CN108734007A - Processing method and device for monitoring application programs - Google Patents
- Publication number: CN108734007A
- Application number: CN201710240393.7A
- Authority: CN (China)
- Prior art keywords: application program, behavior, sensitive, sensitive behavior, function parameter
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/3003—Monitoring arrangements specially adapted to the computing system or computing system component being monitored
- G06F11/302—Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
Description
Technical field
Embodiments of the present invention relate to the technical field of virtual machines, and in particular to a processing method and device for monitoring application programs.
Background
With the development of mobile communication technology, more and more application programs run on mobile terminals. Some viruses and Trojan horses spy on people's privacy through application programs, seriously affecting people's normal life. It is therefore particularly important to monitor application programs in order to identify whether an abnormally running application program is present on a mobile terminal.
Existing methods for monitoring application programs (taking the Android system as an example) include the following. The application program (Android Package, hereinafter APK) is decompiled, logcat logging statements are added at the call sites of sensitive application program interfaces (Application Program Interface, hereinafter API), and the APK is then repackaged and installed to run on a mobile terminal or in a virtual machine; abnormally running application programs are identified by monitoring the logcat output while the application program runs. However, this method only works for early application programs. Most current application programs are packed and hardened, or include anti-decompilation and anti-repackaging mechanisms, which make this method fail. Another existing method hooks the system's Java interfaces (a hook is in effect a program segment that handles messages and is attached to the system through a system call) to obtain the application program's runtime behavior in real time, but it can only monitor the application program's execution after the hook has been installed, and it cannot monitor sensitive operations at the NDK (Native Development Kit) layer.
Therefore, how to monitor the entire running process of an application program and comprehensively capture the sensitive operations it performs while running has become a problem in urgent need of a solution.
Summary of the invention
In view of the problems in the prior art, embodiments of the present invention provide a processing method and device for monitoring application programs.
In one aspect, an embodiment of the present invention provides a processing method for monitoring an application program, the method comprising:
while a virtual machine loaded with modified system source code runs the application program, extracting the function parameters for calling the application program;
monitoring the running process of the application program according to a pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime.
In another aspect, an embodiment of the present invention provides a processing device for monitoring an application program, the device comprising:
an extraction unit, configured to extract the function parameters for calling the application program while a virtual machine loaded with modified system source code runs the application program;
a monitoring unit, configured to monitor the running process of the application program according to a pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime.
The processing method for monitoring an application program provided by the embodiments of the present invention can monitor the entire running process of the application program and comprehensively capture the sensitive operations it performs while running.
Description of the drawings
In order to explain the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a processing method for monitoring an application program according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a processing device for monitoring an application program according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the physical structure of the device provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, but not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of a processing method for monitoring an application program according to an embodiment of the present invention. As shown in Fig. 1, the method includes the following steps:
S1: While a virtual machine loaded with modified system source code runs the application program, extract the function parameters for calling the application program.
Specifically, the device extracts the function parameters for calling the application program while a virtual machine loaded with modified system source code runs the application program. It should be noted that a virtual machine whose system source code has not been modified cannot extract the function parameters for calling the application program (Android Package, hereinafter APK). The function parameters may include the input values and the return value of the function, and different APKs correspond to different function parameters. In the architecture layers of the original system (the application layer, framework layer, runtime environment layer and kernel layer), for an APK that needs to be monitored, the corresponding locations in the architecture layers are designated as monitoring points and the modified system source code is written there. Because these architecture layers are associated with the NDK layer, sensitive behavior at the NDK layer can also be monitored. Unless otherwise specified, the application program in the embodiments of the present invention is the application program that needs to be monitored. Taking an application program that obtains the phone's application list as an example, the modification of the system source code is illustrated as follows:
Landroid/app/ApplicationPackageManager;
List<PackageInfo> getInstalledPackages(int flags); (obtains the phone's application list)
\android\frameworks\base\core\java\android\app\ApplicationPackageManager.java
Here, the first line is the monitoring point corresponding to the application program to be monitored, the second line is the function called by the application program to be monitored, and the third line is the path and file into which the modified system source code is written. As can be seen, "frameworks" in the path corresponds to the framework layer of the architecture layers. Different monitoring points require different monitoring code to be written at different paths in the original system source code. The monitoring points, called functions, and paths and files for the other application programs to be monitored are listed below and are not described further.
Application program that creates a new process:
Ljava/lang/ProcessBuilder;
start (creates a new process)
\libcore\luni\src\main\java\java\lang

Application program that initializes an Intent:
Landroid/content/Intent;
Intent (initializes an Intent)
\android\frameworks\base\core\java\android\content\Intent.java

Application program that calls an Intent's setAction:
Landroid/content/Intent;
setAction (calls the Intent's setAction)
\android\frameworks\base\core\java\android\content\Intent.java

Application program that adds a floating window:
Landroid/view/WindowManager;
LayoutParams (adds a floating window)
\android\frameworks\base\core\java\android\view\WindowManager.java

Application program that wakes up the lock screen:
Landroid/os/PowerManager;
wakeUp() (wakes up the lock screen)
\android\frameworks\base\core\java\android\os\PowerManager.java

Application program that detects whether the phone is in standby:
Landroid/app/KeyguardManager;
inKeyguardRestrictedInputMode() (detects whether the phone is in standby)
\android\frameworks\base\core\java\android\app\KeyguardManager.java

Application program that uses SSL secure communication:
Ljavax/net/ssl/SSLContext;
getInstance("TLS"); (uses SSL secure communication)
\android\libcore\luni\src\main\java\javax\net\ssl\SSLContext.java

Application program that obtains an encryption instance:
Ljavax/crypto/Cipher;
getInstance("DES"); (obtains an encryption instance)
\android\libcore\luni\src\main\java\javax\crypto\Cipher.java

Application program that calls a hash algorithm:
Ljava/security/MessageDigest;
getInstance("MD5") (calls a hash algorithm)
\android\libcore\luni\src\main\java\java\security\MessageDigest.java

Application program that looks up other files:
Ljava/io/File;
file.list() (looks up other files)
libcore/luni/src/main/java/java/io/File.java

Application program that dynamically registers a receiver:
Landroid/content/ContextWrapper;
registerReceiver(myReceiver, filter); (dynamically registers a receiver)
\android\frameworks\base\core\java\android\content\ContextWrapper.java

Application program that obtains FirstHeader, LastHeader and Headers:
Lorg/apache/http/message/AbstractHttpMessage;
getFirstHeader("Set-Cookie"); getLastHeader("Set-Cookie"); getHeaders("Set-Cookie"); (obtains cookies)
\external\apache-http\src\org\apache\http\message\AbstractHttpMessage.java

Application program that starts an Activity:
Landroid/app/Activity;
startActivity(Intent intent) (starts an Activity)
\android\frameworks\base\core\java\android\app\Activity.java

Application program subject to interface overlay detection:
Landroid/widget/Toast;
makeText (interface overlay detection)
\android\frameworks\base\core\java\android\widget\Toast.java
Before step S1, to ensure that the virtual machine starts normally after the system source code has been modified, the following debugging and run tests are required:
(1) Compile the modified system source code. After a successful build, the system image files userdata.img, system.img and ramdisk.img are generated in the /out/target/product/generi directory. Then compile the Android kernel source code; after a successful build, the kernel-qemu kernel image file is generated.
(2) Overwrite the files of the same name in the corresponding original system image directory of the Android Software Development Kit (hereinafter SDK). If the modified source code is system version 4.4.2, the corresponding API level is Android-19, so userdata.img, system.img, ramdisk.img and kernel-qemu in the android-sdk-linux/system-images/android-19/default/armeabi-v7a directory must be overwritten with the newly compiled image files.
(3) Run the AVD Manager tool and create and start an AVD emulator. If the virtual machine starts normally, the modified system source code is considered to have been installed into the virtual machine successfully. Otherwise, troubleshoot the problem, modify the system source code again, and repeat the above steps until the virtual machine starts normally.
S2: Monitor the running process of the application program according to the pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime.
Specifically, the device monitors the running process of the application program according to the pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime. It should be noted that the policy matching file may include sample features of sensitive behaviors. The sample features can be obtained through training on samples and reflect the inherent characteristics of sensitive behaviors. Sensitive behaviors may include sensitive behaviors of virtual machine detection and shielding, of network behavior, of file operations, of privacy behavior, of network applications, of system processes, and so on. A more detailed description is given in Table 1:
Table 1
The sensitive behavior monitoring function monitors calls to system APIs and records the corresponding call information. Analysis of known sensitive behaviors shows that they are mainly concentrated in background networking, database operations, sending messages in the background, stealing user privacy, and so on. Each of these behaviors is implemented through a corresponding API in the system, so when an APK calls that system API, the APK has triggered the sensitive behavior. Examples follow:
Network behavior monitoring:
There are many ways to connect to the network in the Android system, including sockets and URLs, and the APIs include HttpGet, HttpPost, etc. When an APK triggers a networking behavior, information such as the URL it connects to can be obtained.
SMS sending monitoring:
The APIs for sending SMS messages in the Android system mainly include sendText, sendDataMessage, etc. When an APK triggers the sending of an SMS message, the destination address and the content of the message can be obtained.
Database operation monitoring:
Some application data in the Android system is usually stored in local databases; contacts, call records and the like are all stored in database form. Databases in Android are operated mainly through APIs such as query, insert, delete and update in the ContentResolver class. When an APK operates on a database, the operation it performs and the name of the database can be obtained.
User privacy theft monitoring:
The user privacy obtained by a malicious APK mainly includes the user's mobile phone number, IMEI, location and similar information. The corresponding APIs in the Android system include getLine1Number, getDeviceId, etc. When an APK performs these sensitive behaviors, they are recorded accordingly.
The processing method for monitoring an application program provided by the embodiments of the present invention can monitor the entire running process of the application program and comprehensively capture the sensitive operations it performs while running.
On the basis of the above embodiment, monitoring the running process of the application program according to the pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime, includes:
Sending the function parameters to a log output module, where the log output module pre-stores the policy matching file and the policy matching file includes sensitive behavior sample features.
Specifically, the device sends the function parameters to the log output module, which pre-stores the policy matching file containing the sensitive behavior sample features. It should be noted that the log output module can store the function parameters it receives, and the comparison between the sample features and the parsed function parameters can be carried out in the log output module.
Parsing the function parameters in the log output module, and comparing the parsing result with the sensitive behavior sample features.
Specifically, the device parses the function parameters in the log output module and compares the parsing result with the sensitive behavior sample features. As an example of the parsing: all sensitive APIs called by the APK and their function parameters are recorded, together with the process UID to which each behavior belongs, which is used to determine which APK produced the behavior; all the log information is then obtained through logcat and the shell and parsed.
Obtaining the sensitive behavior of the application program at runtime according to the result of the comparison.
Specifically, the device obtains the sensitive behavior of the application program at runtime according to the result of the comparison. The parsing result is compared with the sensitive behavior sample features. If the sample features match the parsing result, the APK is considered to have produced sensitive behavior at runtime, for example sending SMS messages or obtaining the user's mobile phone number. If the sample features do not match the parsing result, the APK is considered not to have produced sensitive behavior at runtime.
By performing the feature comparison in the log output module, the processing method for monitoring an application program provided by the embodiments of the present invention monitors the entire running process of the application program more automatically and comprehensively captures the sensitive operations it performs while running.
On the basis of the above embodiment, after obtaining the sensitive behavior of the application program at runtime according to the result of the comparison, the method further includes:
Generating a single report that contains both the obtained sensitive behavior and the policy matching file.
Specifically, the device generates a single report that contains both the obtained sensitive behavior and the policy matching file. The report can be viewed online or downloaded for offline use, which makes it convenient to query and manage the sensitive behavior.
The processing method for monitoring an application program provided by the embodiments of the present invention generates one report containing both the sensitive behavior and the policy matching file, which makes it convenient to query and manage sensitive behavior.
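The parse-and-compare step and the combined report described above, sketched as an added example (not code from the patent). It assumes the monitoring points write one JSON record per call to logcat under a hypothetical ApiMonitor tag; the tag, record fields, policy entries, UID table and log lines are all constructed for illustration.

```python
import json
import re
from collections import defaultdict

MONITOR_TAG = "ApiMonitor"  # assumed logcat tag written by the monitoring points

# Constructed policy matching file: one entry per sensitive-behavior feature.
POLICY = [
    {"id": "privacy.app_list", "category": "privacy behavior",
     "class": "Landroid/app/ApplicationPackageManager;",
     "method": "getInstalledPackages"},
    {"id": "process.spawn", "category": "system process",
     "class": "Ljava/lang/ProcessBuilder;", "method": "start"},
    {"id": "network.cookie_read", "category": "network behavior",
     "class": "Lorg/apache/http/message/AbstractHttpMessage;",
     "method": "getFirstHeader", "arg_regex": r"(?i)^set-cookie$"},
]

# Constructed UID-to-package table; the UID ties each call to the APK that made it.
UID_TO_PACKAGE = {10057: "com.example.sample"}

# Constructed logcat lines (threadtime layout): input args and return value per call.
SAMPLE_LOG = [
    '04-13 10:15:02.123  1234  1250 I ApiMonitor: {"uid":10057,'
    '"class":"Landroid/app/ApplicationPackageManager;",'
    '"method":"getInstalledPackages","args":[0],"ret":"List<PackageInfo>[42]"}',
    '04-13 10:15:02.300  1234  1250 D dalvikvm: GC_CONCURRENT freed 1024K',
    '04-13 10:15:03.010  1234  1261 I ApiMonitor: {"uid":10057,'
    '"class":"Lorg/apache/http/message/AbstractHttpMessage;",'
    '"method":"getFirstHeader","args":["Set-Cookie"],"ret":"Set-Cookie: sid=x"}',
    '04-13 10:15:03.020  1234  1261 I ApiMonitor: {"uid":10057,'
    '"class":"Lorg/apache/http/message/AbstractHttpMessage;",'
    '"method":"getFirstHeader","args":["Content-Type"],"ret":"text/html"}',
    '04-13 10:15:04.500  2001  2001 I ApiMonitor: {"uid":10061,'
    '"class":"Ljava/lang/ProcessBuilder;","method":"start",'
    '"args":[["getprop"]],"ret":"Process[pid=2044]"}',
    '04-13 10:15:05.000  2001  2001 I ApiMonitor: {truncated',
]

LINE_RE = re.compile(
    r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF]) (?P<tag>[^:]+?)\s*: (?P<msg>.*)$"
)


def parse_line(line):
    """Return the monitor record in a logcat line, or None if unrelated/malformed."""
    m = LINE_RE.match(line)
    if not m or m.group("tag") != MONITOR_TAG:
        return None
    try:
        rec = json.loads(m.group("msg"))
    except ValueError:  # truncated or corrupted payload
        return None
    if not isinstance(rec, dict) or not isinstance(rec.get("uid"), int):
        return None
    if not isinstance(rec.get("class"), str) or not isinstance(rec.get("method"), str):
        return None
    if not isinstance(rec.get("args", []), list):
        return None
    rec.setdefault("args", [])
    rec.setdefault("ret", None)
    return rec


def rule_matches(rule, rec):
    """Compare one policy feature with a parsed call (class, method, optional args)."""
    if rule["class"] != rec["class"] or rule["method"] != rec["method"]:
        return False
    pattern = rule.get("arg_regex")
    if pattern is None:
        return True
    return any(re.search(pattern, str(arg)) for arg in rec["args"])


def analyze(lines, policy, uid_to_package):
    """Match every parsed record against the policy and group hits by APK."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        apk = uid_to_package.get(rec["uid"], "uid:%s" % rec["uid"])
        for rule in policy:
            if rule_matches(rule, rec):
                findings[apk].append({
                    "rule": rule["id"], "category": rule["category"],
                    "method": rec["method"], "args": rec["args"], "ret": rec["ret"],
                })
    # One report holds both the policy used and the behaviors it matched.
    return {"policy": policy, "findings": dict(findings)}


def build_report(lines, policy, uid_to_package):
    """Serialize the combined report for online viewing or offline download."""
    return json.dumps(analyze(lines, policy, uid_to_package), indent=2, sort_keys=True)


if __name__ == "__main__":
    print(build_report(SAMPLE_LOG, POLICY, UID_TO_PACKAGE))
```

Calls from a UID missing from the table are still reported under a uid: key rather than dropped, so behavior from an unexpected process stays visible in the report.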
On the basis of the above embodiment, the function parameters include the input values and the return value of the function.
Specifically, the function parameters in the device include the input values and the return value of the function. Refer to the above embodiment; details are not repeated here.
In the processing method for monitoring an application program provided by the embodiments of the present invention, the application program can be monitored by extracting the input values and the return value from the function parameters.
On the basis of the above embodiment, the sensitive behaviors include sensitive behaviors of virtual machine detection and shielding, of network behavior, of file operations, of privacy behavior, of network applications, and of system processes.
Specifically, the sensitive behaviors in the device include sensitive behaviors of virtual machine detection and shielding, of network behavior, of file operations, of privacy behavior, of network applications, and of system processes. Refer to the above embodiment; details are not repeated here.
The processing method for monitoring an application program provided by the embodiments of the present invention can determine more specific sensitive behaviors.
Fig. 2 is a schematic structural diagram of a processing device for monitoring an application program according to an embodiment of the present invention. As shown in Fig. 2, an embodiment of the present invention provides a processing device for monitoring an application program, including an extraction unit 1 and a monitoring unit 2, where:
The extraction unit 1 is configured to extract the function parameters for calling the application program while a virtual machine loaded with modified system source code runs the application program, and the monitoring unit 2 is configured to monitor the running process of the application program according to the pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime.
Specifically, the extraction unit 1 extracts the function parameters for calling the application program while a virtual machine loaded with modified system source code runs the application program, and sends the function parameters to the monitoring unit 2. The monitoring unit 2 monitors the running process of the application program according to the pre-stored policy matching file and the function parameters, so as to obtain the sensitive behavior of the application program at runtime.
The processing device for monitoring an application program provided by the embodiments of the present invention can monitor the entire running process of the application program and comprehensively capture the sensitive operations it performs while running.
On the basis of the above embodiment, the monitoring unit 2 is specifically configured to:
send the function parameters to a log output module, where the log output module pre-stores the policy matching file and the policy matching file includes sensitive behavior sample features; parse the function parameters in the log output module and compare the parsing result with the sensitive behavior sample features; and obtain the sensitive behavior of the application program at runtime according to the result of the comparison.
Specifically, the monitoring unit 2 is configured to: send the function parameters to the log output module, where the log output module pre-stores the policy matching file and the policy matching file includes sensitive behavior sample features; parse the function parameters in the log output module and compare the parsing result with the sensitive behavior sample features; and obtain the sensitive behavior of the application program at runtime according to the result of the comparison.
By performing the feature comparison in the log output module, the processing device for monitoring an application program provided by the embodiments of the present invention monitors the entire running process of the application program more automatically and comprehensively captures the sensitive operations it performs while running.
On the basis of the above embodiment, the monitoring unit 2 is further specifically configured to:
generate the obtained sensitive behaviors and the policy matching file in the same report.
Specifically, the monitoring unit 2 is further configured to generate the obtained sensitive behaviors and the policy matching file in the same report.
The processing device for monitoring an application program provided by this embodiment of the present invention generates a single report containing both the sensitive behaviors and the policy matching file, which makes the sensitive behaviors easier to query and manage.
On the basis of the above embodiment, the function parameters include the input values and the return value of the function.
Specifically, the function parameters in the monitoring unit 2 include the input values and the return value of the function.
With the processing method for monitoring an application program provided by this embodiment of the present invention, the application program can be monitored by extracting the input values and return values in the function parameters.
On the basis of the above embodiment, the sensitive behaviors include sensitive behaviors directed at virtual machine detection and shielding, sensitive network behaviors, sensitive file operations, sensitive privacy behaviors, sensitive network application behaviors, and sensitive system process behaviors.
Specifically, the sensitive behaviors in the monitoring unit 2 include sensitive behaviors directed at virtual machine detection and shielding, sensitive network behaviors, sensitive file operations, sensitive privacy behaviors, sensitive network application behaviors, and sensitive system process behaviors.
The processing method for monitoring an application program provided by this embodiment of the present invention can identify more specific sensitive behaviors.
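An added example, not code from the patent: a minimal matcher in the style of the log output module described above, which parses captured function parameters (input values and return values), compares them with sensitive behavior sample features from a policy matching file, and places the matches and the policy in one report. The JSON layouts, rule ids, patterns and the Android function names in the sample records are assumptions constructed for illustration.

```python
import json
import re

# Constructed policy matching file. The JSON layout, rule ids and patterns are
# assumptions of this example; the patent does not define a file format.
POLICY_TEXT = r"""[
 {"id": "P1", "category": "virtual machine detection", "function": "android.os.SystemProperties.get", "field": "input", "pattern": "ro\\.kernel\\.qemu"},
 {"id": "P2", "category": "privacy", "function": "android.telephony.TelephonyManager.getDeviceId", "field": "return", "pattern": "^\\d{15}$"},
 {"id": "P3", "category": "system process", "function": "java.lang.Runtime.exec", "field": "input", "pattern": "^su\\b"},
 {"id": "P4", "category": "network", "function": "java.net.URL.<init>", "field": "input", "pattern": "^http://"}
]"""

# Constructed hook records: one JSON object per call with its input values and
# return value. The last line is deliberately damaged.
HOOK_LOG = """
{"function": "android.os.SystemProperties.get", "input": ["ro.kernel.qemu"], "return": "1"}
{"function": "android.telephony.TelephonyManager.getDeviceId", "input": [], "return": "000000000000000"}
{"function": "java.lang.Runtime.exec", "input": ["ls /data"], "return": "Process[pid=4242]"}
{"function": "java.lang.Runtime.exec", "input": ["su -c id"], "return": null}
{"function": "java.net.URL.<init>", "input": ["http://exa
"""


def parse_record(line):
    """Parse one hook record; return None if it is not a usable record."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    if not isinstance(rec, dict) or not isinstance(rec.get("function"), str):
        return None
    inputs = rec.get("input")
    if not isinstance(inputs, list):
        inputs = [] if inputs is None else [inputs]
    ret = rec.get("return")
    return {"function": rec["function"],
            "input": [str(v) for v in inputs],
            "return": [] if ret is None else [str(ret)]}


def build_report(policy_text, log_text):
    """Compare parsed records with the policy; report hits and the policy together."""
    policy = json.loads(policy_text)
    compiled = [(rule, re.compile(rule["pattern"])) for rule in policy]
    behaviors, unparsed = [], 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_record(line)
        if rec is None:
            unparsed += 1  # surfaced in the report instead of silently dropped
            continue
        for rule, rx in compiled:
            if rule["function"] != rec["function"]:
                continue
            for value in rec[rule["field"]]:
                if rx.search(value):
                    behaviors.append({"rule": rule["id"], "category": rule["category"],
                                      "function": rec["function"], "matched_value": value})
                    break
    return {"policy": policy, "sensitive_behaviors": behaviors, "unparsed_records": unparsed}
```

The damaged last record is counted in `unparsed_records` rather than ignored, so a reviewer of the report can see that a call went unmatched because its record could not be parsed.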
The processing device for monitoring an application program provided by this embodiment of the present invention can be used to execute the processing flows of the method embodiments above. Its functions are not repeated here; refer to the detailed description of the method embodiments.
FIG. 3 is a schematic diagram of the physical structure of the device provided by an embodiment of the present invention. As shown in FIG. 3, the device includes a processor 301, a memory 302 and a bus 303;
where the processor 301 and the memory 302 communicate with each other through the bus 303;
The processor 301 is configured to call the program instructions in the memory 302 to execute the methods provided by the method embodiments above, for example including: extracting the function parameters for calling the application program while the application program runs in a virtual machine loaded with modified system source code; and monitoring the running process of the application program according to a pre-stored policy matching file and the function parameters, so as to obtain the sensitive behaviors of the application program at runtime.
This embodiment discloses a computer program product. The computer program product includes a computer program stored on a non-transitory computer-readable storage medium, and the computer program includes program instructions. When the program instructions are executed by a computer, the computer can execute the methods provided by the method embodiments above, for example including: extracting the function parameters for calling the application program while the application program runs in a virtual machine loaded with modified system source code; and monitoring the running process of the application program according to a pre-stored policy matching file and the function parameters, so as to obtain the sensitive behaviors of the application program at runtime.
This embodiment provides a non-transitory computer-readable storage medium that stores computer instructions. The computer instructions cause the computer to execute the methods provided by the method embodiments above, for example including: extracting the function parameters for calling the application program while the application program runs in a virtual machine loaded with modified system source code; and monitoring the running process of the application program according to a pre-stored policy matching file and the function parameters, so as to obtain the sensitive behaviors of the application program at runtime.
Those of ordinary skill in the art will understand that all or some of the steps of the method embodiments above can be carried out by hardware under the control of program instructions. The program can be stored in a computer-readable storage medium and, when executed, performs the steps of the method embodiments above. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media that can store program code.
The device embodiments described above are only illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.
From the description of the implementations above, those skilled in the art can clearly understand that each implementation can be realized by software plus a necessary general-purpose hardware platform, and of course also by hardware. Based on this understanding, the essence of the technical solution above, or the part that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments or in some parts of the embodiments.
Finally, it should be noted that the embodiments above are only intended to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some or all of their technical features can be replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of the present invention.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710240393.7A CN108734007A (en) | 2017-04-13 | 2017-04-13 | A kind of processing method and processing device of monitoring application program |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN108734007A (en) | 2018-11-02 |
Family
ID=63924467
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710240393.7A Pending CN108734007A (en) | 2017-04-13 | 2017-04-13 | A kind of processing method and processing device of monitoring application program |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN108734007A (en) |
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109992489A (en) * | 2018-12-29 | 2019-07-09 | 上海连尚网络科技有限公司 | It is a kind of for monitoring the method and apparatus for the process performing applied in user equipment |
| CN110430177A (en) * | 2019-07-26 | 2019-11-08 | 北京智游网安科技有限公司 | A kind of monitoring method, intelligent terminal and the storage medium of APP network behavior |
| CN112784272A (en) * | 2021-01-26 | 2021-05-11 | 京东数字科技控股股份有限公司 | Application program processing method and device, electronic equipment, system and storage medium |
| CN119066686A (en) * | 2024-11-05 | 2024-12-03 | 成都云祺科技有限公司 | PHP source code encryption method, system, device and storage medium |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104182688A (en) * | 2014-08-26 | 2014-12-03 | 北京软安科技有限公司 | Android malicious code detection device and method based on dynamic activation and behavior monitoring |
| US20150227746A1 (en) * | 2014-02-07 | 2015-08-13 | Northwestern University | System and Method for Privacy Leakage Detection and Prevention System without Operating System Modification |
| CN105488388A (en) * | 2015-12-22 | 2016-04-13 | 中软信息系统工程有限公司 | Method for implementing application software behavior monitoring system based on CPU temporal-spatial isolation mechanism |
| CN105550585A (en) * | 2016-03-02 | 2016-05-04 | 腾讯科技(深圳)有限公司 | Application security testing method, device and system |
| CN105975858A (en) * | 2015-12-08 | 2016-09-28 | 武汉安天信息技术有限责任公司 | Method and system for malicious code detection based on virtual technology in Android system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20181102 |