
Specifically, the observation result is sent to the target storage area when an observation result exists. An observation result exists when the first process is the target ancestor process or a descendant process of the target ancestor process, and it is sent to the target storage area; when the first process is neither the target ancestor process nor a descendant process of the target ancestor process, the first process is not a target process that needs to be observed, there is no observation result, and the execution flow of the current target function interceptor ends.
Step 308, determining whether the process tree has ended.
Specifically, if it is determined that the process tree has ended, step 309 is executed; if it is determined that the process tree has not ended, step 305 is executed.
The process tree has ended when both the target ancestor process and the descendant processes of the target ancestor process have terminated; in that case the process tree observation task based on the target ancestor process is finished, and step 309 is executed to end the observation of the process tree corresponding to the target ancestor process.
If it is determined that the process tree has not ended, the flow returns to step 305 to continue monitoring and determining whether the system processes have reached the preset interception point.
Step 309, end.
Illustratively, the embodiment of the present invention further provides a process observation method, which may include:
step 401, in the user state, acquiring an observation parameter input by a user.
The observation parameters comprise a target ancestor process, target characteristic attributes and preset interception points. Specifically, the PID of the target ancestor process is P1; the preset interception points comprise a process creation interception point corresponding to the creation of descendant processes of the target ancestor process P1, whose process creation function may be sys_clone, a process destruction interception point corresponding to the destruction of descendant processes of the target ancestor process P1, whose process destruction function may be sys_exit_group, and a target function interception point, whose target function is sys_open; the target characteristic attributes include the process command comm and the file name filename of the open call.
Step 402, opening up a target storage area.
This step can refer to the detailed description of step 303, which is not repeated herein.
Step 403, installing the interceptor into the kernel virtual machine.
Specifically, the interceptor is generated according to the observation parameters and corresponds to the preset interception point in the observation parameters; an interceptor is essentially a piece of code with a specific function.
Installing the interceptor into the kernel virtual machine may specifically be copying the code of the interceptor into the space of the kernel virtual machine in the kernel state.
Step 404, enabling the interceptor and enabling the result presentation component.
In the embodiment of the present invention, enabling the interceptor may bind the interceptor with the system call function corresponding to the preset interception point; specifically, binding the interceptor with the system call function corresponding to the preset interception point may be writing the code of the interceptor into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine, within the kernel virtual machine.
After the interceptor is enabled, when the first process calls the system call function corresponding to any interception point, the interceptor bound to the system call function in the kernel virtual machine may perform the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute, and when the first process is a descendant process of the target ancestor process, an observation result is output. Therefore, after the interceptor is enabled, the result presentation component is also enabled, so that the observation result output by the kernel virtual machine is presented in the user mode in time through the result presentation component.
Step 405, under the condition that the first process calls the process creation function sys_clone corresponding to the process creation interception point, adding the first process to the target process set through the interceptor bound with the process creation function in the kernel virtual machine, under the condition that the ancestor process of the first process is confirmed to be the target ancestor process.
Exemplarily, Fig. 4 is a schematic diagram of process creation logic provided by an embodiment of the present invention. As shown in Fig. 4, the first process may be the P2 process; by confirming that the ancestor process of the P2 process is the P1 process, that is, the target ancestor process, the P2 process is added to the target process set, after which the target process set may be represented as { P1, P1 → P2 }. Similarly, the first process may be the P4 process; by confirming that the ancestor processes of the P4 process are the P2 process and the P1 process, and that the P1 process is the target ancestor process, the P4 process is added to the target process set, after which the target process set may be represented as { P1, P1 → P2, P1 → P3, P2 → P4 }.
Step 406, under the condition that the first process calls the process destruction function sys_exit_group corresponding to the process destruction interception point, removing the first process from the target process set through the interceptor bound to the process destruction function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set.
Illustratively, as shown in Fig. 4, the first process may be the P4 process; by confirming that the P4 process is in the target process set { P1, P1 → P2, P1 → P3, P2 → P4 }, the P4 process is removed from that target process set, after which the target process set may be represented as { P1, P1 → P2, P1 → P3 }.
Step 407, when the first process calls the target function sys_open corresponding to the target function interception point, acquiring the attribute information of the target characteristic attribute of each process in the target process set through the interceptor bound to the target function in the kernel virtual machine, under the condition that the first process is confirmed to be in the target process set.
Illustratively, as shown in Fig. 4, the first process may be the P4 process; by confirming that the P4 process is in the target process set { P1, P1 → P2, P1 → P3, P2 → P4 }, the attribute information of the target characteristic attribute of each process in the target process set is obtained, that is, the attribute information of the target characteristic attributes of the P1, P2, P3 and P4 processes respectively, and this attribute information is used as the observation result at time T4. The observation result at time T4, adjusted to the preset format, may be [ { P1, T1, attribute information 1 }, { P2, T2, attribute information 2 }, { P3, T3, attribute information 3 }, { P4, T4, attribute information 4 } ]; it should be noted that if the P3 process has been destroyed by time T4, the obtained observation result may be [ { P1, T1, attribute information 1 }, { P2, T2, attribute information 2 }, { P4, T4, attribute information 4 } ].
It should be noted that the times T1, T2, T3 and T4 are respectively the times at which the P1, P2, P3 and P4 processes call the system call function sys_open corresponding to the interception point, and that file 2, file 3 and file 4 are respectively the filename values of the files opened when the P2, P3 and P4 processes call sys_open.
Step 408, the observation result is sent to the target storage area.
This step can refer to the detailed description of step 307, which is not repeated here.
Step 409, the data processing component extracts the observation results from the target storage area.
Specifically, the data processing component in the user mode extracts the observation result in the target storage area, processes the observation result, generates a log corresponding to the observation result, and sends the log to the result display component.
Step 410, the result display component formats and displays the obtained observation result.
Specifically, after the result display component in the user mode obtains the log corresponding to the observation result sent by the data processing component, the log is formatted and displayed.
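The process-tree bookkeeping of steps 405 to 407, including the ancestor walk through process control blocks, as an added simulation that is not part of the patent and models no particular kernel virtual machine. The pids, filenames and clock ticks are constructed; the target process set is kept as the root plus parent-to-child edges, and each sys_open observation is emitted in the [{pid, time, attribute}] format used in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PCB:
    """Constructed process control block: pid, parent pid, (time, filename) of last sys_open."""
    pid: int
    ppid: Optional[int]
    last_open: Optional[Tuple[int, str]] = None


class ProcessTable:
    """Stand-in for the kernel task list from which the interceptors read PCBs."""
    def __init__(self) -> None:
        self.pcbs: Dict[int, PCB] = {}

    def spawn(self, pid: int, ppid: Optional[int]) -> None:
        self.pcbs[pid] = PCB(pid, ppid)

    def ancestors(self, pid: int) -> List[int]:
        """Read the caller's PCB (first information), then follow parent pointers
        through each ancestor's PCB (second information) up to the root."""
        chain: List[int] = []
        ppid = self.pcbs[pid].ppid
        while ppid is not None:
            chain.append(ppid)
            ppid = self.pcbs[ppid].ppid
        return chain


class ProcessTreeObserver:
    """The three interceptors of steps 405 to 407 plus the kernel-side storage area."""
    def __init__(self, table: ProcessTable, target_ancestor: int) -> None:
        self.table = table
        self.target_ancestor = target_ancestor
        self.members = {target_ancestor}         # pids in the target process set
        self.edges: List[Tuple[int, int]] = []   # parent -> child edges of the set
        self.storage: List[list] = []            # target storage area (kernel mode)

    def on_clone(self, child_pid: int) -> bool:
        """sys_clone interceptor: admit the child only if the target ancestor is on its chain."""
        if self.target_ancestor not in self.table.ancestors(child_pid):
            return False
        self.members.add(child_pid)
        self.edges.append((self.table.pcbs[child_pid].ppid, child_pid))
        return True

    def on_exit_group(self, pid: int) -> bool:
        """sys_exit_group interceptor: drop the process if it is in the set."""
        if pid not in self.members:
            return False
        self.members.discard(pid)
        self.edges = [edge for edge in self.edges if edge[1] != pid]
        return True

    def on_open(self, pid: int, filename: str, now: int) -> Optional[list]:
        """sys_open interceptor: for a member, record its attribute and emit every
        member's attribute in the preset [{pid, time, attr}, ...] format."""
        if pid not in self.members:
            return None
        self.table.pcbs[pid].last_open = (now, filename)
        observation = []
        for member in sorted(self.members):
            captured = self.table.pcbs[member].last_open
            if captured is not None:             # members that never opened a file are skipped
                observation.append({"pid": member, "time": captured[0], "attr": captured[1]})
        self.storage.append(observation)         # hand the result to the storage area
        return observation

    def describe_set(self) -> str:
        """Render the set in the page's notation, e.g. {P1, P1 -> P2, P2 -> P4}."""
        parts = [f"P{self.target_ancestor}"] + [f"P{a} -> P{b}" for a, b in self.edges]
        return "{" + ", ".join(parts) + "}"


def run_figure4_scenario(destroy_p3_before_t4: bool = False) -> tuple:
    """Replay the fig. 4 sequence with constructed pids, filenames and clock ticks.
    Returns (set before T4, whether an unrelated clone was admitted,
    observation at T4, set after P4 exits)."""
    table = ProcessTable()
    table.spawn(0, None)                         # init, outside the observed tree
    table.spawn(1, 0)                            # P1, the target ancestor process
    observer = ProcessTreeObserver(table, target_ancestor=1)
    observer.on_open(1, "/etc/hosts", 1)         # T1
    for pid, ppid, path, tick in ((2, 1, "/tmp/a", 2), (3, 1, "/tmp/b", 3)):
        table.spawn(pid, ppid)
        observer.on_clone(pid)
        observer.on_open(pid, path, tick)        # T2, T3
    table.spawn(4, 2)
    observer.on_clone(4)
    set_before_t4 = observer.describe_set()
    table.spawn(9, 0)                            # a process outside P1's tree
    unrelated_added = observer.on_clone(9)
    if destroy_p3_before_t4:
        observer.on_exit_group(3)
    observation_t4 = observer.on_open(4, "/tmp/c", 4)   # T4
    observer.on_exit_group(4)
    return set_before_t4, unrelated_added, observation_t4, observer.describe_set()
```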
In summary, in the embodiment of the present invention, an interceptor corresponding to an interception point preset in the observation parameters is generated in a user mode according to the observation parameters input by a user, the interceptor is then installed into a kernel virtual machine in a kernel mode, the interceptor is bound to the system call function corresponding to the interception point in the kernel virtual machine, and the process tree of the running system is observed based on the interceptor running in the kernel virtual machine. Therefore, kernel functions can be adjusted, used and extended without modifying the kernel, the number of system calls is reduced, and process tree observation is achieved with low performance overhead; furthermore, because the interceptor is bound to the system call function corresponding to the interception point, the interceptor is triggered to observe the process tree whenever a process reaches the preset interception point, so that the running state of the process tree corresponding to the target ancestor process can be observed accurately and in real time according to the observation parameters set by the user.
Fig. 5 is a logic block diagram of a process observation system according to an embodiment of the present invention. As shown in fig. 5, the process observation system 500 may include: a parameter passing component 510, a code installation component 520, a kernel virtual machine 530, and a result display component 540;
the parameter passing component 510 is configured to, in a user mode, obtain observation parameters input by a user and send the observation parameters to the code installation component 520; the observation parameters comprise a target ancestor process, a target characteristic attribute and preset interception points;
the code installation component 520 is configured to receive the observation parameters sent by the parameter passing component 510; in the user mode, generate an interceptor corresponding to the preset interception point according to the observation parameters; and install the interceptor into the kernel virtual machine 530 in a kernel mode;
the kernel virtual machine 530 is configured to bind the interceptor installed by the code installation component 520 with the system call function corresponding to the interception point; in a case that a first process calls the system call function corresponding to any interception point, observe the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor bound to that system call function in the kernel virtual machine 530; and, if an observation result exists, output the observation result to the user-mode result display component 540 for display;
the result display component 540 is configured to obtain the observation result output by the kernel virtual machine 530, and display the observation result in a user mode.
Optionally, the process observation system 500 may further include a data storage component;
the data storage component is used for opening up a target storage area in a kernel mode, and the target storage area is used for receiving an observation result output by the kernel virtual machine;
the result displaying component 540 is specifically configured to obtain an observation result output by the kernel virtual machine 530 from the target storage area of the data storage component, and display the observation result in a user mode;
the kernel virtual machine 530 is specifically configured to, if an observation result exists, output the observation result to the target storage area of the data storage component, so that the user-mode result display component 540 obtains the observation result from the target storage area of the data storage component and displays it in the user mode.
Optionally, the preset interception point may include: a process creation interception point; the system call function corresponding to the process creation interception point is a process creation function;
the kernel virtual machine 530 is specifically configured to, in a case that the first process calls the process creation function corresponding to the process creation interception point and it is determined that an ancestor process of the first process is the target ancestor process, add the first process to the target process set through the interceptor bound to the process creation function in the kernel virtual machine 530.
Optionally, the preset interception point may further include: a process destruction interception point; the system call function corresponding to the process destruction interception point is a process destruction function;
the kernel virtual machine 530 is specifically configured to, in a case that the first process calls the process destruction function corresponding to the process destruction interception point and it is determined that the first process is in the target process set, remove the first process from the target process set through the interceptor bound to the process destruction function in the kernel virtual machine 530.
Optionally, the preset interception point may further include: at least one target function interception point; the system call function corresponding to each target function interception point is a target function;
the kernel virtual machine 530 is specifically configured to, in a case that the first process calls the target function corresponding to the target function interception point and it is determined that the first process is in the target process set, obtain attribute information of the target characteristic attribute of each process in the target process set through the interceptor bound to the target function in the kernel virtual machine 530.
Optionally, the kernel virtual machine 530 is specifically configured to adjust attribute information of the target feature attribute of each process to an observation result in a preset format; and outputting the observation result to a result display component 540 of a user state for display.
Optionally, the kernel virtual machine 530 is specifically configured to, when the first process calls a system call function corresponding to any interception point, read first information in a process control block of the first process through the interceptor bound to the system call function in the kernel virtual machine 530; acquiring second information in the process control block of each ancestor process corresponding to the first process based on the first information; and carrying out observation operation on the process tree to which the first process belongs based on the second information and the target characteristic attribute.
Optionally, the kernel virtual machine 530 is specifically configured to write the code of the interceptor into header information of a system call function corresponding to the interception point provided by the kernel virtual machine 530.
Optionally, the parameter passing component 510 is further configured to, in the user mode, receive an observation enabling instruction and send the observation enabling instruction to the code installing component 520;
the code installation component 520 is further configured to receive an observation enabling instruction sent by the parameter passing component 510, and input the observation enabling instruction into the kernel virtual machine 530;
the kernel virtual machine 530 is further configured to receive an observation enabling instruction input by the code installation component 520, and bind an interceptor corresponding to the observation enabling instruction with a system call function corresponding to the interception point.
Optionally, fig. 6 is a logic block diagram of another process observation system provided in an embodiment of the present invention. As shown in fig. 6, the process observation system 500 may further include: an interceptor component 531 located in the kernel virtual machine 530, a data processing component 550, and a data storage component 560;
wherein the kernel virtual machine 530 can include an interceptor component 531;
the code installation component 520 is specifically configured to install the interceptor into an interceptor component 531 in the kernel virtual machine 530 in a kernel mode;
the kernel virtual machine 530 is specifically configured to bind, through the interceptor component 531, the interceptor installed by the code installation component 520 with the system call function corresponding to the interception point; in a case that the first process calls the system call function corresponding to any interception point, observe the process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor of the interceptor component 531 bound to that system call function in the kernel virtual machine 530; and, if an observation result exists, output the observation result through the interceptor component 531 to the target storage area in the kernel-mode data storage component 560;
The data storage component 560 is configured to open a target storage area in the kernel mode, and receive an observation result output by the interceptor component 531 in the kernel virtual machine 530 through the target storage area.
The data processing component 550 is configured to obtain an observation result from the target storage area in the kernel-mode data storage component 560, process the observation result to generate a log corresponding to the observation result, and send the log to the result display component 540.
The result displaying component 540 is configured to receive the log corresponding to the observation result sent by the data processing component 550, format the log corresponding to the observation result, and display the observation result.
Optionally, the kernel virtual machine 530 is specifically configured to send the observation result to a target storage area in the kernel-mode data storage component 560 through the interceptor component 531;
the data storage component 560 is specifically configured to, after receiving the observation result sent by the interceptor component 531 in the kernel virtual machine 530, provide a target file handle based on the target storage area; the observations are obtained from the target storage area by accessing the target file handle by the user-mode data processing component 550.
Optionally, the target storage area comprises a first target storage sub-region and a second target storage sub-region;
the kernel virtual machine 530 is specifically configured to, when the observation result is the target process set, send the target process set to a first target storage sub-region in the kernel-state data storage component 560 through the interceptor component 531; under the condition that the observation result is the attribute information of the target characteristic attribute of each process, the interceptor component 531 sends the attribute information of the target characteristic attribute of each process to a second target storage sub-region in the kernel-mode data storage component 560;
the data storage component 560 is specifically configured to, after receiving an observation result sent by the interceptor component 531 in the kernel virtual machine 530, provide a first target file handle based on the first target storage sub-region, and provide a second target file handle based on the second target storage sub-region.
Optionally, the data storage component 560 is further configured to, after the user-mode data processing component 550 has accessed the target file handle, acquired the observation result from the target storage area and displayed it through the result display component 540, release the memory corresponding to the attribute information of the target characteristic attribute of each process in the second target storage sub-region, if the target storage area is the second target storage sub-region.
To sum up, in the embodiment of the present invention, the parameter passing component 510 in the user mode obtains the observation parameters input by the user and sends them to the code installation component 520; the code installation component 520 generates the interceptor corresponding to the interception point preset in the observation parameters according to the observation parameters input by the user, then installs the interceptor into the kernel virtual machine 530 in the kernel mode; the interceptor is bound to the system call function corresponding to the interception point in the kernel virtual machine 530; the process tree of the running system is observed based on the interceptor running in the kernel virtual machine 530; and the observation result is output to the result display component 540 and displayed through it. Therefore, kernel functions can be adjusted, used and extended without modifying the kernel, the number of system calls is reduced, and process tree observation is achieved with low performance overhead; furthermore, because the interceptor is bound to the system call function corresponding to the interception point, the interceptor is triggered to observe the process tree whenever a process reaches the preset interception point, so that the running state of the process tree corresponding to the target ancestor process can be observed accurately and in real time according to the observation parameters set by the user.
An embodiment of the present invention further provides a process observation apparatus, which may include:
the observation parameter acquisition module is used for acquiring observation parameters input by a user in a user state; the observation parameters comprise a target ancestor process, target characteristic attributes and preset interception points;
the interceptor installation module is used for generating an interceptor corresponding to the preset interception point according to the observation parameters in a user state; installing the interceptor into a kernel virtual machine in a kernel mode;
the first interceptor binding module is used for binding the interceptor and a system calling function corresponding to the interception point in the kernel virtual machine;
and the process observation module is used for observing a process tree to which the first process belongs according to the target ancestor process and the target characteristic attribute through the interceptor bound with the system calling function in the kernel virtual machine under the condition that the first process calls the system calling function corresponding to any interception point, and outputting the observation result to a user state for displaying under the condition that the observation result exists.
Optionally, the process observation module may include:
the first process observation submodule is used for adding the first process to a target process set under the condition that the first process calls a process creation function corresponding to the process creation interception point and the ancestor process of the first process is confirmed to be a target ancestor process through the interceptor bound with the process creation function in the kernel virtual machine;
wherein the preset interception point comprises: a process creation interception point; and the system call function corresponding to the process creation interception point is a process creation function.
Optionally, the process observation module may include:
the second process observation submodule is used for removing the first process from the target process set under the condition that the first process calls a process destroying function corresponding to the process destroying interception point and the first process is confirmed to be in the target process set through the interceptor bound with the process destroying function in the kernel virtual machine;
wherein the preset interception point further comprises: a process destruction interception point; and the system call function corresponding to the process destruction interception point is a process destruction function.
Optionally, the process observation module may include:
the third process observation submodule is used for acquiring the attribute information of the target characteristic attribute of each process in the target process set, in a case that the first process calls the target function corresponding to the target function interception point and the first process is confirmed to be in the target process set through the interceptor bound to the target function in the kernel virtual machine;
wherein the preset interception point further comprises: at least one target function interception point; and the system call function corresponding to each target function interception point is a target function.
Optionally, the process observation module may include:
the observation result adjusting submodule is used for adjusting the attribute information of the target characteristic attribute of each process into an observation result in a preset format;
and the first observation result output submodule is used for outputting the observation result to a user state for displaying.
Optionally, the process observation module may include:
the file handle generation submodule is used for sending the observation result to a target storage area of a kernel state and providing a target file handle based on the target storage area;
and the second observation result output submodule is used for accessing the target file handle by a user-mode display process, acquiring the observation result from the target storage area and displaying the observation result.
Optionally, the file handle generation sub-module may include:
a first file handle generating unit, configured to, in a case that the observation result is the target process set, send the target process set to a first target storage sub-region in the kernel mode, and provide a first target file handle based on the first target storage sub-region;
a second file handle generating unit, configured to, in a case that the observation result is the attribute information of the target characteristic attribute of each process, send that attribute information to a second target storage sub-region in the kernel mode, and provide a second target file handle based on the second target storage sub-region;
wherein the target storage area comprises the first target storage sub-region and the second target storage sub-region.
Optionally, the process observation module may include:
the information reading sub-module is used for reading first information in a process control block of a first process through an interceptor bound with a system calling function in a kernel virtual machine under the condition that the first process calls the system calling function corresponding to any intercepting point;
the information acquisition submodule is used for acquiring second information in the process control block of each ancestor process corresponding to the first process based on the first information;
and the fourth process observation submodule is used for carrying out observation operation on the process tree to which the first process belongs based on the second information and the target characteristic attribute.
Optionally, the first interceptor binding module may include:
a code writing submodule, used for writing the code of the interceptor into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine.
Optionally, the process observation apparatus may further include:
the instruction receiving module is used for receiving an observation enabling instruction in a user state;
the instruction input module is used for inputting the observation enabling instruction into the kernel virtual machine;
and the second interceptor binding module is used for binding the interceptor corresponding to the observation enabling instruction and the system calling function corresponding to the interception point by the kernel virtual machine.
Optionally, the process observation apparatus may further include:
and the memory releasing module is used for releasing the memory corresponding to the attribute information of the target characteristic attribute of each process in the second target storage sub-area under the condition that the target storage area is the second target storage sub-area.
To sum up, in the embodiment of the present invention, the observation parameters input by the user are obtained by the observation parameter acquisition module in the user mode; the interceptor corresponding to the interception point preset in the observation parameters is generated by the interceptor installation module in the user mode according to those observation parameters and installed into the kernel virtual machine in the kernel mode; the interceptor is bound to the system call function corresponding to the interception point in the kernel virtual machine by the first interceptor binding module in the kernel mode; and the process tree of the running system is observed by the process observation module in the kernel mode based on the interceptor running in the kernel virtual machine. Therefore, kernel functions can be adjusted, used and extended without modifying the kernel, the number of system calls is reduced, and process tree observation is achieved with low performance overhead; furthermore, because the interceptor is bound to the system call function corresponding to the interception point, the interceptor is triggered to observe the process tree whenever a process reaches the preset interception point, so that the running state of the process tree corresponding to the target ancestor process can be observed accurately and in real time according to the observation parameters set by the user.
The present invention also provides an electronic device, see fig. 7, including: a processor 701, a memory 702, and a computer program 7021 stored on the memory and executable on the processor, the processor implementing the process observation method of the foregoing embodiment when executing the program.
The present invention also provides a readable storage medium, in which instructions, when executed by a processor of an electronic device, enable the electronic device to perform the process observation method of the foregoing embodiment.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
It should be noted that various information and data acquired in the embodiment of the present invention are acquired under the authorization of the information/data holder.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the invention and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the components in the devices in the embodiments may be adaptively changed and disposed in one or more devices different from the embodiments. The components or units or components of the embodiments may be combined into one component or unit or component, and further, may be divided into a plurality of sub-components or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
The various component embodiments of the invention may be implemented in hardware, or in software components running on one or more processors, or in a combination thereof. It will be appreciated by those skilled in the art that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in a sequencing device according to the present invention. The present invention may also be embodied as an apparatus or device program for carrying out a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The words first, second, third and so on do not indicate any ordering; they may be interpreted as names.
The user information (including but not limited to the device information of the user, the personal information of the user, etc.), related data, etc. related to the present invention are all information authorized by the user or authorized by each party.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of the changes or substitutions within the technical scope of the present invention, and shall cover the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (15)

1. A process observation method, comprising:
acquiring, in user mode, observation parameters input by a user, the observation parameters comprising a target ancestor process, target characteristic attributes and preset interception points;
generating, in user mode, an interceptor corresponding to the preset interception point according to the observation parameters, and installing the interceptor into a kernel virtual machine in kernel mode;
binding, in the kernel virtual machine, the interceptor to the system call function corresponding to the interception point; and
when a first process calls the system call function corresponding to any interception point, performing, through the interceptor bound to that system call function in the kernel virtual machine, an observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes, and outputting the observation result to user mode for display when an observation result exists.
2. The method of claim 1, wherein the preset interception points comprise a process creation interception point, the system call function corresponding to the process creation interception point being a process creation function; and
wherein performing, when the first process calls the system call function corresponding to any interception point, the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes through the interceptor bound to that system call function in the kernel virtual machine comprises:
when the first process calls the process creation function corresponding to the process creation interception point, adding, through the interceptor bound to the process creation function in the kernel virtual machine, the first process to a target process set upon confirming that an ancestor process of the first process is the target ancestor process.
3. The method of claim 2, wherein the preset interception points further comprise a process destruction interception point, the system call function corresponding to the process destruction interception point being a process destruction function; and
wherein performing, when the first process calls the system call function corresponding to any interception point, the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes through the interceptor bound to that system call function in the kernel virtual machine comprises:
when the first process calls the process destruction function corresponding to the process destruction interception point, removing, through the interceptor bound to the process destruction function in the kernel virtual machine, the first process from the target process set upon confirming that the first process is in the target process set.
4. The method of claim 2, wherein the preset interception points further comprise at least one target function interception point, the system call function corresponding to each target function interception point being a target function; and
wherein performing, when the first process calls the system call function corresponding to any interception point, the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes through the interceptor bound to that system call function in the kernel virtual machine comprises:
when the first process calls the target function corresponding to a target function interception point, acquiring, through the interceptor bound to that target function in the kernel virtual machine, the attribute information of the target characteristic attributes of each process in the target process set upon confirming that the first process is in the target process set.
5. The method of claim 4, wherein outputting the observation result to user mode for display when an observation result exists comprises:
arranging the attribute information of the target characteristic attributes of each process into an observation result in a preset format; and
outputting the observation result to user mode for display.
6. The method of claim 4, wherein outputting the observation result to user mode for display when an observation result exists comprises:
sending the observation result to a target storage area in kernel mode, and providing a target file handle based on the target storage area; and
obtaining, by a user-mode display process accessing the target file handle, the observation result from the target storage area, and displaying the observation result.
7. The method of claim 6, wherein the target storage area comprises a first target storage sub-region and a second target storage sub-region; and
wherein sending the observation result to the target storage area in kernel mode and providing the target file handle based on the target storage area comprises:
when the observation result is the target process set, sending the target process set to the first target storage sub-region in kernel mode, and providing a first target file handle based on the first target storage sub-region; and
when the observation result is the attribute information of the target characteristic attributes of each process, sending that attribute information to the second target storage sub-region in kernel mode, and providing a second target file handle based on the second target storage sub-region.
8. The method of claim 1, wherein performing, when the first process calls the system call function corresponding to any interception point, the observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes through the interceptor bound to that system call function in the kernel virtual machine comprises:
when the first process calls the system call function corresponding to any interception point, reading, through the interceptor bound to that system call function in the kernel virtual machine, first information in the process control block of the first process;
acquiring, based on the first information, second information in the process control block of each ancestor process of the first process; and
performing the observation operation on the process tree to which the first process belongs based on the second information and the target characteristic attributes.
9. The method of claim 1, wherein binding, in the kernel virtual machine, the interceptor to the system call function corresponding to the interception point comprises:
writing, in the kernel virtual machine, the code of the interceptor into the header information of the system call function corresponding to the interception point provided by the kernel virtual machine.
10. The method of claim 1, further comprising, before binding, in the kernel virtual machine, the interceptor to the system call function corresponding to the interception point:
receiving an observation enabling instruction in user mode;
inputting the observation enabling instruction into the kernel virtual machine; and
binding, by the kernel virtual machine, the interceptor corresponding to the observation enabling instruction to the system call function corresponding to the interception point.
11. The method of claim 7, further comprising, after the user-mode display process obtains the observation result from the target storage area by accessing the target file handle and displays it:
releasing, when the target storage area is the second target storage sub-region, the memory corresponding to the attribute information of the target characteristic attributes of each process in the second target storage sub-region.
12. A process observation system, comprising a parameter transmission component, a code installation component, a kernel virtual machine and a result display component, wherein:
the parameter transmission component is configured to acquire, in user mode, observation parameters input by a user and send the observation parameters to the code installation component, the observation parameters comprising a target ancestor process, target characteristic attributes and preset interception points;
the code installation component is configured to receive the observation parameters sent by the parameter transmission component, generate, in user mode, an interceptor corresponding to the preset interception point according to the observation parameters, and install the interceptor into the kernel virtual machine in kernel mode;
the kernel virtual machine is configured to bind the interceptor installed by the code installation component to the system call function corresponding to the interception point; when a first process calls the system call function corresponding to any interception point, perform, through the interceptor bound to that system call function in the kernel virtual machine, an observation operation on the process tree to which the first process belongs according to the target ancestor process and the target characteristic attributes; and, when an observation result exists, output the observation result to the result display component in user mode for display; and
the result display component is configured to acquire the observation result output by the kernel virtual machine and display it in user mode.
13. The process observation system of claim 12, further comprising a data storage component, wherein:
the data storage component is configured to open up a target storage area in kernel mode, the target storage area receiving the observation result output by the kernel virtual machine;
the result display component is specifically configured to acquire the observation result output by the kernel virtual machine from the target storage area of the data storage component and display it in user mode; and
the kernel virtual machine is specifically configured to, when an observation result exists, output the observation result to the target storage area of the data storage component, so that the user-mode result display component obtains the observation result from the target storage area of the data storage component and displays it in user mode.
14. An electronic device, comprising a processor, a memory and a computer program stored in the memory and executable on the processor, wherein the processor implements the process observation method of any one of claims 1 to 11 when executing the program.
15. A readable storage medium, wherein instructions in the storage medium, when executed by a processor of an electronic device, enable the electronic device to perform the process observation method of any one of claims 1 to 11.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310220220.4A CN115906066B (en) 2023-03-09 2023-03-09 Process observation method, device, electronic equipment and readable storage medium

Publications (2)

Publication Number Publication Date
CN115906066A true CN115906066A (en) 2023-04-04
CN115906066B CN115906066B (en) 2023-06-23

Family

ID=86489985

Country Status (1)

Country Link
CN (1) CN115906066B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030088807A1 (en) * 2001-11-07 2003-05-08 Mathiske Bernd J.W. Method and apparatus for facilitating checkpointing of an application through an interceptor library
CN101414277A (en) * 2008-11-06 2009-04-22 清华大学 Need-based increment recovery disaster-containing system and method based on virtual machine
CN103077353A (en) * 2013-01-24 2013-05-01 北京奇虎科技有限公司 Method and device for actively defending rogue program
CN104156662A (en) * 2014-08-28 2014-11-19 北京奇虎科技有限公司 Process monitoring method and device and intelligent terminal
CN104573422A (en) * 2015-01-08 2015-04-29 浪潮软件股份有限公司 Virtual machine-based application process operation method and device
CN114969744A (en) * 2022-06-23 2022-08-30 北京天融信网络安全技术有限公司 Process interception method and system, electronic device and storage medium

Also Published As

Publication number Publication date
CN115906066B (en) 2023-06-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP02 Change in the address of a patent holder
Address after: 100007 room 205-32, floor 2, building 2, No. 1 and No. 3, qinglonghutong a, Dongcheng District, Beijing
Patentee after: Tianyiyun Technology Co.,Ltd.
Address before: 100093 Floor 4, Block E, Xishan Yingfu Business Center, Haidian District, Beijing
Patentee before: Tianyiyun Technology Co.,Ltd.