WO2020019482A1 - Function hook detection method, function hook detection device, and computer-readable medium - Google Patents


Info

Publication number: WO2020019482A1
Authority: WO, WIPO (PCT)
Prior art keywords: function, device information, hooked, preset, target
Application number: PCT/CN2018/107745
Other languages: French (fr), Chinese (zh)
Inventor: 刘瑞恺
Original assignee: 平安科技(深圳)有限公司
Application filed by: 平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

A function hook detection method, a function hook detection device, and a computer-readable medium. The method comprises: when it is detected that a target terminal has an Xposed plug-in installed, acquiring a flag value of a target function in the target terminal (101); determining, according to the flag value, whether the target function has been hooked (102); when it is determined that the target function has been hooked, acquiring, from the memory of the target function, a target function pointer corresponding to the target function (103); and determining, according to pre-stored correspondences between function pointers and functions, the original function corresponding to the target function pointer, and replacing the target function with the original function (104). The method helps avoid false positives for hook behaviour and improves the accuracy of hook detection.

Description

Function hook detection method, detection device and computer-readable medium
This application claims priority to Chinese patent application No. 201810841834.3, filed with the Chinese Patent Office on July 27, 2018 and entitled "Function hook detection method, detection device and computer-readable medium", the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to a function hook detection method, a detection device and a computer-readable medium.
Background
Xposed is an open-source framework that provides a framework service through which self-written modules or code can alter a program's behaviour without modifying the source code of the Android package (APK). Some malicious actors use Xposed plug-ins to tamper with device information. Device risk identification products currently on the market generally cannot recognise such tampering; they typically determine whether hook behaviour exists only by detecting whether an Xposed plug-in is installed on the terminal. Determining hook behaviour solely from whether the Xposed plug-in is installed has a high false positive rate.
Summary
The present application provides a function hook detection method, a detection device and a computer-readable medium, which help avoid false positives of hook behaviour and improve the accuracy of hook detection.
In a first aspect, the present application provides a function hook detection method, including:
when it is detected that an Xposed plug-in is installed on a target terminal, obtaining a flag value of a target function in the target terminal, where the flag value is used to mark the state of the target function;
determining, according to the flag value, whether the target function has been hooked;
when it is determined that the target function has been hooked, obtaining, from the memory of the target function, a target function pointer corresponding to the target function;
determining, according to pre-stored correspondences between function pointers and functions, the original function corresponding to the target function pointer, and replacing the target function with the original function.
In a second aspect, the present application provides a detection device that includes units for performing the method of the first aspect.
In a third aspect, the present application provides another detection device, including a processor, a user interface, a communication interface and a memory, which are connected to each other. The memory is used to store a computer program that supports the detection device in performing the above method; the computer program includes program instructions, and the processor is configured to call the program instructions to perform the method of the first aspect.
In a fourth aspect, the present application provides a computer-readable storage medium that stores a computer program. The computer program includes program instructions which, when executed by a processor, cause the processor to perform the method of the first aspect.
Embodiments of the present application obtain the flag value of a function in the terminal that is to be checked for hooks and determine from that flag value whether the function has been hooked; when the function is determined to be hooked, the function pointer corresponding to it is obtained and used to identify the real original function, which then replaces the hooked function. This helps avoid false positives of hook behaviour, improves the accuracy of hook detection and, by restoring the real function, improves terminal security.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are described below.
FIG. 1 is a schematic flowchart of a function hook detection method according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of another function hook detection method according to an embodiment of the present application;
FIG. 3 is a schematic flowchart of a further function hook detection method according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a detection device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another detection device according to an embodiment of the present application.
Detailed description
The technical solutions in the embodiments of the present application are described below with reference to the drawings of those embodiments.
The technical solution of the present application can be applied to a detection device, which may include various terminals, servers, or risk identification products (devices) connected to a terminal, and which detects hook behaviour in the terminal. The terminal involved in this application may be a mobile phone, computer, tablet, smart watch, etc.; this application does not limit it. The Xposed open-source framework (also described as having an "Xposed plug-in installed") or another open-source framework is deployed on the terminal, and hook behaviour frequently occurs in such frameworks. A hook can change the result of executing a function, such as an Application Programming Interface (API) function, so malicious actors can use hooking to modify device information for illegitimate purposes. The present application makes it possible to discover such hook behaviour promptly.
In this application a function may also be referred to by other names, such as Method, ArtMethod, method, structure, Method structure, ArtMethod structure, or otherwise.
Specifically, the present application obtains the flag value of a function in the terminal and determines from that flag value whether the function has been hooked, which helps avoid false positives of hook behaviour and improves the accuracy of hook detection. Before obtaining the flag value, the detection device may check whether Xposed or another open-source framework or plug-in is installed on the terminal and obtain the flag value only when it is, so as to reduce device overhead. Further, when a function is determined to be hooked, the function pointer corresponding to it can be obtained and used to identify the real original function, which replaces the hooked function, so that the real function is restored and terminal security improved. Each of these is described in detail below.
Refer to FIG. 1, which is a schematic flowchart of a function hook detection method according to an embodiment of the present application. Specifically, as shown in FIG. 1, the method may include the following steps:
101. Obtain the flag value of a target function in a target terminal.
The target terminal may be any terminal on which hook detection is required, such as a terminal connected to a risk detection device, a terminal in a particular risk control scenario, or a terminal that has triggered hook detection (for example through a preset key, gesture or other preset trigger); this application does not limit it. Risk control scenarios may include a login scenario, a transaction scenario, an in-app coupon redemption scenario, and so on.
The target function may be any API function. In this application the detection device may perform hook detection on all functions in the terminal, such as all API functions, or only on some specified functions, such as the functions in a preset function list or functions that are frequently hooked, so as to reduce detection overhead and improve the efficiency of hook detection. The specified functions are usually the information functions required by a particular need or risk control scenario. For example, the specified function may be a positioning function, i.e. the function corresponding to location information: to prevent ride-hailing software from being fed forged locations, hook detection can be performed on positioning functions such as the GPS function. As another example, the specified function may be the device ID function: to obtain the device's real device ID, hook detection can be performed on the function that returns the device ID. As a further example, the specified functions may be those returning terminal environment information such as battery information, Wi-Fi information, 4G base station information, the list of installed apps, address book contents and boot time: to determine whether the target terminal is running in an emulator environment, hook detection can be performed on the functions that return such environment information. Further cases are not enumerated here.
Optionally, before obtaining the flag value of the target function in the target terminal (the function to be checked for hooks), the detection device may first detect whether an Xposed plug-in is installed on the target terminal (i.e. whether the Xposed framework is deployed), and obtain the flag value of the target function only when it is. This limits hook detection to the relevant environment, improves its reliability and reduces device overhead.
102. Determine, according to the flag value, whether the target function has been hooked.
The flag value marks the state of the target function. That state may indicate whether the function has been tampered with, or may be a read/write state, a blocking/non-blocking state, a state of exiting a process or program, a state of changing the contents of a file, and so on; whether the target function has been hooked can be determined from it. Specifically, every function has a corresponding flag, which is a variable; when a function is tampered with, its flag changes. The detection device can therefore determine whether a function has been hooked by checking whether its flag has changed, for example by comparing the obtained flag value (or the flag value after processing with a preset logical algorithm) with its default value (the fixed value it holds when untampered). If the flag value (or its processed value) has changed, i.e. differs from the default, the function has been hooked, meaning the device information corresponding to that function has been tampered with. The flag value may be stored in the memory corresponding to the target function.
103. When the target function is determined to be hooked, obtain from the memory of the target function the target function pointer corresponding to it.
The function pointer and the hooked function are stored in different fields of the same block of memory, and there is a mapping between function pointers and original functions, or between function pointers and the storage addresses of the original functions.
Optionally, after determining that the target function has been hooked, the detection device may also restore the hooked target function, so as to determine the real device information corresponding to it. Specifically, once a function such as the target function is determined to be hooked, the function pointer corresponding to it (the target function pointer above) can be read quickly from its memory and used to identify the original function corresponding to the target function, such as the native API, i.e. the real, unhooked function.
104. Determine, according to the pre-stored correspondences between function pointers and functions, the original function corresponding to the target function pointer, and replace the target function with the original function.
Once the target function pointer has been read from the memory corresponding to the target function, the original function corresponding to that pointer, i.e. the real Method, can be determined, and the target function can be replaced with it, restoring the hooked function. The detection device can then use the original function to obtain the real device information of the target terminal and control the operation of the terminal on the basis of that real information, for example by instructing the terminal to display a prompt requiring the user to enter verification information, or by refusing all access requests in the corresponding risk control scenario. Further cases are not enumerated here.
It should be understood that the original function pointer stored in that memory is not tampered with. By the working principle of the Xposed plug-in, before a target function is tampered with, the original information of the function is backed up and stored at a specific address in memory, namely the address the target function pointer points to. If that backup were also tampered with, the Xposed plug-in would no longer work correctly. Therefore the original function obtained at the specific address pointed to by the target function pointer is necessarily the correct function and is not tampered with.
In this embodiment of the present application, the detection device obtains the flag value of a function in the terminal, determines from it whether the function has been hooked and, when it has, obtains the function pointer corresponding to the function, identifies the real original function from that pointer and replaces the hooked function with it. This helps avoid false positives of hook behaviour, improves the accuracy of hook detection and, by restoring the real function, improves terminal security.
Refer to FIG. 2, which is a schematic flowchart of another function hook detection method according to an embodiment of the present application. Specifically, as shown in FIG. 2, the method may include the following steps:
201. Obtain the current device information of the target terminal.
Optionally, the current device information may include one or more of the model, brand, system version and risk control scenario information of the target terminal. The risk control scenario information may include a risk control scenario identifier and/or scenario description information, and indicates the risk control scenario the terminal is in. For example, the scenario identifier may be a login identifier, a transaction identifier, etc.; the scenario description information may describe the terminal as being in a login state, in a transaction state, etc. Further cases are not enumerated here.
202. Determine, according to preset correspondences between device information and function lists, the function list corresponding to the current device information.
The device information here corresponds to the current device information above and may include one or more of the terminal's model, brand, system version and risk control scenario information. Each function list includes at least one function that is hooked with relatively high frequency under the corresponding device information, for example the top M functions by hooking frequency (M being an integer greater than 0, e.g. 8) or the functions whose hooking frequency exceeds a preset frequency threshold; and/or the functions hooked a relatively large number of times under that device information, for example the top N functions by hook count (N being an integer greater than 0, e.g. 10) or the functions whose hook count exceeds a preset count threshold, and so on.
203. Obtain the flag value of a target function in the target terminal, the target function being a function in the function list corresponding to the current device information.
Specifically, the functions hooked in historical records can be grouped in advance by device information, giving the function group corresponding to each set of device information, and multiple function lists can be preset from those groups, each list containing the function group for one set of device information; this establishes the correspondence between device information and function lists. The detection device can then look up the function list for the current device information and perform hook detection only on the functions in that list rather than on every function in the terminal, which improves the efficiency of hook detection and reduces device overhead.
例如,该设备信息为终端的系统版本,并预先配置有不同系统版本对应的多个函数列表。则检测设备在对目标终端进行hook检测时,可以通过获取该目标终端的当前系统版本,进而查找出该当前系统版本对应的函数列表,该函数列表中的函数即为需要进行hook函数的函数。For example, the device information is the system version of the terminal, and multiple function lists corresponding to different system versions are pre-configured. Then, when the detection device performs a hook detection on the target terminal, it can obtain the current system version of the target terminal, and then find out a function list corresponding to the current system version. The functions in the function list are functions that need to perform a hook function.
又如,该设备信息为终端的风控场景信息,并预先配置有不同风控场景信息对应的多个函数列表。则检测设备在对目标终端进行hook检测时,可以通过获取该目标终端的当前风控场景信息,进而查找出该当前风控场景信息对应的函数列表,该函数列表中的函数即为需要进行hook函数的函数。In another example, the device information is wind control scenario information of the terminal, and multiple function lists corresponding to different wind control scenario information are pre-configured. When the detection device performs a hook detection on the target terminal, it can obtain the current wind control scenario information of the target terminal, and then find out the function list corresponding to the current wind control scenario information. The functions in the function list are hooks that need to be performed Functions of functions.
又如,该设备信息为终端的型号和风控场景信息,并预先配置有不同型号和风控场景信息对应的多个函数列表。则检测设备在对目标终端进行hook检测时,可以通过获取该目标终端的型号和当前风控场景信息,进而查找出与该目标终端的型号和当前风控场景信息对应的函数列表,该函数列表中的函数即为需要进行hook函数的函数。In another example, the device information is a model of a terminal and information on a wind control scenario, and multiple function lists corresponding to different models and information on a wind control scenario are pre-configured. Then when the detection device performs a hook detection on the target terminal, it can obtain the function list corresponding to the model of the target terminal and the current risk control scenario by obtaining the model of the target terminal and the current risk control scenario information. The function list The function in is the function that needs to perform the hook function.
204、根据该flag值确定该目标函数是否被hook。204. Determine whether the objective function is hooked according to the flag value.
Optionally, when determining from the flag value whether the target function is hooked, the detection device may compare the character at a preset position in the flag value with a preset fixed character; when the comparison shows that the character at the preset position differs from the fixed character, the target function is determined to be hooked. The number of characters at the preset position equals the number of characters of the fixed character, so that the two can be matched and compared. In other words, a change in the flag value may mean a change in one or more bits of the flag, and those one or more bits may be the bit or bits at a preset position of the flag. The detection device can therefore compare the bit or bits at the preset position of the obtained flag value with the fixed character the flag carries when it is untampered; if that bit or those bits have changed, i.e. they differ from the fixed character, the function is hooked, which is to say the device information corresponding to the function has been tampered with.
For example, on systems with Android versions above 4.4 and below 5.0, or on other systems, some Xposed plug-ins set one bit at a fixed position of a function's flag value to 1 when they hook the function, whereas for a normal, untampered function that bit of the flag value is 0 (that is, the fixed character described above). Therefore, by checking whether that fixed bit of a function's flag value is 0, one can tell whether the function has been hooked by an Xposed plug-in. That is, if the fixed bit of the checked function's flag value is not 0, the function has been hooked and tampered with.
Optionally, when determining from the flag value whether the target function is hooked, the detection device may also perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined from a preset string and the jump address used when a native function in the system executes; when the operation result value is a positive integer, the target function is determined to be hooked. In other words, the value obtained by processing the flag with the preset logical algorithm can likewise be compared with the fixed character, such as 0, that an untampered function yields; if the processed value has changed, i.e. it is not 0 but, for instance, some positive integer, the function is hooked.
For example, on systems with Android version 5.0 and above, or on other systems, if a logical algorithm such as the logical expression EntryPointFromJni && AccessFlags & 0x10000000 evaluates to a positive integer, the function has been tampered with; if the expression evaluates to 0 (that is, the fixed character), the function has not been tampered with. Here EntryPointFromJni may denote the jump address used when a native function executes, and AccessFlags is the flag described above.
Further optionally, before determining from the flag value whether the target function is hooked, the detection device may also determine the system version currently used by the target terminal and then, according to that system version, select the way in which it determines from the flag value whether the target function is hooked, so as to improve the efficiency of hook detection. The correspondence between system versions and hook-detection methods can be set in advance. For example, on the Android systems above 4.4 and below 5.0 mentioned above, the detection device may perform hook detection by comparing the character at the preset position of the flag value with the preset fixed character; on the Android systems 5.0 and above mentioned above, the detection device may perform hook detection after applying the preset logical algorithm to the flag value. Alternatively, the detection device may apply both hook-detection methods described above to a function and determine the function to be hooked as soon as the condition of either method is satisfied.
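The two flag checks described above, and the version-based choice between them, written out as an added C example that is not part of the patent. The `method_info_t` struct, the bit index used for the fixed-position check and the exact version thresholds are assumptions; the page itself names only the `EntryPointFromJni && AccessFlags & 0x10000000` expression and the 4.4/5.0 split.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the per-method metadata the detection device reads.
 * Assumption: real ART method structures differ by version; this only models
 * the two fields the page names. */
typedef struct {
    uint32_t  access_flags;          /* the method's "flag value" (AccessFlags) */
    uintptr_t entry_point_from_jni;  /* "EntryPointFromJni": jump address of a
                                        native function, 0 when there is none */
} method_info_t;

typedef struct { int major; int minor; } android_version_t;

typedef enum {
    CHECK_FIXED_BIT,     /* compare the character at a preset position with 0 */
    CHECK_LOGICAL_EXPR,  /* EntryPointFromJni && AccessFlags & 0x10000000     */
    CHECK_EITHER         /* no version mapping: hooked if either check fires   */
} check_mode_t;

/* Mask quoted on the page for the >= 5.0 check. */
#define XPOSED_HOOK_MASK 0x10000000u

/* Variant 1: the preset-position character must equal the fixed character 0.
 * The bit index is an assumed parameter; the page only says "a fixed position". */
bool hooked_by_fixed_bit(uint32_t access_flags, unsigned bit_index)
{
    uint32_t mask = 1u << (bit_index & 31u);
    return (access_flags & mask) != 0;   /* 1 where an untouched method has 0 */
}

/* Variant 2: the page's logical expression. Parenthesised explicitly because
 * in C '&' binds tighter than '&&', so the bare expression already means
 * entry && (flags & mask); a non-zero result means hooked, 0 means clean. */
bool hooked_by_logical_expr(const method_info_t *m)
{
    return (m->entry_point_from_jni != 0) &&
           ((m->access_flags & XPOSED_HOOK_MASK) != 0);
}

/* Version-to-method mapping described on the page: 4.4 <= v < 5.0 uses the
 * fixed-bit check, v >= 5.0 the logical expression; anything else falls back
 * to trying both (the "either condition" alternative). */
check_mode_t select_check_mode(android_version_t v)
{
    if (v.major >= 5) return CHECK_LOGICAL_EXPR;
    if (v.major == 4 && v.minor >= 4) return CHECK_FIXED_BIT;
    return CHECK_EITHER;
}

/* Step 204: decide from the flag value whether the target function is hooked. */
bool method_is_hooked(android_version_t v, const method_info_t *m, unsigned bit_index)
{
    switch (select_check_mode(v)) {
    case CHECK_FIXED_BIT:    return hooked_by_fixed_bit(m->access_flags, bit_index);
    case CHECK_LOGICAL_EXPR: return hooked_by_logical_expr(m);
    default:                 return hooked_by_fixed_bit(m->access_flags, bit_index) ||
                                    hooked_by_logical_expr(m);
    }
}

int main(void)
{
    /* Constructed sample values, not captured from a device. */
    const unsigned kAssumedBit = 3;
    method_info_t clean  = { 0x00000001u, 0 };
    method_info_t k_hook = { 0x00000001u | (1u << 3), 0 };
    method_info_t l_hook = { 0x00000001u | XPOSED_HOOK_MASK, 0x7f00 };
    android_version_t kitkat = { 4, 4 }, lollipop = { 5, 0 };

    printf("4.4 clean : %d\n", method_is_hooked(kitkat,   &clean,  kAssumedBit));
    printf("4.4 hooked: %d\n", method_is_hooked(kitkat,   &k_hook, kAssumedBit));
    printf("5.0 clean : %d\n", method_is_hooked(lollipop, &clean,  kAssumedBit));
    printf("5.0 hooked: %d\n", method_is_hooked(lollipop, &l_hook, kAssumedBit));
    return 0;
}
```

Note that on the 5.0+ path a set 0x10000000 bit alone is not enough: the expression also requires a non-zero native entry point, which is what keeps a plain flag value from being misread as a hook.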
205. When the target function is determined to be hooked, obtain the target function pointer corresponding to the target function from the target function's memory.
206. Determine, from the pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and replace the target function with the original function.
Specifically, for steps 205-206 refer to the corresponding description of the embodiment shown in FIG. 1 above; it is not repeated here.
207. Determine the target risk level of the target terminal, determine the control strategy corresponding to that target risk level according to the preset correspondence between risk levels and control strategies, and control the operation of the target terminal according to the determined control strategy.
In some optional embodiments, after the real information has been obtained through the original function, the risk level of the function tampering can be identified with the help of risk-control rules, and different control strategies can then be applied for different risk levels.
Optionally, after replacing the target function with the original function, the detection device may also obtain the device information corresponding to the original function and determine the priority of that device information, then determine from that priority the target risk level of the target function being hooked, so that the control strategy corresponding to the target risk level can be determined according to the preset correspondence between risk levels and control strategies and the operation of the target terminal controlled according to that strategy. In other words, the priority (importance level) of each item of device information, the risk level corresponding to each priority, and the control strategy corresponding to each risk level can all be preset. The higher the priority of the device information, the higher the risk level. The detection device can thus decide the control strategy for the target terminal according to the priority of the tampered device information, which gives it considerable flexibility.
Optionally, the detection device may also count the number of functions of the target terminal that were hooked within a preset time range, determine the target risk level of the target terminal from that number, then determine the control strategy corresponding to the target risk level according to the preset correspondence between risk levels and control strategies and control the operation of the target terminal accordingly. That is, the risk level may also be determined from the number of functions hooked on the terminal within the preset time range, for example the more hooked functions, the higher the risk level. Alternatively, the risk level may be determined from the number of times a function was hooked within the preset time range, for example the more hook events in that range, the higher the risk level, and so on. The detection device can thus decide the control strategy for the target terminal according to the number of hooked functions or the number of hook events, which again gives it considerable flexibility.
For example, risk levels may be divided into low, medium and high, or into level one, level two, level three, and so on. This application does not limit how risk levels are divided or determined. Control strategies may include: instructing the terminal to display a prompt requiring the user to enter verification information (at a lower risk level, e.g. a low-risk scenario); instructing the terminal to block the user's access requests in specific risk-control scenarios such as login, claiming in-app promotions (red envelopes, redeeming vouchers) or transactions (purchases, transfers and so on) (at a higher risk level, e.g. a medium-risk scenario); instructing the terminal to block all of the user's access requests (at a very high risk level, e.g. a high-risk scenario); and so on, which are not listed exhaustively here.
When malicious actors tamper with device information, it is mainly the app's service provider that is affected. For example, many "wool-pulling" (promotion-abuse) attackers modify phone information through a hook framework, so that a small number of phones can impersonate many fake phones, bypass the per-device limit on the number of claims, and claim and resell large quantities of promotional benefits offered by the service provider, such as spend-threshold discount coupons or phone-credit vouchers. Benefits meant for marketing are thus pocketed by a handful of attackers and fail to achieve their intended effect. With the function hook detection scheme of this application, hook behaviour on the terminal can be discovered in time and the real device information restored, reducing the impact of the tampering.
For example, consider the scenario of hooking the terminal's GPS information so that the terminal appears to be located at a specific place. Suppose a driver using a ride-hailing app fakes being near a hotspot area (i.e. hooks GPS to that area) in order to grab orders; or is not actually driving but fakes a route to fabricate trips and claim subsidies; or fakes step-count data to claim activity rewards, and so on. With the hook detection method of this application, the hooking of the GPS function and the tampering of the terminal's GPS information can be detected in time; after the real GPS information has been restored, if a discrepancy is found the user can be barred from claiming the reward, a reward already claimed can be revoked, and similar operations can even be blocked promptly.
As another example, consider the scenario of hooking the device ID. To prevent malicious users from registering large numbers of accounts to farm promotional benefits, some apps identify a unique device by its device ID and allow each phone to take part in a promotion only once. By modifying the device ID through a hook, an attacker can pose as other phones without changing phones and claim the benefit many times. With the hook detection method of this application, the hooking of the device ID function and the tampering of the device ID can be detected in time, and once the real device ID has been restored the operation can be blocked promptly. For instance, if a user logs in to an app with some account to claim a promotional benefit repeatedly, the detection device, having recognised that the device ID was tampered with and obtained the real device ID, can return both the real device ID and the login account to the server and compare them with existing data (device IDs, login accounts, and so on), thereby identifying which accounts actually run on the same device (for example, devices with the same device ID are the same device). The promotional benefits claimed by these accounts can then be cancelled, their withdrawal requests sent for manual review, or the accounts banned, so as to control the operation of the device.
As a further example, consider the scenario of hooking other environment information. Many app risk-control rules now take the environment in which the app is running into account. For example, a normal user does not run the app in an Android emulator on a terminal; emulator users are usually malicious, so running the app in an emulator environment is prohibited. Because the system explicitly indicates whether it is a real terminal or an emulator, a malicious user may hook the system information; or, because the Wi-Fi information seen on a normal terminal differs from that seen in an emulator, the user may hook the Wi-Fi information. Through such tampering the app's running environment can be falsified as an emulator, making it difficult to distinguish a normal user from a possibly malicious one. With the hook detection method of this application, tampering of the running environment can be detected in time and the real running environment restored promptly, so that the operation can be discovered and blocked in time, for example by preventing the app from running or blocking all access requests from the app.
Further optionally, the detection device may also send the hooked function and the real original function to a server, or send the return value of the original function and the return value of the target function tampered by the hook to the server, to help business risk-control staff detect device risk. Further, the detection device or the server may store the information of the hooked function (or its return value) and the original function (or its return value) in association, so that the hooked function can later be located quickly and the correct original function retrieved quickly through that association, improving the efficiency of function restoration.
In the embodiment of this application, the detection device can obtain the current device information of the target terminal and perform hook detection on the functions in the preset function list corresponding to that device information, instead of on every function in the target terminal, which improves the efficiency of hook detection and saves device overhead. It then obtains the flag value of each of these functions to determine from it whether the function is hooked and, when the function is determined to be hooked, quickly determines and restores the real original function by obtaining the function pointer corresponding to the function. This helps avoid false positives for hook behaviour, improves the accuracy of hook detection, and improves terminal security by restoring the real function.
Refer to FIG. 3, which is a schematic flowchart of yet another function hook detection method provided by an embodiment of this application. Specifically, as shown in FIG. 3, the function hook detection method may include the following steps:
301. Establish a function detection model from the functions hooked under different device information in the statistical historical data.
Optionally, the device information may include one or more of device model, brand, system version and risk-control scenario information.
Specifically, the detection device may collect the hooked functions from historical records in advance and group them according to the device information of the terminal each hooked function belongs to, to determine the function group corresponding to each kind of device information. The function detection model can then be trained with the different device information as input and the functions in the corresponding function group as output. By analysing, through big data, which functions are easily hooked on terminals of different models, brands, systems and risk-control scenarios, a function detection model is established, so that the target functions requiring hook detection can later be obtained by feeding device information into the model.
302. Obtain the current device information of the target terminal and input it into the function detection model to obtain the target functions requiring hook detection.
Once the function detection model has been established, when hook detection is required on a terminal, its current device information, such as its model, brand, current system version and current risk-control scenario information, can be obtained and fed into the function detection model to obtain the target functions on that terminal. This improves the efficiency of hook detection, makes it better targeted, and saves device overhead.
Optionally, in different detection scenarios, for example when the target terminal runs different types of apps, the detection device can obtain different device information according to the detection scenario and obtain the target functions corresponding to that device information from the function detection model above, further improving the efficiency and reliability of hook detection.
For example, when the target terminal is detected running an app that requires risk control, the detection device can obtain the terminal's current risk-control scenario information and feed it into the function detection model to obtain the target functions corresponding to that scenario information for hook detection. Apps requiring risk control can be marked in advance, for example by presetting an application list of all apps requiring risk control and checking whether the running app is in that list. Further, the current risk-control scenario information may be information about the risk-control scenarios within that app.
As another example, when the target terminal is detected running a ride-hailing app, the detection device can obtain the terminal's model and system version and feed the model and current system version into the function detection model to obtain the target functions corresponding to that model and system version for hook detection.
303. Obtain the flag value of the target function.
304. Determine from the flag value whether the target function is hooked.
305. When the target function is determined to be hooked, obtain the target function pointer corresponding to the target function from the target function's memory.
306. Determine, from the pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and replace the target function with the original function.
307. Determine the target risk level of the target terminal, determine the control strategy corresponding to that target risk level according to the preset correspondence between risk levels and control strategies, and control the operation of the target terminal according to the determined control strategy.
Specifically, for steps 304-307 refer to the description of steps 204-207 in the embodiment shown in FIG. 2 above; it is not repeated here.
In the embodiment of this application, the detection device can establish a function detection model from the statistics of hooked functions corresponding to different device information in historical data; when performing hook detection it then obtains the current device information of the target terminal, feeds it into the function detection model, and performs hook detection only on the target functions the model outputs, instead of on every function in the target terminal, which improves the efficiency of hook detection and saves device overhead. It then obtains the flag value of each of these functions to determine from it whether the function is hooked and, when the function is determined to be hooked, quickly determines and restores the real original function by obtaining the function pointer corresponding to the function. This helps avoid false positives for hook behaviour, improves the accuracy of hook detection, and improves terminal security by restoring the real function.
The above method embodiments are all illustrations of the function hook detection method of this application. The description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, refer to the related description of the other embodiments.
Refer to FIG. 4, which is a schematic structural diagram of a detection device provided by an embodiment of this application. The detection device of this embodiment includes units for performing the function hook detection method described above. Specifically, the detection device 400 of this embodiment may include an obtaining unit 401 and a processing unit 402, where:
the obtaining unit 401 is configured to obtain the flag value of a target function in the target terminal, the flag value being used to mark the state of the target function;
the processing unit 402 is configured to determine from the flag value whether the target function is hooked;
the obtaining unit 401 is further configured to obtain, when the target function is determined to be hooked, the target function pointer corresponding to the target function from the target function's memory;
the processing unit 402 is further configured to determine, from the pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and to replace the target function with the original function.
Optionally, the obtaining unit 401 may obtain the flag value of the target function in the target terminal only after detecting that an Xposed plug-in is installed on the target terminal; this is not elaborated here.
Optionally, the obtaining unit 401 is further configured to obtain the current device information of the target terminal, the current device information including one or more of the target terminal's model, system version and risk-control scenario information;
the processing unit 402 is further configured to determine, from the preset correspondence between different device information and function lists, the function list corresponding to the current device information, and to take the functions in that function list as the target functions.
Each function list may include the functions whose hook frequency under the corresponding device information exceeds a preset frequency threshold and/or whose hook count exceeds a preset count threshold.
Optionally, the detection device further includes a model establishing unit 403;
the model establishing unit 403 is configured to establish a function detection model from the functions hooked under different device information in the statistical historical data, the device information including one or more of device model, system version and risk-control scenario information;
the obtaining unit 401 is further configured to obtain the current device information of the target terminal and input it into the function detection model to obtain the target functions.
Optionally, the processing unit 402 is specifically configured to compare the character at a preset position in the flag value with a preset fixed character, the number of characters at the preset position being equal to the number of characters of the fixed character, and to determine that the target function is hooked when the comparison shows that the character at the preset position differs from the fixed character.
Optionally, the processing unit 402 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, the logical algorithm being determined from a preset string and the jump address used when a native function in the system executes, and to determine that the target function is hooked when the operation result value is a positive integer.
Optionally, the processing unit 402 is further configured to obtain, through the original function, the device information corresponding to the original function and determine the priority of that device information; to determine, from that priority, the target risk level of the target function being hooked; and to determine the control strategy corresponding to the target risk level according to the preset correspondence between risk levels and control strategies and control the operation of the target terminal according to the determined control strategy.
Optionally, the processing unit 402 is further configured to count the number of functions of the target terminal hooked within a preset time range and determine the target risk level of the target terminal from that number; and to determine the control strategy corresponding to the target risk level according to the preset correspondence between risk levels and control strategies and control the operation of the target terminal according to the determined control strategy.
Specifically, the detection device can implement, through the above units, some or all of the steps of the function hook detection methods in the embodiments shown in FIG. 1 to FIG. 3. It should be understood that this embodiment is the device embodiment corresponding to the method embodiments, and the description of the method embodiments also applies to it.
Refer to FIG. 5, which is a schematic structural diagram of another detection device provided by an embodiment of this application. This detection device is used to perform the methods described above. As shown in FIG. 5, the detection device 500 of this embodiment may include one or more processors 501 and a memory 502. Optionally, it may further include one or more user interfaces 503 and/or one or more communication interfaces 504. The processor 501, user interface 503, communication interface 504 and memory 502 may be connected by a bus 505 or in other ways; FIG. 5 takes the bus as an example. The memory 502 is configured to store a computer program comprising program instructions, and the processor 501 is configured to execute the program instructions stored in the memory 502.
The processor 501 may be configured to call the program instructions to perform the following steps: when an Xposed plug-in is detected to be installed on the target terminal, obtain the flag value of a target function in the target terminal, the flag value being used to mark the state of the target function; determine from the flag value whether the target function is hooked; when the target function is determined to be hooked, obtain the target function pointer corresponding to the target function from the target function's memory; and determine, from the pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer and replace the target function with the original function.
Optionally, the processor 501 may further call the program instructions to perform the following steps: obtain the current device information of the target terminal, the current device information including one or more of the target terminal's model, system version and risk-control scenario information; determine, from the preset correspondence between different device information and function lists, the function list corresponding to the current device information, where each function list includes the functions whose hook frequency under the corresponding device information exceeds a preset frequency threshold and/or whose hook count exceeds a preset count threshold; and take the functions in that function list as the target functions.
可选的,处理器501还可调用所述程序指令执行以下步骤:根据统计的历史数据中不同设备信息下被hook的函数,建立函数检测模型,所述设备信息包括设备型号、系统版本、风控场景信息中的一项或多项;获取所述目标终端的当前设备信息,并将所述当前设备信息输入所述函数检测模型,以得到所述目标函数。Optionally, the processor 501 may also call the program instructions to perform the following steps: According to a function that is hooked under different device information in the statistical historical data, a function detection model is established. The device information includes a device model, a system version, a Control one or more of the scene information; acquire current device information of the target terminal, and input the current device information into the function detection model to obtain the target function.
可选的,处理器501在调用所述程序指令执行所述根据所述flag值确定所述目标函数是否被hook时,具体执行以下步骤:将所述flag值中的预设位置处的字符与预设的固定字符进行比较,所述预设位置处的字符的字符数与所述固定字符的字符数相同;当比较得到所述预设位置处的字符与所述固定字符不同时,确定所述目标函数被hook。Optionally, when the processor 501 calls the program instruction to execute the determination of whether the objective function is hooked according to the flag value, the processor 501 specifically executes the following steps: the character at a preset position in the flag value and The preset fixed characters are compared, and the number of characters of the character at the preset position is the same as the number of characters of the fixed character; when the comparison obtains that the character at the preset position is different from the fixed character, the determined The objective function is hooked.
可选的,处理器501在调用所述程序指令执行所述根据所述flag值确定所 述目标函数是否被hook时,具体执行以下步骤:按照预设的逻辑算法对所述flag值进行逻辑运算,以得到运算结果值,其中,所述逻辑算法是根据预设字符串和系统中的原生函数执行时的跳转地址确定的;当所述运算结果值为正整数时,确定所述目标函数被hook。Optionally, when the processor 501 invokes the program instruction to execute the determining whether the objective function is hooked according to the flag value, the processor 501 specifically performs the following steps: performing a logical operation on the flag value according to a preset logic algorithm To obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in the system is executed; when the operation result value is a positive integer, the objective function is determined Was hooked.
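The two flag-based checks above (character comparison at a preset position, and a logical operation whose positive result means "hooked") together with the pointer-to-original-function restore step are illustrated by the following added example. It is not the patent's own code: it simulates a method table in which a hooking framework sets a "native" marker bit in the flag value and redirects the entry pointer, and the constants NATIVE_FLAG, NATIVE_JUMP_ADDR, the hex rendering of the flag, the method names and the addresses are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed model (not the patent's code): a hooking framework marks the
# hooked method's flag value with a "native" bit and redirects its entry
# pointer to a trampoline.  Both constants are assumptions for this example.
NATIVE_FLAG = 0x0100        # assumed bit that marks a function as native
NATIVE_JUMP_ADDR = 0x4000   # assumed jump address used by genuine native functions


@dataclass
class MethodRecord:
    name: str
    addr: int          # address of the function's descriptor (its "function pointer")
    access_flags: int  # the flag value that marks the function's state
    entry_point: int   # address that calls to the function currently jump to


def flag_string(flags: int) -> str:
    """Render the flag value as a fixed-width hex string so that a preset
    character position has a stable meaning."""
    return f"{flags:08x}"


def hooked_by_char_compare(flags: int, position: int, fixed_chars: str) -> bool:
    """Character-comparison variant: the characters at a preset position of the
    flag value are compared with preset fixed characters of the same length;
    a mismatch means hooked."""
    window = flag_string(flags)[position:position + len(fixed_chars)]
    if len(window) != len(fixed_chars):
        raise ValueError("preset position lies outside the flag value")
    return window != fixed_chars


def hooked_by_logic(record: MethodRecord) -> int:
    """Logical-operation variant: the result is a positive integer exactly when
    the function is hooked.  The operation used here (assumed) masks the native
    bit and cancels it when the entry point is the genuine native jump address,
    so real native functions yield 0 instead of a false positive."""
    marker = record.access_flags & NATIVE_FLAG
    redirected = 1 if record.entry_point != NATIVE_JUMP_ADDR else 0
    return marker * redirected


class HookDetector:
    """Keeps the pre-stored correspondence between function pointers and the
    original functions, and uses it to restore a hooked function."""

    def __init__(self, snapshot: Dict[int, Tuple[int, int]]):
        self.originals = snapshot  # addr -> (original flags, original entry point)

    @staticmethod
    def snapshot(methods: Iterable[MethodRecord]) -> Dict[int, Tuple[int, int]]:
        """Record each function's flags and entry point before any hook is installed."""
        return {m.addr: (m.access_flags, m.entry_point) for m in methods}

    def check_and_restore(self, target: MethodRecord) -> str:
        """Return 'clean', 'restored', or 'hooked-unknown' (hooked, but no original on record)."""
        if hooked_by_logic(target) <= 0:
            return "clean"
        original = self.originals.get(target.addr)
        if original is None:
            return "hooked-unknown"  # report it; there is nothing trustworthy to write back
        target.access_flags, target.entry_point = original
        return "restored"


def demo() -> Dict[str, str]:
    """Constructed method table: one clean, one genuinely native, one that gets hooked."""
    clean = MethodRecord("checkLicense", 0x1000, 0x0001, 0x7000)
    native = MethodRecord("nativeInit", 0x1010, 0x0101, NATIVE_JUMP_ADDR)
    victim = MethodRecord("isRooted", 0x1020, 0x0001, 0x7100)
    detector = HookDetector(HookDetector.snapshot([clean, native, victim]))
    # simulate the hook: native bit set, entry point redirected to a trampoline
    victim.access_flags |= NATIVE_FLAG
    victim.entry_point = 0x9000
    return {m.name: detector.check_and_restore(m) for m in (clean, native, victim)}


if __name__ == "__main__":
    print(demo())
```

The character comparison alone flags `nativeInit` as hooked because its flag value carries the native bit legitimately; the logical-operation variant, which also consults the native jump address, does not, which is why the example keys the restore step on the latter. The snapshot must be taken before any hook can be installed, or the "original" it stores is already the hook.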
Optionally, after the processor 501 calls the program instructions to replace the target function with the original function, it may further perform the following steps: obtain from the original function the device information corresponding to the original function, and determine the priority of that device information; determine from the priority of the device information the target risk level of the target function being hooked; determine, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level; and control the operation of the target terminal according to the determined control strategy.
Optionally, the processor 501 may also call the program instructions to perform the following steps: count the number of functions of the target terminal hooked within a preset time range, and determine the target risk level of the target terminal from that number; determine, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level; and control the operation of the target terminal according to the determined control strategy.
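The device-information-driven selection of target functions (frequency and count thresholds over historical hook data), the priority-based and count-in-time-window risk levels, and the mapping from risk level to control strategy are worked through in the following added example. It is not the patent's or the applicant's code: the historical observations, the scenario priorities, the risk bands and the strategy names are constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceInfo:
    model: str
    system_version: str
    scenario: str  # risk control scenario, e.g. "login" or "payment"


PHONE_A = DeviceInfo("PhoneA", "8.1", "login")
PHONE_B = DeviceInfo("PhoneB", "9", "payment")

# Constructed historical observations (device info, function, was it hooked?); not real telemetry.
HISTORY: List[Tuple[DeviceInfo, str, bool]] = (
    [(PHONE_A, "isRooted", True)] * 3 + [(PHONE_A, "isRooted", False)]
    + [(PHONE_A, "getDeviceId", True)] + [(PHONE_A, "getDeviceId", False)] * 3
    + [(PHONE_A, "checkLicense", True)] * 2
    + [(PHONE_B, "getDeviceId", True)] * 3 + [(PHONE_B, "isRooted", False)] * 2
)


def build_function_lists(history: List[Tuple[DeviceInfo, str, bool]],
                         freq_threshold: float, count_threshold: int) -> Dict[DeviceInfo, List[str]]:
    """Per device info, keep the functions hooked at a frequency greater than
    freq_threshold and/or hooked more than count_threshold times."""
    observed: Dict[DeviceInfo, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    hooked: Dict[DeviceInfo, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for info, fn, was_hooked in history:
        observed[info][fn] += 1
        if was_hooked:
            hooked[info][fn] += 1
    lists: Dict[DeviceInfo, List[str]] = {}
    for info, fns in observed.items():
        selected = [fn for fn, n in fns.items()
                    if hooked[info][fn] / n > freq_threshold or hooked[info][fn] > count_threshold]
        lists[info] = sorted(selected)
    return lists


def select_targets(current: DeviceInfo, lists: Dict[DeviceInfo, List[str]]) -> List[str]:
    """Functions to check on this terminal; an unseen device profile yields no targets."""
    return lists.get(current, [])


# Assumed scenario priorities and risk bands; a deployment would tune these.
SCENARIO_PRIORITY = {"payment": 3, "login": 2}
STRATEGIES = {"low": "allow", "medium": "step-up-verification", "high": "block-and-report"}


def risk_level_from_priority(info: DeviceInfo) -> str:
    """Risk level from the priority of the device information tied to the restored function."""
    priority = SCENARIO_PRIORITY.get(info.scenario, 1)
    return "high" if priority >= 3 else "medium" if priority == 2 else "low"


def count_hooked_in_window(events: List[Tuple[float, str]], now: float, window: float) -> int:
    """Number of hooked-function events with a timestamp inside [now - window, now]."""
    return sum(1 for ts, _ in events if now - window <= ts <= now)


def risk_level_from_count(n: int) -> str:
    return "low" if n == 0 else "medium" if n <= 2 else "high"


def control_strategy(level: str) -> str:
    return STRATEGIES[level]


def demo() -> Dict[str, object]:
    lists = build_function_lists(HISTORY, freq_threshold=0.8, count_threshold=2)
    # constructed detection events: (timestamp in seconds, function) for one terminal
    events = [(100.0, "isRooted"), (150.0, "getDeviceId"), (190.0, "checkLicense"), (400.0, "isRooted")]
    recent = count_hooked_in_window(events, now=500.0, window=120.0)
    return {
        "targets_a": select_targets(PHONE_A, lists),
        "targets_b": select_targets(PHONE_B, lists),
        "recent_count": recent,
        "strategy_by_count": control_strategy(risk_level_from_count(recent)),
        "strategy_by_priority": control_strategy(risk_level_from_priority(PHONE_B)),
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed history, `isRooted` on PhoneA enters the list through the count threshold (hooked 3 times at a frequency of 0.75, below the 0.8 frequency threshold) while `checkLicense` enters through the frequency threshold, showing why the two criteria are combined with "and/or". Both threshold values and the time window are tuning knobs: a short window keeps a single stale hook from escalating a terminal, a long one catches slow repeated tampering.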
The processor 501 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The user interface 503 may include an input device and an output device; the input device may include a touch panel, a microphone and the like, and the output device may include a display (such as an LCD), a speaker and the like.
The communication interface 504 may include a receiver and a transmitter for communicating with other devices.
The memory 502 may include read-only memory and random access memory, and provides instructions and data to the processor 501. A part of the memory 502 may further include non-volatile random access memory. For example, the memory 502 may also store the correspondence between function pointers and functions described above.
In a specific implementation, the processor 501 and the other components described in this embodiment may execute the implementations described in the method embodiments shown in FIG. 1 to FIG. 3, and may also execute the implementations of the units described in FIG. 4; these are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program. When the computer program is executed by a processor, it implements some or all of the steps of the function hook detection method described in the embodiments corresponding to FIG. 1 to FIG. 3, and may also implement the functions of the detection device of the embodiments shown in FIG. 4 or FIG. 5; these are not repeated here.
An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to execute some or all of the steps of the above method.
The computer-readable storage medium may be an internal storage unit of the detection device of any of the foregoing embodiments, such as a hard disk or memory of the detection device. The computer-readable storage medium may also be an external storage device of the detection device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the detection device.
In the present application, the term "and/or" merely describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that A exists alone, that A and B exist together, or that B exists alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
In the various embodiments of the present application, the sequence numbers of the above processes do not imply an order of execution. The order in which the processes are executed should be determined by their function and internal logic, and does not limit the implementation of the embodiments of the present application.
The above is only a part of the implementations of the present application, and the scope of protection of the present application is not limited to them. Any modification or replacement that a person skilled in the art could readily conceive within the technical scope disclosed in the present application is covered by the scope of protection of the present application.

Claims (20)

  1. A function hook detection method, characterized in that it comprises:
    when it is detected that an Xposed plug-in is installed on a target terminal, obtaining a flag value of a target function in the target terminal, the flag value being used to mark the state of the target function;
    determining from the flag value whether the target function is hooked;
    when the target function is determined to be hooked, obtaining a target function pointer corresponding to the target function from the memory of the target function;
    determining, from a pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and replacing the target function with the original function.
  2. The method according to claim 1, characterized in that the method further comprises:
    obtaining current device information of the target terminal, the current device information comprising one or more of the model, the system version and the risk control scenario information of the target terminal;
    determining, from a preset correspondence between device information and function lists, the function list corresponding to the current device information, where each function list comprises the functions that, under the corresponding device information, are hooked at a frequency greater than a preset frequency threshold and/or hooked a number of times greater than a preset count threshold;
    taking the functions in the function list corresponding to the current device information as the target functions.
  3. The method according to claim 1, characterized in that the method further comprises:
    building a function detection model from the functions hooked under different device information in collected historical data, the device information comprising one or more of the device model, the system version and the risk control scenario information;
    obtaining the current device information of the target terminal, and inputting the current device information into the function detection model to obtain the target function.
  4. The method according to any one of claims 1 to 3, characterized in that determining from the flag value whether the target function is hooked comprises:
    comparing the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position having the same number of characters as the fixed characters;
    when the comparison finds that the characters at the preset position differ from the fixed characters, determining that the target function is hooked.
  5. The method according to any one of claims 1 to 3, characterized in that determining from the flag value whether the target function is hooked comprises:
    performing a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, the logic algorithm being determined from a preset string and the jump address taken when a native function of the system executes;
    when the operation result value is a positive integer, determining that the target function is hooked.
  6. The method according to claim 1, characterized in that, after replacing the target function with the original function, the method further comprises:
    obtaining from the original function the device information corresponding to the original function, and determining the priority of the device information;
    determining from the priority of the device information the target risk level of the target function being hooked;
    determining, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level, and controlling the operation of the target terminal according to the determined control strategy.
  7. The method according to claim 1, characterized in that the method further comprises:
    counting the number of functions of the target terminal hooked within a preset time range, and determining a target risk level of the target terminal from that number;
    determining, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level, and controlling the operation of the target terminal according to the determined control strategy.
  8. A detection device, characterized in that it comprises an acquisition unit and a processing unit;
    the acquisition unit is configured to obtain a flag value of a target function in a target terminal, the flag value being used to mark the state of the target function;
    the processing unit is configured to determine from the flag value whether the target function is hooked;
    the acquisition unit is further configured, when the target function is determined to be hooked, to obtain a target function pointer corresponding to the target function from the memory of the target function;
    the processing unit is further configured to determine, from a pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and to replace the target function with the original function.
  9. The detection device according to claim 8, characterized in that:
    the acquisition unit is further configured to obtain current device information of the target terminal, the current device information comprising one or more of the model, the system version and the risk control scenario information of the target terminal;
    the processing unit is further configured to determine, from a preset correspondence between device information and function lists, the function list corresponding to the current device information, and to take the functions in the function list corresponding to the current device information as the target functions;
    where each function list comprises the functions that, under the corresponding device information, are hooked at a frequency greater than a preset frequency threshold and/or hooked a number of times greater than a preset count threshold.
  10. The detection device according to claim 8, characterized in that the detection device further comprises a model building unit;
    the model building unit is configured to build a function detection model from the functions hooked under different device information in collected historical data, the device information comprising one or more of the device model, the system version and the risk control scenario information;
    the acquisition unit is further configured to obtain the current device information of the target terminal and to input the current device information into the function detection model to obtain the target function.
  11. The detection device according to any one of claims 8 to 10, characterized in that:
    the processing unit is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position having the same number of characters as the fixed characters, and, when the comparison finds that the characters at the preset position differ from the fixed characters, to determine that the target function is hooked.
  12. The detection device according to any one of claims 8 to 10, characterized in that:
    the processing unit is specifically configured to perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, the logic algorithm being determined from a preset string and the jump address taken when a native function of the system executes, and, when the operation result value is a positive integer, to determine that the target function is hooked.
  13. The detection device according to claim 8, characterized in that:
    the processing unit is further configured to obtain from the original function the device information corresponding to the original function and to determine the priority of the device information; to determine from the priority of the device information the target risk level of the target function being hooked; and to determine, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level and control the operation of the target terminal according to the determined control strategy.
  14. The detection device according to claim 8, characterized in that:
    the processing unit is further configured to count the number of functions of the target terminal hooked within a preset time range and to determine a target risk level of the target terminal from that number; and to determine, from a preset correspondence between risk levels and control strategies, the control strategy corresponding to the target risk level and control the operation of the target terminal according to the determined control strategy.
  15. A detection device, characterized in that it comprises a processor and a memory connected to each other, where the memory is configured to store a computer program comprising program instructions, and the processor is configured to call the program instructions to perform the following steps:
    when it is detected that an Xposed plug-in is installed on a target terminal, obtaining a flag value of a target function in the target terminal, the flag value being used to mark the state of the target function; determining from the flag value whether the target function is hooked; when the target function is determined to be hooked, obtaining a target function pointer corresponding to the target function from the memory of the target function; determining, from a pre-stored correspondence between function pointers and functions, the original function corresponding to the target function pointer, and replacing the target function with the original function.
  16. The detection device according to claim 15, characterized in that the processor further calls the program instructions to perform the following steps:
    obtaining current device information of the target terminal, the current device information comprising one or more of the model, the system version and the risk control scenario information of the target terminal; determining, from a preset correspondence between device information and function lists, the function list corresponding to the current device information, where each function list comprises the functions that, under the corresponding device information, are hooked at a frequency greater than a preset frequency threshold and/or hooked a number of times greater than a preset count threshold; taking the functions in the function list corresponding to the current device information as the target functions.
  17. The detection device according to claim 15, characterized in that the processor further calls the program instructions to perform the following steps:
    building a function detection model from the functions hooked under different device information in collected historical data, the device information comprising one or more of the device model, the system version and the risk control scenario information; obtaining the current device information of the target terminal, and inputting the current device information into the function detection model to obtain the target function.
  18. The detection device according to any one of claims 15 to 17, characterized in that, when the processor calls the program instructions to determine from the flag value whether the target function is hooked, it specifically performs the following steps:
    comparing the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position having the same number of characters as the fixed characters; when the comparison finds that the characters at the preset position differ from the fixed characters, determining that the target function is hooked.
  19. The detection device according to any one of claims 15 to 17, characterized in that, when the processor calls the program instructions to determine from the flag value whether the target function is hooked, it specifically performs the following steps:
    performing a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, the logic algorithm being determined from a preset string and the jump address taken when a native function of the system executes; when the operation result value is a positive integer, determining that the target function is hooked.
  20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
PCT/CN2018/107745 2018-07-27 2018-09-26 Function hook detection method, function hook detection device, and computer-readable medium WO2020019482A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810841834.3 2018-07-27
CN201810841834.3A CN109145590B (en) 2018-07-27 2018-07-27 Function hook detection method, detection equipment and computer readable medium

Publications (1)

Publication Number Publication Date
WO2020019482A1 true WO2020019482A1 (en) 2020-01-30

Family

ID=64799067

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/107745 WO2020019482A1 (en) 2018-07-27 2018-09-26 Function hook detection method, function hook detection device, and computer-readable medium

Country Status (2)

Country Link
CN (1) CN109145590B (en)
WO (1) WO2020019482A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110532774A (en) * 2019-07-24 2019-12-03 阿里巴巴集团控股有限公司 Hook inspection method, device, server and readable storage medium storing program for executing
CN111309410B (en) * 2020-03-17 2023-06-30 北京奇艺世纪科技有限公司 Program object determining method and device
CN113918935B (en) * 2021-12-15 2022-04-01 飞天诚信科技股份有限公司 Method and device for processing function when being hook

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050203904A1 (en) * 2004-03-11 2005-09-15 International Business Machines Corporation System and method for measuring latch contention
CN101620658A (en) * 2009-07-14 2010-01-06 北京大学 Hook detecting method under Windows operation system
CN106096391A (en) * 2016-06-02 2016-11-09 北京金山安全软件有限公司 Process control method and user terminal
CN106325927A (en) * 2016-08-19 2017-01-11 北京金山安全管理系统技术有限公司 Interception method and device applied to dynamic library API (Application Program Interface) in Linux system
CN107808096A (en) * 2017-11-23 2018-03-16 厦门安胜网络科技有限公司 Method, terminal device and the storage medium of malicious code are injected into during detection APK operations

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
CN106502876B (en) * 2016-10-26 2020-01-10 腾讯科技(深圳)有限公司 Method for determining hotspot function and related equipment
CN106997313B (en) * 2017-03-28 2022-04-05 腾讯科技(深圳)有限公司 Signal processing method and system of application program and terminal equipment
CN107102944B (en) * 2017-04-07 2020-01-24 北京深思数盾科技股份有限公司 Analysis method and device for calling function

Non-Patent Citations (1)

Title
"Detection of Xposed Hook behavior", XPOSED HOOK, 18 January 2017 (2017-01-18), XP055681880, Retrieved from the Internet <URL:https://goodoak.github.io/2017/01/18/xposed-detect> *

Cited By (4)

Publication number Priority date Publication date Assignee Title
CN112434301A (en) * 2020-11-24 2021-03-02 平安普惠企业管理有限公司 Risk assessment method and device
CN112925693A (en) * 2021-02-25 2021-06-08 平安普惠企业管理有限公司 System monitoring method and device, computer equipment and storage medium
CN112925693B (en) * 2021-02-25 2023-11-03 新疆北斗同创信息科技有限公司 System monitoring method, device, computer equipment and storage medium
CN113238946A (en) * 2021-05-18 2021-08-10 北京达佳互联信息技术有限公司 Method and device for detecting hook frame and electronic equipment

Also Published As

Publication number Publication date
CN109145590A (en) 2019-01-04
CN109145590B (en) 2023-04-07

Similar Documents

Publication Publication Date Title
WO2020019482A1 (en) Function hook detection method, function hook detection device, and computer-readable medium
WO2020019484A1 (en) Simulator recognition method, recognition device, and computer readable medium
CN109492378A (en) A kind of auth method based on EIC equipment identification code, server and medium
WO2020019483A1 (en) Emulator identification method, identification device, and computer readable medium
CN109561085B (en) Identity verification method based on equipment identification code, server and medium
WO2020019485A1 (en) Simulator identification method, identification device, and computer readable medium
CN110417778B (en) Access request processing method and device
CN108335237B (en) Scheme setting method, terminal and computer readable storage medium
CN105357204B (en) Method and device for generating terminal identification information
CN103077344A (en) Terminal and method for providing risk of application using the same
US8917939B2 (en) Verifying vendor identification and organization affiliation of an individual arriving at a threshold location
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
US20210042150A1 (en) Method-call-chain tracking method, electronic device, and computer readable storage medium
CN113489713A (en) Network attack detection method, device, equipment and storage medium
KR20110128632A (en) Method and device for detecting malicious action of application program for smartphone
CN109815697B (en) Method and device for processing false alarm behavior
CN106155746B (en) A kind of installation file processing method and processing device, server
CN111464513A (en) Data detection method, device, server and storage medium
WO2016202108A1 (en) Nfc payment method, nfc payment system and mobile terminal
CN112000853A (en) Method, medium, client and server for generating/feeding back unique identifier of equipment
CN111597553A (en) Process processing method, device, equipment and storage medium in virus searching and killing
CN110633074A (en) Use control method and device of software development kit
CN104573495B (en) A kind for the treatment of method and apparatus of startup item
US7778660B2 (en) Mobile communications terminal, information transmitting system and information receiving method
US9449158B2 (en) Expiration time authentication system, expiration time authentication device, and expiration time authentication method for applications

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 18927255
Country of ref document: EP
Kind code of ref document: A1

NENP Non-entry into the national phase
Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established
Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 11.05.2021)

122 Ep: pct application non-entry in european phase
Ref document number: 18927255
Country of ref document: EP
Kind code of ref document: A1