CN112199642B - Detection method for anti-debugging of android system, mobile terminal and storage medium - Google Patents
- Publication number
- CN112199642B, CN201910610301.9A
- Authority
- CN
- China
- Prior art keywords
- application
- debugging
- state
- main process
- debugging tool
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
Abstract
The invention discloses a detection method for anti-debugging on the Android system, a mobile terminal and a storage medium. Detection code is compiled into an Android system dynamic link library in advance, and a loading link for the detection code is added to the application's startup code, so that the application loads and executes the detection code after it starts. While the application runs, the detection code can accurately and promptly detect, from the state of the network ports and the state of the application main process, whether the application is being debugged by a common or uncommon debugging tool. Once debugging is detected, a dialog box is popped up immediately and the program is terminated, which interrupts the debugging tool, effectively prevents the application from being attacked and improves the security of the application while it runs.
Description
Technical Field
The invention relates to the technical field of mobile terminals, in particular to a detection method for anti-debugging of an Android (Android) system, a mobile terminal and a storage medium.
Background
Since its release, the Android system has been favored by the industry for its openness and customizability. Its market share is very high and grows every year, but that same openness and market share have gradually made the Android system a main target of hacking, and application programs (hereinafter referred to as applications) on the Android system are likewise becoming main targets.
When attacking an application on the Android system, an attacker usually obtains the target application, performs simple static decompilation and inspection, searches for sensitive interface calls, analyzes the more critical code implementation logic, and finally tampers with key information by directly modifying the code or by using other modification tools, thereby achieving the purpose of the attack.
At present, applications on the Android system are protected against attack mainly by code obfuscation, core parameter encryption or hardening (also called packing, or "adding a shell"), so that an attacker cannot obtain useful code implementation logic from static decompilation and inspection, which obstructs static analysis to some degree. However, to attack and tamper quickly and accurately, an attacker can use dynamic debugging: one or more debugging tools (such as IDA and apktool) are used to debug the application, locating the effective code while the application runs and analyzing the key code implementation logic by single-step debugging, dynamic tracing and similar means, thereby achieving the purpose of the attack. It can be seen that the security of Android applications while they run is still low.
Accordingly, the prior art is still in need of improvement and development.
Disclosure of Invention
In view of the shortcomings of the prior art, the invention aims to provide a detection method for anti-debugging of an android system, a mobile terminal and a storage medium, and aims to solve the problem that safety of application in an operation process in the existing android system is not high.
In a first aspect, the invention provides a detection method for anti-debugging of an android system, which comprises the following steps:
Compiling detection codes for detecting the state of a network port and the state of an application process in an initialization function of a dynamic link library of an Android system in advance, and adding loading links of the detection codes into a starting code of the application;
Loading and executing the detection code after the application is started, and judging whether the application is debugged by a debugging tool or not according to the network port state and the application process state by the detection code;
If the application is detected to be debugged by the debugging tool, a prompt dialog box is popped up and the application is terminated.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state includes:
detecting whether the network port is occupied by a debugging tool, if so, the application is being debugged by the debugging tool.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state includes:
Monitoring and capturing whether the debugging tool sends a process debugging signal to the application main process, if so, the application is being debugged by the debugging tool; the process debug signal includes: SIGCONT signals to cause the application main process to continue running, SIGSTOP signals to cause threads associated with the application main process to suspend running.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state includes:
Detecting the state value of an application main process and the state values of all threads related to the main process, and if at least one of the state value of the main process and the state values of all threads is T, then the application is being debugged by a debugging tool.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state further includes:
establishing a first process for reading the state value of the application main process, and detecting whether the state value read by the first process is T; if so, the application is being debugged by a debugging tool.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state includes:
a second process is pre-established, a first time threshold value and a first termination time are set,
The second process starts timing after setting the first termination time to zero after sending the first check data to the application master process,
The application main process receives the first check data and then sends second check data to the second process,
The second process stops timing after receiving the second check data and saves the first termination time,
Detecting whether the first termination time is greater than the first time threshold, if yes, then the application is being debugged by a debugging tool, if not, then continuing to execute the steps of starting timing after the second process sends first check data to the application main process and sets the termination time to zero.
Further, the step of the detection code judging whether the application is attacked by the debug tool according to the network port state and the application process state includes:
a third process is pre-established, a second time threshold value and a second termination time are set,
After the application master process sends the first check data to the third process, the second termination time is set to zero and then the timing is started,
The third process receives the first check data and then sends second check data to the application main process,
The application main process stops timing after receiving the second check data, and saves the second termination time,
Detecting whether the second termination time is greater than the second time threshold, if yes, then the application is being debugged by the debugging tool, if not, then continuing to execute the steps of starting timing after the application main process sends the first check data to the third process and setting the second termination time to zero.
In a second aspect, the present invention provides a mobile terminal, including a processor, a memory, and a communication bus;
the memory is stored with a detection method program for anti-debugging of the android system, which can be executed by the processor;
the communication bus realizes connection communication between the processor and the memory;
And the processor realizes the steps in any one of the android system anti-debugging detection methods when executing the android system anti-debugging detection method program.
In a third aspect, the present invention provides a computer readable storage medium, where the computer readable storage medium stores one or more programs, where the one or more programs are executable by one or more processors to implement the steps in the method for detecting anti-debugging of an android system according to any one of the above.
In a fourth aspect, the present invention provides a detection apparatus for anti-debugging of an android system, where the detection apparatus includes:
The starting unit is used for starting the application and loading the detection code;
the detection unit is used for detecting whether the application is debugged by the debugging tool in real time;
and the processing unit is used for popping up a prompt dialog box and terminating the application.
Compared with the prior art, the detection method, the mobile terminal and the storage medium for the anti-debugging of the Android system are provided, because the detection codes are compiled in the dynamic link library of the Android system in advance and the loading links of the detection codes are added in the starting codes of the application, the application can load and execute the detection codes after starting, the detection codes can accurately and timely detect whether the application is debugged by a common or unusual debugging tool according to the state of a network port and the state of an application main process in the running process of the application, and once the application is detected to be debugged by the debugging tool, a dialog box is popped up and a program is terminated immediately, so that the debugging of the application by the debugging tool is interrupted, the application is effectively prevented from being attacked, and the safety of the running process of the application is improved.
Drawings
Fig. 1 is a flowchart of a detection method for anti-debugging of an android system.
Fig. 2 is a functional block diagram of a mobile terminal according to a preferred embodiment of the present invention.
Fig. 3 is a functional block diagram of a preferred embodiment of the present invention for installing a mobile terminal.
Detailed Description
The invention provides a detection method for anti-debugging of an android system, a mobile terminal and a storage medium, and the invention is further described in detail below in order to make the purposes, the technical schemes and the effects of the invention clearer and more definite. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
Referring to fig. 1, the detection method for anti-debugging of an android system provided by the invention comprises the following steps:
s10, compiling detection codes for detecting the state of a network port and the state of an application process in an initialization function of a dynamic link library of an Android system in advance, and adding loading links of the detection codes into a starting code of an application;
In the Android system, the root directory of any application must include an AndroidManifest file, and this file includes an Application tag. When the application is started, the system creates one, and only one, Application class object, whose life cycle equals the life cycle of the application (from start to stop). A dynamic link library has a special function, the _init function, also called the initialization function, which is executed automatically when the dynamic link library is loaded and is mainly used for initializing the library.
Specifically, a loading link for the detection code is added in advance to the attachBaseContext or onCreate function of the Application class specified by the application's AndroidManifest file, and the detection code is compiled in advance into the initialization function of a dynamic link library of the system. Because the application loads the dynamic link library after it starts, and the initialization function runs automatically when the library is loaded and in turn runs the detection code, the detection code is loaded and executed immediately after the application starts. The detection code can then keep running for as long as the application runs, which ensures the reliability of the subsequent real-time detection.
S20, loading and executing the detection code after the application is started, and judging whether the application is debugged by a debugging tool or not according to the network port state and the application process state by the detection code;
In one embodiment, the step S20 includes:
S201, detecting whether a network port is occupied by a debugging tool; if so, the application is being debugged by the debugging tool.
When an application is debugged by a debugging tool, the debugging tool and the application are in communication. Once port forwarding is started between the corresponding network ports of the Android system and the PC side (the debugging tool generally runs on the PC side), the debugging tool can communicate with the application through the Android-server program on the Android system. Common debugging tools each use a default port number: for example, the default network port number of the IDA debugging tool is 23946, and the default network port number of apktool is 5037 (apktool occupies the adb port).
Therefore, the default port numbers occupied by common debugging tools can be stored in advance in an array or in another form, and the detection code checks whether any of these network ports on the Android system is occupied by a common debugging tool. If so, the application is being debugged by the debugging tool; if not, detection continues. This detection logic can effectively detect whether the application is being debugged by common debugging tools.
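The port check of S201, as an added example that is not part of the patent text: it parses socket-table text in the Linux `/proc/net/tcp` format and reports a listener on one of the default ports named above (23946 and 5037). Using `/proc/net/tcp` as the data source is an assumption, and the function names and sample tables are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TCP_STATE_LISTEN 0x0A   /* value of the "st" column for a listening socket */

/* Default ports named in the description: IDA 23946, adb/apktool 5037. */
static const unsigned DEBUG_PORTS[] = { 23946, 5037 };
#define N_DEBUG_PORTS (sizeof DEBUG_PORTS / sizeof DEBUG_PORTS[0])

/* Constructed sample: port 8080 (0x1F90) and the IDA port (0x5D8A) are listening. */
static const char SAMPLE_DEBUGGED[] =
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000\n"
    "   1: 0100007F:5D8A 00000000:0000 0A 00000000:00000000\n";

/* Constructed sample: 0x5D8A appears only as the remote port of an
 * established (st = 01) connection, so nothing is listening on it locally. */
static const char SAMPLE_CLEAN[] =
    "  sl  local_address rem_address   st tx_queue rx_queue\n"
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000\n"
    "   1: 0100007F:C350 0100007F:5D8A 01 00000000:00000000\n";

/* Scan /proc/net/tcp-style text line by line. Returns the first watched port
 * that is in LISTEN state, or 0 when none is. (Illustrative helper.) */
unsigned find_debug_listener(const char *table, const unsigned *ports, size_t n)
{
    const char *line = table;

    while (*line) {
        char buf[256];
        size_t len = strcspn(line, "\n");
        size_t copy = len < sizeof buf - 1 ? len : sizeof buf - 1;
        unsigned port = 0, state = 0;
        size_t i;

        memcpy(buf, line, copy);
        buf[copy] = '\0';

        /* Fields: "sl: local_ip:local_port remote_ip:remote_port state".
         * The header row fails to match and is skipped. */
        if (sscanf(buf, " %*d: %*[0-9A-Fa-f]:%x %*[0-9A-Fa-f]:%*x %x",
                   &port, &state) == 2 && state == TCP_STATE_LISTEN) {
            for (i = 0; i < n; i++)
                if (ports[i] == port)
                    return port;
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return 0;
}

/* Same check against a live table such as /proc/net/tcp.
 * Returns 0 when the file cannot be read. */
unsigned scan_socket_table(const char *path)
{
    static char text[65536];
    FILE *f = fopen(path, "r");
    size_t n;

    if (!f)
        return 0;
    n = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[n] = '\0';
    return find_debug_listener(text, DEBUG_PORTS, N_DEBUG_PORTS);
}

int main(void)
{
    printf("debugged sample -> %u\n",
           find_debug_listener(SAMPLE_DEBUGGED, DEBUG_PORTS, N_DEBUG_PORTS));
    printf("clean sample    -> %u\n",
           find_debug_listener(SAMPLE_CLEAN, DEBUG_PORTS, N_DEBUG_PORTS));
    printf("live table      -> %u\n", scan_socket_table("/proc/net/tcp"));
    return 0;
}
```

On Android 10 and later, app access to `/proc/net` is restricted, so a check built this way needs a different data source on those releases.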
In another embodiment, the step S20 includes:
S202, monitoring and capturing whether a debugging tool sends a process debugging signal to the application main process; if so, the application is being debugged by the debugging tool. The process debugging signals comprise: the SIGCONT signal, which causes the application main process to continue running, and the SIGSTOP signal, which causes threads associated with the application main process to suspend running.
When an application is debugged by a debugging tool, the application main process is suspended because it is being debugged, and a debugger that wants the application to resume must send the process debugging signal SIGCONT to the application main process, so this signal needs to be monitored and captured. In addition, to avoid detection during debugging, an attacker usually stops the threads related to the main process by sending them the process debugging signal SIGSTOP. The detection code is itself a thread under the main process; if it is stopped, the application can be debugged and thus attacked, so this signal also needs to be monitored and captured.
Therefore, the detection code monitors whether a debugging tool sends a process debugging signal to the application main process. If a signal is sent, it is captured and checked to see whether it is a SIGCONT signal or a SIGSTOP signal; if it is, the application is being debugged by the debugging tool, and if not, monitoring continues. This detection logic can effectively detect whether the application is being debugged by common or uncommon debugging tools.
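The signal monitoring of S202, as an added example that is not part of the patent text: it installs a SIGCONT handler with `sigaction` and counts deliveries. POSIX does not allow SIGSTOP to be caught, blocked or ignored, so the same call for SIGSTOP is rejected, which the example also shows; the function names are illustrative.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Number of SIGCONT deliveries seen so far; written only by the handler. */
static volatile sig_atomic_t sigcont_seen = 0;

/* Handler body stays async-signal-safe: it only updates a sig_atomic_t. */
static void on_signal(int signo)
{
    (void)signo;
    sigcont_seen = sigcont_seen + 1;
}

/* Install the handler for signo. Returns 0 on success, or the errno value
 * reported by sigaction() when the kernel refuses the request. */
int watch_signal(int signo)
{
    struct sigaction sa;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;   /* do not break interrupted system calls */
    return sigaction(signo, &sa, NULL) == 0 ? 0 : errno;
}

int sigcont_count(void)
{
    return (int)sigcont_seen;
}

/* Send SIGCONT to this process, standing in for the resume signal that the
 * description expects from a debugging tool. Returns the number of new
 * deliveries the handler recorded. */
int simulate_resume(void)
{
    int before = sigcont_count();

    raise(SIGCONT);
    return sigcont_count() - before;
}

int main(void)
{
    int rc = watch_signal(SIGCONT);

    printf("install SIGCONT handler: %s\n", rc == 0 ? "ok" : strerror(rc));
    printf("deliveries after simulated resume: %d\n", simulate_resume());

    rc = watch_signal(SIGSTOP);
    printf("install SIGSTOP handler: %s\n", rc == 0 ? "ok" : strerror(rc));
    return 0;
}
```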
In another embodiment, the step S20 includes:
S203, detecting the state value of the application main process and the state values of all threads related to the main process; if at least one of these state values is T, the application is being debugged by a debugging tool.
When an application is being debugged by a debugging tool, an attacker will typically debug the application main process or some thread associated with it; whichever is in the debugged state, the state value of that process or thread becomes T (tracing stop, indicating that the process or thread is being debugged). In a specific implementation, the id value of the current application main process can be obtained through the getpid function, then the id values of all threads related to the application main process are obtained, and finally the state values of the main process and all threads are traversed and checked. For example, suppose the id value of the current application main process obtained through the getpid function is 28363, and the main process directory (/proc/28363/task) contains several threads such as 28363, 28371 and 28528 (these are all the threads related to the main process). The State value in the /proc/28363/status file (the state value of the application main process), the State value in the /proc/28371/status file (the state value of one of the threads related to the application main process) and the State value in the /proc/28528/status file are then read; the State value in these directories can be read directly, without extra parsing or conversion.
Thus, the state value of the application main process and the state values of all threads related to the main process are traversed (for example in a loop) and checked: if at least one of them is T, the application is being debugged by the debugging tool; if not, traversal and detection continue. This detection logic can effectively detect whether the application is being debugged by common or uncommon debugging tools.
In another embodiment, the step S20 includes:
S204, establishing a first process for reading the state value of the application main process, and detecting whether the state value read by the first process is T; if so, the application is being debugged by a debugging tool.
If the application is being debugged by the debugging tool, the main process may be unable to obtain the state values of itself and all its threads after it has been suspended by the debugging tool. To guard against this, a separate process is established, preferably as a sub-process of the application main process. This process can read the id value of the main process through the getppid function and then read the state value of the main process.
Therefore, the state value of the application main process is read through the first process and checked: if it is T, the application is being debugged by a debugging tool; if not, reading and detection continue. This detection logic can effectively detect whether the application is being debugged by common or uncommon debugging tools.
In another embodiment, the step S20 comprises both S203 and S204.
Specifically, the first process ensures that the id of the application main process can be obtained, and from it the ids of all threads related to the main process; the application can then be accurately judged to be under debugging whenever at least one of the state values of the main process and all its threads is T. This detection logic ensures the reliability of detection and can effectively detect whether the application is being debugged by common or uncommon debugging tools.
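The state check of S203 and S204, as an added example that is not part of the patent text: it walks `/proc/<pid>/task`, reads the `State:` field of every thread and counts the stopped ones. Linux kernels that distinguish the two cases report a ptrace stop as `t (tracing stop)` and a signal stop as `T (stopped)`, so the example accepts both letters although the patent names only T. The function names are illustrative, and the self-test observes a stopped child from its parent because the observer has to be a process that is still running.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <dirent.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return the state letter from the text of a status file, or 0 if the
 * "State:" line is missing. Only matches at the start of a line. */
char state_from_status_text(const char *text)
{
    const char *p = text;

    while (p && *p) {
        if (strncmp(p, "State:", 6) == 0) {
            p += 6;
            while (*p == ' ' || *p == '\t')
                p++;
            return (*p == '\n') ? 0 : *p;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* 'T' = stopped by a signal, 't' = tracing stop (see lead-in). */
int is_stop_state(char s)
{
    return s == 'T' || s == 't';
}

/* Read the state letter from one status file; 0 if it cannot be read. */
static char read_state(const char *path)
{
    char buf[1024];
    size_t n;
    FILE *f = fopen(path, "r");

    if (!f)
        return 0;
    n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return state_from_status_text(buf);
}

/* Count the threads of pid that are in a stop state.
 * Returns -1 when /proc/<pid>/task cannot be opened. */
int count_stopped_tasks(pid_t pid)
{
    char dir[64], path[320];
    struct dirent *e;
    int stopped = 0;
    DIR *d;

    snprintf(dir, sizeof dir, "/proc/%ld/task", (long)pid);
    d = opendir(dir);
    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (e->d_name[0] < '0' || e->d_name[0] > '9')
            continue;               /* skip "." and ".." */
        snprintf(path, sizeof path, "%s/%s/status", dir, e->d_name);
        if (is_stop_state(read_state(path)))
            stopped++;
    }
    closedir(d);
    return stopped;
}

/* Self-test: fork a child, stop it with SIGSTOP, and inspect it from the
 * still-running parent. Returns the number of stopped threads seen. */
int observe_stopped_child(void)
{
    int status, result = -1;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0)
        for (;;)
            pause();
    kill(child, SIGSTOP);
    if (waitpid(child, &status, WUNTRACED) == child && WIFSTOPPED(status))
        result = count_stopped_tasks(child);
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return result;
}

int main(void)
{
    printf("stopped threads in this process: %d\n", count_stopped_tasks(getpid()));
    printf("stopped threads in stopped child: %d\n", observe_stopped_child());
    return 0;
}
```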
In another embodiment, the step S20 includes S205, and the step S205 specifically includes:
S2051, a second process is established in advance, and a first time threshold value and a first termination time are set;
When the application main process is debugged by a debugging tool, the main process is in a suspended state. If a process, preferably a sub-process of the main process, is established in advance to communicate with the application main process in real time, then an abnormality detected in that communication indicates that the application is being debugged. To detect such an abnormality, a first time threshold and a first termination time are set for comparison in the subsequent steps. The first time threshold only needs to be slightly larger than the time one complete communication takes when the application main process is not being debugged, and the first termination time records the time one complete communication actually takes.
S2052, after the second process sends first check data to the application main process, the second process starts timing after setting the first termination time to zero;
s2053, after the application main process receives the first check data, sending second check data to the second process;
s2054, stopping timing after the second process receives the second check data, and storing the first termination time;
The above steps form one complete communication process. In implementation, the second process first sends the first check data to the main process, sets the first termination time to 0 and starts timing. The first termination time is set to 0 to ensure that it accurately records the time taken by one complete communication process. The first check data may be set arbitrarily, for example the character string "1".
Then, after receiving the first check data, the main process feeds second check data back to the second process. The second check data can be set arbitrarily, such as the character string "1"; it may also be obtained by applying a predetermined process to the first check data: for example, if the first check data is the character string "1" and the predetermined process adds one to the first check data, the second check data is the character string "2".
Finally, after the second process receives the second check data, it stops timing and assigns the time spent to the first termination time, whose value thus becomes the time taken by one complete communication process.
S2055, detecting whether the first termination time is greater than the first time threshold, if yes, then the application is being debugged by a debugging tool, and if not, then continuing to execute step S2052.
If the application main process is not being debugged by a debugging tool, the communication process is normal and the first termination time is smaller than the first time threshold; if the application main process is being debugged by a debugging tool, the communication process is abnormal and the first termination time is larger than the first time threshold. Comparing the two therefore accurately shows whether the application main process is currently being debugged by a debugging tool. If the first termination time is less than the first time threshold for a complete communication process, step S2052 is executed again to continue the loop detection. This detection logic can effectively detect whether the application is being debugged by common or uncommon debugging tools.
In another embodiment, the step S20 includes S206, and the step S206 specifically includes:
s2061, pre-establishing a third process, and setting a second time threshold and a second termination time; this step is the same as the design principle of S2051.
S2062, after the application main process sends third check data to the third process, the application main process sets the second termination time to zero and starts timing;
S2063, the third process receives the third check data and then sends fourth check data to the application main process;
s2064, stopping timing after the application main process receives the fourth check data, and storing the second termination time;
The above steps form one complete communication process, similar to that of step S205, except that the application main process first sends check data to the third process, and the third process feeds check data back after receiving it.
S2065, detecting whether the second termination time is greater than the second time threshold, if so, the application is being debugged by the debugging tool, and if not, continuing to execute step S2062.
If the application main process is not being debugged by a debugging tool, the communication process is normal and the second termination time is smaller than the second time threshold; if the application main process is being debugged by a debugging tool, the communication process is abnormal and the second termination time is larger than the second time threshold. Comparing the two therefore accurately shows whether the application main process is currently being debugged by a debugging tool. If the second termination time is less than the second time threshold for a complete communication process, step S2062 is executed again to continue the loop detection. This detection logic can effectively detect whether the application is being debugged by common or uncommon debugging tools.
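The round-trip timing of S205 and S206, as an added example that is not part of the patent text: one process sends the first check data "1", the peer answers with that value plus one, and the sender compares the elapsed time with a threshold. The function names, the 200 ms threshold and the `peer_delay_ms` parameter, which stands in for a peer that a debugger has paused, are assumptions made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Monotonic clock in microseconds. It keeps advancing while a process is
 * suspended, which is what makes a paused peer visible as a long round trip. */
static long long now_us(void)
{
    struct timespec ts;

    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (long long)ts.tv_sec * 1000000LL + ts.tv_nsec / 1000;
}

/* Timing side (S2052 and S2054): start from zero, send "1", wait for "2".
 * Returns elapsed microseconds, or -1 on I/O error or a wrong reply. */
long long timed_ping(int wfd, int rfd)
{
    char c = '1';
    long long start = now_us();

    if (write(wfd, &c, 1) != 1)
        return -1;
    if (read(rfd, &c, 1) != 1 || c != '2')
        return -1;
    return now_us() - start;
}

/* Replying side (S2053): read the check data, add one, send it back.
 * delay_ms > 0 simulates a process held up before it can answer. */
int echo_once(int rfd, int wfd, unsigned delay_ms)
{
    char c;

    if (read(rfd, &c, 1) != 1)
        return -1;
    if (delay_ms) {
        struct timespec d;

        d.tv_sec = delay_ms / 1000;
        d.tv_nsec = (long)(delay_ms % 1000) * 1000000L;
        nanosleep(&d, NULL);
    }
    c++;
    return write(wfd, &c, 1) == 1 ? 0 : -1;
}

/* Run one complete communication against a forked peer.
 * Returns 1 if the round trip exceeded threshold_us, 0 if it did not,
 * and -1 on error. */
int heartbeat_exceeds(long long threshold_us, unsigned peer_delay_ms)
{
    int to_peer[2], from_peer[2];
    long long elapsed;
    pid_t pid;

    if (pipe(to_peer) != 0)
        return -1;
    if (pipe(from_peer) != 0) {
        close(to_peer[0]);
        close(to_peer[1]);
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                         /* peer process */
        close(to_peer[1]);
        close(from_peer[0]);
        _exit(echo_once(to_peer[0], from_peer[1], peer_delay_ms) == 0 ? 0 : 1);
    }
    close(to_peer[0]);
    close(from_peer[1]);
    elapsed = timed_ping(to_peer[1], from_peer[0]);
    close(to_peer[1]);
    close(from_peer[0]);
    waitpid(pid, NULL, 0);
    if (elapsed < 0)
        return -1;
    return elapsed > threshold_us ? 1 : 0;
}

int main(void)
{
    printf("responsive peer flagged: %d\n", heartbeat_exceeds(200000, 0));
    printf("delayed peer flagged:    %d\n", heartbeat_exceeds(200000, 500));
    return 0;
}
```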
And S30, if the fact that the application is debugged by the debugging tool is detected, a prompt dialog box is popped up and the application is terminated.
If it is detected in the step S20 that the application is being debugged by the debugging tool, a prompt dialog box is popped up and the application is terminated immediately, so that further debugging of the application by the debugging tool is avoided.
From the above, in this method the detection code is compiled into an Android system dynamic link library in advance, and a loading link for the detection code is added to the application's startup code, so that the detection code is loaded and executed after the application starts. While the application runs, the detection code can accurately and promptly detect, from the state of the network ports and the state of the application main process, whether the application is being debugged by a common or uncommon debugging tool. Once debugging is detected, a dialog box is popped up immediately and the program is terminated, which interrupts the debugging tool, effectively prevents the application from being attacked and improves the security of the application while it runs.
Referring to fig. 2, the present invention further provides a mobile terminal based on the detection method for anti-debugging of the android system, where the mobile terminal may be a mobile phone, a desktop computer, a palm computer, a server, and other computing devices. The mobile terminal comprises a processor 10, a memory 20 and a display screen 30, wherein the processor 10 is connected with the memory 20 through a communication bus 50, and the display screen 30 is connected with the processor 10 through the communication bus 50. Fig. 2 shows only some of the components of the mobile terminal, but it should be understood that not all of the illustrated components are required to be implemented and that more or fewer components may alternatively be implemented.
The memory 20 may in some embodiments be an internal storage unit of the mobile terminal, such as a memory of the mobile terminal. The memory 20 may also be an external storage device of the mobile terminal in other embodiments, such as a plug-in type usb flash drive, a smart memory card (SMART MEDIA CARD, SMC), a Secure Digital (SD) card, a flash memory card (FLASH CARD) or the like. Further, the memory 20 may also include both an internal storage unit and an external storage device of the mobile terminal. The memory 20 is used for storing application software installed in the mobile terminal and various data, such as program codes for installing the mobile terminal. The memory 20 may also be used to temporarily store data that has been output or is to be output. In an embodiment, the memory 20 stores an android system anti-debugging detection method program 40, and the android system anti-debugging detection method program 40 can be executed by the processor 10, so as to implement the android system anti-debugging detection method in the present application.
The processor 10 may be a central processing unit (Central Processing Unit, CPU), microprocessor, mobile phone baseband processor or other data processing chip in some embodiments, for running the program codes or processing data stored in the memory 20, for example, executing the Android system anti-debug based detection method, etc.
The display screen 30 may be an LED display screen, a liquid crystal display screen, a touch-control type liquid crystal display screen, an OLED (Organic Light-Emitting Diode) touch device, or the like in some embodiments. The display screen 30 is used for displaying information on the mobile terminal and for displaying a visual user interface. The components 10-30 of the mobile terminal communicate with each other via a system bus.
In an embodiment, the steps in the method for detecting anti-debugging of the android system according to any one of the above embodiments are implemented when the processor 10 executes the program 40 for detecting anti-debugging of the android system in the memory 20.
Fig. 3 is a functional block diagram of a preferred embodiment of a mobile terminal in which a computer program for detecting anti-debugging of an android system according to the present invention is installed. In this embodiment, the system in which the android system anti-debugging detection method program is installed may be divided into one or more modules, and the one or more modules are stored in the memory 20 and executed by one or more processors (the processor 10 in this embodiment) to complete the present invention. For example, in Fig. 3, a mobile terminal in which a mobile terminal brushstroke control processing method computer program is installed may be divided into a starting unit 21, a detecting unit 22 and a processing unit 23. A unit, as referred to in the invention, is a series of computer program instruction segments capable of completing a specific function, and is better suited than the program itself to describing how the android system anti-debugging detection method program executes in the mobile terminal. The following description introduces the functions of the modules 21-23.
A starting unit 21 for starting the application and loading the detection code;
A detecting unit 22 for detecting in real time whether the application is debugged by the debugging tool;
The processing unit 23 is configured to pop up the prompt dialog and terminate the application, as described in detail above.
Based on the above embodiments, the present invention further provides a computer readable storage medium storing one or more programs, where the one or more programs are executable by one or more processors to implement the steps in the method for detecting anti-debugging of an android system according to any one of the above embodiments, as specifically described above.
It is to be understood that the invention is not limited in its application to the examples described above, but is capable of modification and variation in light of the above teachings by those skilled in the art, and that all such modifications and variations are intended to be included within the scope of the appended claims.
Claims (7)
1. The detection method for the anti-debugging of the android system is characterized by comprising the following steps:
Compiling detection codes for detecting the state of a network port and the state of an application process in an initialization function of a dynamic link library of an Android system in advance, adding a loading link of the detection codes in a starting code of the application, loading the dynamic link library after the application is started, and automatically running the initialization function when the dynamic link library is loaded, so as to run the detection codes;
Loading and executing the detection code after the application is started, and judging whether the application is debugged by a debugging tool or not according to the network port state and the application process state by the detection code;
the step of judging whether the application is debugged by the debugging tool according to the network port state and the application process state by the detection code comprises the following steps:
monitoring and capturing whether the debugging tool sends a process debugging signal to the application main process, and if so, the application is being debugged by the debugging tool; the process debugging signal includes: a SIGCONT signal, which causes the application main process to continue running, and a SIGSTOP signal, which causes threads associated with the application main process to suspend running;
detecting whether a network port is occupied by a debugging tool, and if so, the application is being debugged by the debugging tool;
acquiring the id value of the current application main process through the getpid function, acquiring the id values of all threads related to the application main process, and traversing and detecting the state values of the main process and all threads, thereby reducing parsing and conversion operations;
detecting the state value of the application main process and the state values of all threads related to the main process, and if at least one of the state value of the main process and the state values of all threads is T, the application is being debugged by the debugging tool;
If the application is detected to be debugged by the debugging tool, a prompt dialog box is popped up and the application is terminated.
2. The method for detecting anti-debugging of an android system according to claim 1, wherein the step of determining, by the detection code, whether the application is attacked by the debugging tool according to the network port state and the application process state further comprises:
establishing a first process for reading the state value of the application main process, detecting whether the state value read by the first process is T, and if so, the application is being debugged by the debugging tool.
3. The method for detecting anti-debugging of an android system according to claim 1, wherein the step of determining, by the detection code, whether the application is attacked by the debugging tool according to the network port state and the application process state comprises:
pre-establishing a second process, and setting a first time threshold and a first termination time;
after sending first check data to the application main process, the second process sets the first termination time to zero and starts timing;
after receiving the first check data, the application main process sends second check data to the second process;
after receiving the second check data, the second process stops timing and saves the first termination time;
detecting whether the first termination time is greater than the first time threshold; if yes, the application is being debugged by a debugging tool; if not, continuing to execute the step in which the second process sends first check data to the application main process, sets the termination time to zero and starts timing.
4. The method for detecting anti-debugging of an android system according to claim 1, wherein the step of determining, by the detection code, whether the application is attacked by the debugging tool according to the network port state and the application process state comprises:
pre-establishing a third process, and setting a second time threshold and a second termination time;
after sending third check data to the third process, the application main process sets the second termination time to zero and starts timing;
after receiving the third check data, the third process sends fourth check data to the application main process;
after receiving the fourth check data, the application main process stops timing and saves the second termination time;
detecting whether the second termination time is greater than the second time threshold; if yes, the application is being debugged by the debugging tool; if not, continuing to execute the step in which the application main process sends the first check data to the third process, sets the second termination time to zero and starts timing.
5. A mobile terminal comprising a processor, a memory, and a communication bus;
the memory is stored with a detection method program for anti-debugging of the android system, which can be executed by the processor;
the communication bus realizes connection communication between the processor and the memory;
The steps in the android system anti-debugging detection method according to any one of claims 1-4 are realized when the processor executes the android system anti-debugging detection method program.
6. A computer readable storage medium storing one or more programs executable by one or more processors to implement the steps in the method for detecting anti-debugging of an android system as claimed in any one of claims 1-4.
7. A detection device for anti-debugging of an android system, characterized by comprising:
The starting unit is used for starting the application and loading the detection code;
The steps of starting the application and loading the detection code comprise:
Compiling detection codes for detecting the state of a network port and the state of an application process in an initialization function of a dynamic link library of an Android system in advance, adding a loading link of the detection codes in a starting code of the application, loading the dynamic link library after the application is started, and automatically running the initialization function when the dynamic link library is loaded, so as to run the detection codes;
the detection unit is used for detecting whether the application is debugged by the debugging tool in real time;
The step of detecting in real time whether the application is debugged by the debugging tool comprises the following steps:
Loading and executing the detection code after the application is started, and judging whether the application is debugged by a debugging tool or not according to the network port state and the application process state by the detection code;
the step of judging whether the application is debugged by the debugging tool according to the network port state and the application process state by the detection code comprises the following steps:
monitoring and capturing whether the debugging tool sends a process debugging signal to the application main process, and if so, the application is being debugged by the debugging tool; the process debugging signal includes: a SIGCONT signal, which causes the application main process to continue running, and a SIGSTOP signal, which causes threads associated with the application main process to suspend running;
detecting whether a network port is occupied by a debugging tool, and if so, the application is being debugged by the debugging tool;
acquiring the id value of the current application main process through the getpid function, acquiring the id values of all threads related to the application main process, and traversing and detecting the state values of the main process and all threads, thereby reducing parsing and conversion operations;
detecting the state value of the application main process and the state values of all threads related to the main process, and if at least one of the state value of the main process and the state values of all threads is T, the application is being debugged by the debugging tool;
the processing unit is used for popping up a prompt dialog box and terminating the application;
the step for popping up the prompt dialog and terminating the application includes:
If the application is detected to be debugged by the debugging tool, a prompt dialog box is popped up and the application is terminated.
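The thread-state check recited in claims 1 and 7 can be sketched as follows. This is an added example, not code from the patent: the function names are hypothetical, and treating the lowercase `t` (tracing stop, reported by Linux 2.6.33 and later) the same as the `T` named in the claims is an assumption made here.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return the state letter from one /proc/<pid>/task/<tid>/stat line, or 0.
 * The comm field sits in parentheses and may itself contain spaces or ')',
 * so the state is taken after the LAST ')' instead of by splitting on spaces. */
char stat_state(const char *line)
{
    const char *p = strrchr(line, ')');
    if (p == NULL)
        return 0;
    for (p++; *p == ' '; p++)
        ;
    return isalpha((unsigned char)*p) ? *p : 0;
}

/* 'T' is the value the claims name; 't' (tracing stop) is an assumption
 * added in this example, not something the patent text states. */
int state_is_stopped(char s)
{
    return s == 'T' || s == 't';
}

/* Walk every thread of the calling process (id obtained through getpid).
 * Returns 1 if any thread is stopped, 0 if none, -1 if /proc is unreadable. */
int any_thread_stopped(void)
{
    char path[320], line[512];
    struct dirent *e;
    int hit = 0;
    DIR *d;

    snprintf(path, sizeof path, "/proc/%d/task", (int)getpid());
    if ((d = opendir(path)) == NULL)
        return -1;
    while (!hit && (e = readdir(d)) != NULL) {
        FILE *f;
        if (!isdigit((unsigned char)e->d_name[0]))
            continue;               /* skip "." and ".." */
        snprintf(path, sizeof path, "/proc/%d/task/%s/stat", (int)getpid(), e->d_name);
        if ((f = fopen(path, "r")) == NULL)
            continue;               /* thread exited between readdir and open */
        if (fgets(line, sizeof line, f) != NULL)
            hit = state_is_stopped(stat_state(line));
        fclose(f);
    }
    closedir(d);
    return hit;
}
```

A scan run from inside the application only executes while the scanning thread itself is running, which is the gap the separate reading process of claim 2 covers.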
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910610301.9A CN112199642B (en) | 2019-07-08 | 2019-07-08 | Detection method for anti-debugging of android system, mobile terminal and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112199642A CN112199642A (en) | 2021-01-08 |
CN112199642B true CN112199642B (en) | 2024-09-13 |
Family
ID=74004549
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910610301.9A Active CN112199642B (en) | 2019-07-08 | 2019-07-08 | Detection method for anti-debugging of android system, mobile terminal and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112199642B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113209630B (en) * | 2021-05-14 | 2022-09-30 | 上海完美时空软件有限公司 | Frame grabbing defense method and device for game application, storage medium and computer equipment |
CN114385982A (en) * | 2021-12-28 | 2022-04-22 | 武汉卡比特信息有限公司 | Method and system for anti-debugging android application program, electronic device and storage medium |
CN116755999B (en) * | 2023-05-17 | 2024-03-29 | 安芯网盾(北京)科技有限公司 | Starting method of debugging service process applied to Windows system |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106055983A (en) * | 2016-07-27 | 2016-10-26 | 北京鼎源科技有限公司 | Anti-debugging method of android application based on IDA communication |
CN106845170A (en) * | 2017-01-20 | 2017-06-13 | 武汉斗鱼网络科技有限公司 | A kind of anti-debug method and system |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104461806A (en) * | 2013-09-16 | 2015-03-25 | 中兴通讯股份有限公司 | Data breakpoint monitoring method and device and debugger |
CN106778104B (en) * | 2017-01-20 | 2019-10-25 | 武汉斗鱼网络科技有限公司 | Anti-debugging method and system for an application program |
Also Published As
Publication number | Publication date |
---|---|
CN112199642A (en) | 2021-01-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10984096B2 (en) | Systems, methods, and apparatus for detecting control flow attacks | |
US8484732B1 (en) | Protecting computers against virtual machine exploits | |
US20160300044A1 (en) | Anti-debugging method | |
CN108197032B (en) | Main thread jamming monitoring method, medium, equipment and system for IOS application | |
CN112199642B (en) | Detection method for anti-debugging of android system, mobile terminal and storage medium | |
US20120047579A1 (en) | Information device, program, method for preventing execution of unauthorized program code, and computer readable recording medium | |
US10474565B2 (en) | Root cause analysis of non-deterministic tests | |
CN108021791B (en) | Data protection method and device | |
US10514972B2 (en) | Embedding forensic and triage data in memory dumps | |
US10318731B2 (en) | Detection system and detection method | |
CN113190427B (en) | Method and device for monitoring blocking, electronic equipment and storage medium | |
CN110851352A (en) | Fuzzy test system and terminal equipment | |
CN112130923A (en) | Container management method and device, electronic equipment and computer-readable storage medium | |
US9104801B2 (en) | Analyzing concurrent debugging sessions | |
CN102722430A (en) | Method and device for detecting hot plug of secure digital card | |
CN107844703B (en) | Client security detection method and device based on Android platform Unity3D game | |
JP2008513899A (en) | Method for processing a computer program on a computer system | |
CN112100622B (en) | A data processing method and device | |
Luo et al. | Platform software reliability for cloud service continuity-challenges and opportunities | |
CN100517251C (en) | Test system and method | |
KR102556413B1 (en) | Method and apparatus for managing a virtual machine using semaphore | |
CN117408060B (en) | Whole vehicle model simulation performance optimization method, storage medium and electronic equipment | |
US20250124181A1 (en) | Vehicle model simulation performance optimization method, storage medium, processor and electronic device | |
US20250124182A1 (en) | Vehicle model simulation performance optimization system and computer device | |
KR20080050117A (en) | Method and system for enhancing the reliability of embedded software |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||