
CN109145590B - Function hook detection method, detection equipment and computer readable medium

Info

Publication number
CN109145590B
Authority
CN
China
Prior art keywords
function
target
hook
preset
equipment information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810841834.3A
Other languages
Chinese (zh)
Other versions
CN109145590A (en
Inventor
刘瑞恺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201810841834.3A priority Critical patent/CN109145590B/en
Priority to PCT/CN2018/107745 priority patent/WO2020019482A1/en
Publication of CN109145590A publication Critical patent/CN109145590A/en
Application granted granted Critical
Publication of CN109145590B publication Critical patent/CN109145590B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Telephone Function (AREA)

Abstract

The embodiment of the invention discloses a function hook detection method, a detection device and a computer readable medium. The method comprises the following steps: when it is detected that an Xposed plug-in is installed on a target terminal, obtaining a flag value of a target function in the target terminal; determining whether the target function is hooked according to the flag value; when the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from a memory of the target function; and determining an original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and replacing the target function with the original function. By adopting the embodiment of the invention, false alarms of hook behavior can be avoided and the accuracy of hook detection can be improved.

Description

Function hook detection method, detection equipment and computer readable medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and a device for detecting a function hook, and a computer readable medium.
Background
Xposed is an open source framework that provides a framework service through which self-written modules or code can affect the running of a program without modifying the source code of an Android installation package (APK). Some bad actors may tamper with device information by using the Xposed plug-in, but current commercial device risk identification products generally cannot recognize the tampering itself, and determine hook behavior only by detecting whether the Xposed plug-in is installed in the terminal. Determining hook behavior only by detecting whether the Xposed plug-in is installed has a high false alarm rate.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting a function hook and a computer readable medium, which help avoid false alarms of hook behavior and improve the accuracy of hook detection.
In a first aspect, an embodiment of the present invention provides a method for detecting a function hook, including:
when it is detected that an Xposed plug-in is installed on a target terminal, obtaining a flag value of a target function in the target terminal, wherein the flag value is used for marking the state of the target function;
determining whether the target function is hooked according to the flag value;
when the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from a memory of the target function;
and determining an original function corresponding to the target function pointer according to the pre-stored correspondence between each function pointer and a function, and replacing the target function with the original function.
Optionally, the method further includes:
acquiring current device information of the target terminal, wherein the current device information comprises one or more of the model, the system version and the risk control scenario information of the target terminal;
determining a function list corresponding to the current device information according to a preset correspondence between device information and function lists, wherein each function list comprises functions whose frequency of being hooked under the corresponding device information is greater than a preset frequency threshold;
and taking a function in the function list corresponding to the current device information as the target function.
Optionally, the method further includes:
establishing a function detection model according to statistics, in historical data, of the functions hooked under different device information, wherein the device information comprises one or more of device model, system version and risk control scenario information;
and acquiring current device information of the target terminal, and inputting the current device information into the function detection model to obtain the target function.
Optionally, the determining whether the target function is hooked according to the flag value includes:
comparing characters at preset positions in the flag value with preset fixed characters, wherein the number of the characters at the preset positions is the same as that of the fixed characters;
and when the comparison shows that the characters at the preset positions differ from the fixed characters, determining that the target function is hooked.
Optionally, the determining whether the target function is hooked according to the flag value includes:
performing a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address used when a native function in the system is executed;
and when the operation result value is a positive integer, determining that the target function is hooked.
Optionally, after replacing the target function with the original function, the method further includes:
acquiring device information corresponding to the original function according to the original function, and determining the priority of the device information;
determining a target risk level of the hooked target function according to the priority of the device information;
and determining a control strategy corresponding to the target risk level according to the preset correspondence between different risk levels and control strategies, and controlling the operation of the target terminal according to the determined control strategy.
Optionally, the method further includes:
counting the number of functions of the target terminal that are hooked within a preset time range, and determining the target risk level of the target terminal according to the number;
and determining a control strategy corresponding to the target risk level according to the preset correspondence between different risk levels and control strategies, and controlling the operation of the target terminal according to the determined control strategy.
In a second aspect, an embodiment of the present invention provides a detection apparatus, which includes a unit configured to perform the method of the first aspect.
In a third aspect, an embodiment of the present invention provides another detection apparatus, which includes a processor, a user interface, a communication interface, and a memory, where the processor, the user interface, the communication interface, and the memory are connected to each other, where the memory is used to store a computer program that supports the detection apparatus to execute the foregoing method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the foregoing method according to the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, the computer program comprising program instructions, which, when executed by a processor, cause the processor to perform the method of the first aspect.
According to the method and the device, the flag value of the function on which hook detection is to be performed in the terminal can be obtained, and whether the function is hooked can be determined according to the flag value. When the function is hooked, the function pointer corresponding to the function can be obtained, so that the real original function can be determined according to the function pointer and used to replace the hooked function. False alarms of hook behavior can thereby be avoided, the accuracy of hook detection is improved, and the security of the terminal can be improved by restoring the real function.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for detecting a function hook according to an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another method for detecting a function hook according to an embodiment of the present invention;
Fig. 3 is a schematic flow chart of another method for detecting a function hook according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of another detection apparatus provided in the embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical scheme of the application can be applied to a detection device, which may be any of various terminals, servers, or risk identification products (devices) connected with the terminals, and which is used for detecting hook behavior in the terminals. The terminal in the application may be a mobile phone, a computer, a tablet, a smart watch and the like, and the application is not limited in this respect. The Xposed open source framework (also called the Xposed plug-in) or another open source framework is deployed in the terminal, and hook behavior often exists under such a framework. Here, a hook may change the result of executing a function, such as the execution result of an Application Programming Interface (API) function, so that a bad actor may modify device information through hook technology to achieve an illegal purpose. Hook behavior can be discovered in time through the method and the device.
In the present application, a function may also be referred to by other names, for example Method, artMethod, method, structure, method structure, artMethod structure, or other names.
Specifically, by acquiring the flag value of a function in the terminal, the method and the device can determine whether the function is hooked according to the flag value, which helps avoid false alarms of hook behavior and improves the accuracy of hook detection. Device overhead can be reduced by first detecting whether Xposed or another open source framework or plug-in is installed in the terminal, and obtaining the flag value of the function only when it is determined to be installed. Further, when a function is determined to be hooked, the function pointer corresponding to the function can be obtained, and the corresponding real original function can be determined according to the function pointer to replace the hooked function, so that the real function can be restored and terminal security improved. The details are described below.
Referring to fig. 1, fig. 1 is a schematic flow chart of a method for detecting a function hook according to an embodiment of the present invention. Specifically, as shown in fig. 1, the method for detecting a function hook may include the following steps:
101. Acquiring a flag value of a target function in the target terminal.
The target terminal may be any terminal on which hook detection needs to be performed, such as a terminal connected to a risk detection device, a terminal in a specific risk control scenario, or a terminal that triggers hook detection (for example, through a preset key, a gesture or another preset triggering manner), which is not limited in the present application. Risk control scenarios may include login scenarios, transaction scenarios, APP offer pickup scenarios, and so on.
The target function may be any API function. In the present application, the detection device may perform hook detection on all functions in the terminal, for example all API functions; or it may perform hook detection on only some specified functions in the terminal, such as functions in a preset function list or functions that are prone to being hooked, so as to reduce the detection overhead of the device and improve hook detection efficiency. A specified function is typically a function for information required by a particular demand or risk control scenario. For example, the specified function may be a positioning function, that is, a function corresponding to positioning information: to prevent falsified positioning in taxi-hailing software, hook detection may be performed on the positioning function, such as a GPS function. For another example, the specified function may be a function for the device ID: to obtain the real device ID of the device, hook detection may be performed on the function that obtains the device ID. For another example, the specified function may be a function for terminal environment information: to determine whether the target terminal is running in a simulator environment, hook detection may be performed on the functions for the target terminal's environment information, such as battery information, Wi-Fi information, 4G network base station information, the installed App list, address book content, power-on time, and the like, which are not listed one by one here.
Optionally, before obtaining the flag value of the target function in the target terminal, that is, of the function on which hook detection is to be performed, the detection device may further detect whether an Xposed plug-in is installed in the target terminal (that is, whether the Xposed framework is deployed), and obtain the flag value of the target function only when it determines that the Xposed plug-in is installed. Hook detection in a specific environment can thereby be realized, the reliability of hook detection is improved, and the device overhead is reduced.
102. Determining whether the target function is hooked according to the flag value.
The flag value may be used to mark a state of the target function. The state may be whether the target function has been tampered with, or may be a read-write state, a blocking or non-blocking state, a state of exiting a process or a program, and/or a state of changing the contents of a file, and so on, so that whether the target function is hooked can be determined according to the flag value. Specifically, each function has a corresponding flag, which is a variable; when a function is tampered with, the flag corresponding to that function changes. The detection device may therefore determine whether a function is hooked by detecting whether its flag has changed. For example, the obtained flag value (or the flag value processed according to the preset logical algorithm) may be compared with a default value (the fixed value when the function is not tampered with); if the value has changed, that is, it differs from the default value, the function is hooked, meaning the device information corresponding to the function has been tampered with. The flag value may be stored in the memory corresponding to the target function.
103. When the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from the memory of the target function.
The function pointer and the hooked function are stored in different fields of the same memory, and a mapping relationship exists between different function pointers and the original functions, or between different function pointers and the storage addresses of the original functions.
Optionally, after determining that the target function is hooked, the detection device may further restore the hooked target function, so as to determine the real device information corresponding to the target function. Specifically, after a function is determined to be hooked, the function pointer corresponding to it, that is, the target function pointer mentioned above, can be quickly obtained from the memory, so that the original function corresponding to the target function, that is, the native API, the real function that is not hooked, can be determined according to the target function pointer.
104. Determining an original function corresponding to the target function pointer according to the pre-stored correspondence between each function pointer and a function, and replacing the target function with the original function.
After the target function pointer in the memory corresponding to the target function is determined, the original function, i.e. the real Method, corresponding to the target function pointer can be further determined. The target function can then be replaced by the original function, so that the hooked function is restored. The detection device can determine the real device information of the target terminal through the original function, so as to control the operation of the target terminal based on the real device information, for example, instructing the target terminal to output a prompt requiring the user to input verification information, or forbidding all access requests of the user in the corresponding risk control scenario, and the like, which are not listed one by one here.
It should be understood that the original function pointer stored in the memory is not tampered with: according to the working principle of the Xposed plug-in, before the target function is tampered with, the original information of the function is backed up and stored at a specific address in the memory, that is, the address pointed to by the target function pointer. If the backup information were also tampered with, the Xposed plug-in would not work properly. Therefore, the original function acquired at the specific address pointed to by the target function pointer must be the correct function, and the correct function cannot be tampered with.
In the embodiment of the invention, the detection device can acquire the flag value of a function in the terminal and determine whether the function is hooked according to the flag value. When the function is determined to be hooked, the device can obtain the function pointer corresponding to the function, determine the real original function according to the function pointer, and replace the hooked function with it. False alarms of hook behavior can thereby be avoided, the accuracy of hook detection is improved, and the security of the terminal can be improved by restoring the real function.
Referring to fig. 2, fig. 2 is a schematic flow chart of another method for detecting a function hook according to an embodiment of the present invention. Specifically, as shown in fig. 2, the method for detecting a function hook may include the following steps:
201. and acquiring the current equipment information of the target terminal.
Optionally, the current device information may include one or more of device information such as a model, a brand, a system version, and wind control scenario information of the target terminal. The wind control scene information may include a wind control scene identifier and/or scene description information, and the like, which are used to indicate a wind control scene where the terminal is located. For example, the wind control scenario identifier may include a login identifier, a transaction identifier, and the like; for another example, the scene description information may include description information that the terminal is in a login state, description information that the terminal is in a transaction state, and the like, which are not listed here.
202. And determining a function list corresponding to the current equipment information according to the preset corresponding relation between different equipment information and the function list.
The device information corresponds to the current device information, and may include one or more of the model, brand, system version, and wind control scene information of the terminal. Each function list comprises at least one function with higher frequency of the hook under the corresponding device information, such as top M (M is an integer greater than 0, for example, 8) functions with highest frequency of the hook, or a function with frequency of the hook greater than a preset frequency threshold; and/or, functions with more times of being hooked under the corresponding device information are included, for example, the top N (N is an integer greater than 0, for example, 10) functions with the most times of being hooked, or functions with more times of being hooked than a preset number threshold, and so on.
203. And acquiring a flag value of a target function in the target terminal, wherein the target function is a function in a function list corresponding to the current equipment information.
Specifically, the hook functions in the history record may be grouped in advance according to different device information, a function group corresponding to each group of device information is determined, and a plurality of function lists are obtained by presetting the function group according to the function group, that is, each function list includes a function group corresponding to a group of device information, so as to preset corresponding relationships between different device information and the function lists. Furthermore, after the function list corresponding to the detection device can be found according to the current device information, hook detection is carried out on the functions in the function list without carrying out hook detection on all the functions in the terminal, so that the hook detection efficiency is improved, and the device overhead is reduced.
For example, the device information is a system version of the terminal, and a plurality of function lists corresponding to different system versions are configured in advance. When the detection device performs hook detection on the target terminal, the function list corresponding to the current system version can be found out by acquiring the current system version of the target terminal, and the function in the function list is the function that needs to perform the hook function.
For another example, the device information is wind control scene information of the terminal, and a plurality of function lists corresponding to different wind control scene information are configured in advance. When the detection device performs hook detection on the target terminal, the function list corresponding to the current wind control scene information can be further found out by acquiring the current wind control scene information of the target terminal, and the function in the function list is a function which needs to perform a hook function.
For another example, the device information is the model of the terminal and the wind control scene information, and a plurality of function lists corresponding to different models and wind control scene information are configured in advance. When the detection device performs hook detection on the target terminal, the function list corresponding to the model of the target terminal and the current wind control scene information can be found by acquiring the model of the target terminal and the current wind control scene information, and the function in the function list is a function which needs to perform a hook function.
204. And determining whether the target function is hook according to the flag value.
Optionally, when determining whether the target function is hook according to the flag value, the detection device may compare a character at a preset position in the flag value with a preset fixed character; and when the character at the preset position is different from the fixed character through comparison, determining that the target function is hook. The number of characters of the characters at the preset position is the same as that of the fixed characters, so that matching and comparison are facilitated. That is, the change in the value of the flag may mean that one or more bits of the flag are changed, and the one or more bits may mean one or more bits at a preset position of the flag. Therefore, the detection device can compare one or more bits of the obtained flag value at the preset position with the fixed character when the function is not tampered, and if the one or more bits of the flag value are changed, namely the one or more bits of the flag value are different from the fixed character, the function is indicated to be tampered, namely the device information corresponding to the function is tampered.
For example, for a system with an Android version of 4.4 or more and 5.0 or less or other systems, when some Xposed plug-ins hook a certain function, 1 bit (bit) at a fixed position of a flag value of the function is set to be 1; while for a function that is not normally tampered with, this bit of the flag value is 0 (i.e., the fixed character described above). Therefore, it can be known whether the function is hook by the Xposed plug-in by checking whether the fixed bit of the flag value of the function is 0. That is, if the fixed bit of the flag value of the function is not 0, it indicates that the function is hook and the function is tampered.
Optionally, when determining whether the target function is hook according to the flag value, the detection device may further perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and a jump address when a native function in the system is executed; when the operation result value is a positive integer, it is determined that the objective function is hook. That is, the flag processed value may be compared with a fixed character such as 0 when the flag is not tampered with according to a preset logic algorithm, and if the processed value is changed, that is, is not 0, for example, a positive integer, the function is hook.
For example, on a system whose Android version is 5.0 or above, or on other systems, if the result of a logical algorithm such as the logical formula EntryPointFromJni && AccessFlags & 0x10000000 is a positive integer, this may indicate that the function has been tampered with; if the result of the logical operation is 0 (i.e., the fixed character), this may indicate that the function has not been tampered with. Here EntryPointFromJni may refer to the jump address used when a native function is executed, and AccessFlags is the flag.
Further optionally, before determining whether the target function is hooked according to the flag value, the detection device may determine the system version currently used by the target terminal and select, according to that system version, the manner of determining whether the target function is hooked according to the flag value, so as to improve the efficiency of hook detection. The correspondence between system versions and hook detection manners can be preset. For example, on a system whose Android version is 4.4 or above and 5.0 or below, the detection device may perform hook detection by comparing the character at the preset position in the flag value with the preset fixed character; on a system whose Android version is 5.0 or above, the detection device may perform hook detection after performing the logical operation on the flag value according to the preset logical algorithm. Alternatively, the detection device may apply both hook detection manners to the function and determine that the function is hooked when the condition of either manner is satisfied.
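The two flag checks and the version-based selection described above can be written as follows. This is an added example, not code from the patent: the struct, the function names, the sample values and the bit position used for the 4.4 to 5.0 check are assumptions (the text gives no position); only the formula and the 0x10000000 mask come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mask taken from the formula in the text (Android 5.0 and above). */
#define FORMULA_MASK 0x10000000u
/* ASSUMPTION: the text says only "1 bit at a fixed position" and gives no
 * position, so this mask is a placeholder to be replaced per platform. */
#define PRESET_BIT_MASK_PLACEHOLDER 0x00000100u

/* Hypothetical snapshot of the two per-function values the text refers to. */
struct func_snapshot {
    const char *name;               /* label only */
    uint32_t access_flags;          /* the flag value (AccessFlags) */
    uintptr_t entry_point_from_jni; /* jump address for native execution */
};

enum detect_mode { MODE_FIXED_BIT, MODE_FORMULA, MODE_EITHER };

/* Mode 1: the bit at the preset position must equal the fixed value 0. */
static bool fixed_bit_changed(const struct func_snapshot *f)
{
    return (f->access_flags & PRESET_BIT_MASK_PLACEHOLDER) != 0;
}

/* Mode 2: EntryPointFromJni && AccessFlags & 0x10000000.
 * In C, & binds tighter than &&, so the parentheses only make the
 * grouping explicit. The result is 0 (not hooked) or 1 (hooked). */
static int formula_result(const struct func_snapshot *f)
{
    return f->entry_point_from_jni && (f->access_flags & FORMULA_MASK);
}

/* Preset correspondence between system version and detection mode.
 * ASSUMPTION: the text assigns 5.0 to both ranges; here 5.0 uses the
 * formula, and versions without a preset entry fall back to running both. */
static enum detect_mode select_mode(int major, int minor)
{
    if (major >= 5)
        return MODE_FORMULA;
    if (major == 4 && minor >= 4)
        return MODE_FIXED_BIT;
    return MODE_EITHER;
}

static bool is_hooked(const struct func_snapshot *f, enum detect_mode mode)
{
    switch (mode) {
    case MODE_FIXED_BIT: return fixed_bit_changed(f);
    case MODE_FORMULA:   return formula_result(f) > 0;
    default:             return fixed_bit_changed(f) || formula_result(f) > 0;
    }
}

/* Checks every target function; writes the indexes of hooked ones to out. */
static size_t scan_targets(const struct func_snapshot *list, size_t n,
                           int major, int minor, size_t *out)
{
    enum detect_mode mode = select_mode(major, minor);
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_hooked(&list[i], mode))
            out[hits++] = i;
    return hits;
}

/* Constructed sample values, not captured from a device. */
static const struct func_snapshot SAMPLES[] = {
    { "getDeviceId",          0x10000001u, 0x7f001000u }, /* formula hit */
    { "getLastKnownLocation", 0x00000001u, 0 },           /* clean */
    { "getMacAddress",        0x00000101u, 0 },           /* fixed-bit hit */
    { "getSubscriberId",      0x10000001u, 0 },           /* bit set, no jump address */
};

int main(void)
{
    size_t out[4];
    size_t n = scan_targets(SAMPLES, 4, 6, 0, out);
    for (size_t i = 0; i < n; i++)
        printf("hooked: %s\n", SAMPLES[out[i]].name);
    return 0;
}
```

The last sample shows why the formula is an AND of both operands: the mask bit alone, without a non-zero jump address, evaluates to 0 and is not reported.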
205. When the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from the memory of the target function.
206. Determining the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and replacing the target function with the original function.
Specifically, please refer to the related description in the embodiment shown in fig. 1 for the description of the steps 205-206, which is not repeated herein.
207. Determining a target risk level of a target terminal, determining a control strategy corresponding to the target risk level according to the preset corresponding relation between different risk levels and the control strategy, and controlling the operation of the target terminal according to the determined control strategy.
In some optional embodiments, after the real information is obtained through the original function, the risk level of the tampered function can be identified by combining it with the risk-control rules, and different control policies can then be adopted for different risk levels.
Optionally, after the original function is used to replace the target function, the detection device may obtain the device information corresponding to the original function, determine the priority of that device information, and determine from the priority the target risk level of the hooked target function. It then determines the control policy corresponding to the target risk level according to a preset correspondence between risk levels and control policies, and controls the operation of the target terminal according to the determined control policy. That is, the priority (importance level) of each item of device information, the risk level corresponding to each priority, and the control policy corresponding to each risk level can all be preset, where the higher the priority of the device information, the higher the risk level. The detection device can therefore determine the control policy for the target terminal according to the priority of the tampered device information, which gives high flexibility.
Optionally, the detection device may also count the number of hooked functions on the target terminal within a preset time range, determine the target risk level of the target terminal according to that number, determine the control policy corresponding to the target risk level according to the preset correspondence between risk levels and control policies, and control the operation of the target terminal according to the determined control policy. That is, the risk level may also be determined according to the number of functions hooked on the terminal within the preset time range: the greater the number of hooked functions, the higher the risk level. Alternatively, the risk level may be determined according to the number of times a function is hooked within the preset time range: the more times the function is hooked within that range, the higher the risk level. The detection device can therefore determine the control policy for the target terminal according to the number of hooked functions or the number of times a function is hooked, which gives high flexibility.
For example, the risk levels may be classified as low risk, medium risk and high risk, or as primary, secondary, tertiary and so on. The present application does not limit how risk levels are divided and determined. The control policies may include: instructing the terminal to output a prompt asking the user to input authentication information (when the risk level is low, such as in a low-risk scenario); instructing the terminal to prohibit the access operations requested by the user in specific risk-control scenarios, such as login, claiming in-app benefits (for example receiving red envelopes or redeeming coupons), or transactions (for example payments and transfers) (when the risk level is higher, such as in a medium-risk scenario); instructing the terminal to prohibit all access operations requested by the user (when the risk level is high, such as in a high-risk scenario); and so on, which are not listed exhaustively here.
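The mapping from hook events to a risk level and then to a control policy can be sketched as follows. This is an added example, not code from the patent: the window length, the count thresholds, the priority scale of 1 to 3, the rule of taking the higher of the two levels, and the behavior of medium risk outside a risk-control scenario are assumptions; the three policies themselves follow the text.

```c
#include <stddef.h>
#include <stdio.h>

enum risk { RISK_NONE, RISK_LOW, RISK_MEDIUM, RISK_HIGH };
enum action { ACT_ALLOW, ACT_REQUIRE_AUTH, ACT_DENY };

/* One detected hook: when, which function, and the preset priority of the
 * device information that function returns (ASSUMPTION: scale 1..3). */
struct hook_event {
    long ts;       /* seconds */
    int func_id;
    int priority;
};

/* ASSUMPTION: preset time range and count thresholds are illustrative. */
#define WINDOW_SECONDS 3600L
#define COUNT_MEDIUM 2
#define COUNT_HIGH 4

static int in_window(const struct hook_event *e, long now)
{
    return e->ts <= now && now - e->ts < WINDOW_SECONDS;
}

/* Number of distinct hooked functions inside the preset time range;
 * repeated hooks of the same function count once. */
static size_t distinct_hooked(const struct hook_event *ev, size_t n, long now)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        if (!in_window(&ev[i], now))
            continue;
        for (size_t j = 0; j < i && !seen; j++)
            seen = in_window(&ev[j], now) && ev[j].func_id == ev[i].func_id;
        if (!seen)
            count++;
    }
    return count;
}

/* More hooked functions in the window means a higher risk level. */
static enum risk risk_from_count(size_t count)
{
    if (count == 0) return RISK_NONE;
    if (count >= COUNT_HIGH) return RISK_HIGH;
    if (count >= COUNT_MEDIUM) return RISK_MEDIUM;
    return RISK_LOW;
}

/* Higher priority of the tampered device information means higher risk. */
static enum risk risk_from_priority(const struct hook_event *ev, size_t n, long now)
{
    int top = 0;
    for (size_t i = 0; i < n; i++)
        if (in_window(&ev[i], now) && ev[i].priority > top)
            top = ev[i].priority;
    if (top >= 3) return RISK_HIGH;
    if (top == 2) return RISK_MEDIUM;
    return top == 1 ? RISK_LOW : RISK_NONE;
}

/* ASSUMPTION: the text offers the two criteria as alternatives; this
 * example applies both and keeps the higher level. */
static enum risk target_risk(const struct hook_event *ev, size_t n, long now)
{
    enum risk a = risk_from_count(distinct_hooked(ev, n, now));
    enum risk b = risk_from_priority(ev, n, now);
    return a > b ? a : b;
}

/* Preset correspondence between risk level and control policy.
 * in_risk_scenario: login, claiming benefits, transactions. */
static enum action control_action(enum risk level, int in_risk_scenario)
{
    switch (level) {
    case RISK_HIGH:   return ACT_DENY;
    case RISK_MEDIUM: return in_risk_scenario ? ACT_DENY : ACT_REQUIRE_AUTH;
    case RISK_LOW:    return ACT_REQUIRE_AUTH;
    default:          return ACT_ALLOW;
    }
}

/* Constructed sample events. */
static const struct hook_event EVENTS[] = {
    { 9000, 1, 1 }, { 9500, 1, 1 }, { 9800, 2, 2 }, { 5000, 3, 3 },
};

int main(void)
{
    enum risk level = target_risk(EVENTS, 4, 10000);
    printf("risk=%d action=%d\n", level, control_action(level, 1));
    return 0;
}
```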
Malicious parties mainly harm the service provider of the App by tampering with device information. For example, many "wool-pulling" attackers (who farm promotional benefits) modify phone information through a hook framework, so that a few phones can simulate many forged phones, bypass the per-device limit on the number of claims, and claim and resell in bulk the promotional benefits offered by the service provider, such as spend-threshold discount coupons and phone-credit coupons. As a result, benefits originally intended for publicity and promotion are obtained by a few attackers and do not have their intended effect. With the function hook detection scheme described here, hook behavior on the terminal can be found in time and the real device information can be restored, which reduces the impact of the tampering.
For example, consider hooking the terminal's GPS information in a scenario that depends on the terminal's location. Suppose a driver using a ride-hailing APP fakes being near a hot spot in order to take orders (i.e., hooks the GPS to the hot spot); or does not actually drive but fabricates orders and fraudulently obtains subsidies by forging the travel path; or a user falsifies step-count information to fraudulently obtain activity rewards; and so on. With the hook detection method described above, tampering with the GPS function can be detected in time and the terminal's real GPS information restored. If the restored GPS information is found to be inconsistent, claiming the reward can be prohibited or an already claimed reward can be cancelled, and similar operations can even be prohibited in time.
As another example, consider the scenario of hooking the device ID. To prevent malicious users from registering a large number of accounts and fabricating orders to claim activity benefits, some APPs identify unique devices by device ID and allow each phone to participate in an activity only once. By modifying the device ID through a hook, a phone can be disguised as other phones without actually being replaced, and benefits can be obtained many times. With the hook detection method described above, it can be detected in time that the device ID function is hooked and the device ID tampered with, and the operation can be prohibited in time after the real device ID is restored. For example, after a user logs in to an APP with a certain account to claim a benefit repeatedly, and the detection device recognizes that the device ID has been tampered with and obtains the real device ID, both the real device ID and the login account may be returned to the server and compared with existing data (including device IDs, login accounts and the like), thereby identifying which accounts actually run on the same device (for example, devices with the same device ID are the same device). The activity benefits obtained by these accounts can then be cancelled, their withdrawal requests can be reviewed manually, or the batch of accounts can be banned, thereby controlling the operation of the device.
As another example, consider the scenario of hooking other environment information. Many APP risk-control rules currently take into account the environment in which the APP is running. For example, a normal user does not run the APP through an Android emulator on the terminal, and malicious users who use an emulator are usually prohibited from running the APP in the emulator environment. The system clearly indicates whether the terminal is a real device or an emulator, so a malicious user may target the system information; alternatively, the user may hook Wi-Fi information, since the Wi-Fi information seen on a normal terminal also differs from that seen in an emulator. Through such tampering, the operating environment of the APP can be disguised, making it difficult to tell normal users from potentially malicious ones. With the hook detection method described above, tampering with the operating environment can be detected in time and the real operating environment restored, so that the corresponding operations can be found and prohibited in time, for example by prohibiting the APP from running or prohibiting all access requests on the APP.
Further optionally, the detection device may send the hook-modified function and the real original function to the server, or may send the return value of the original function and the return value of the hook-modified target function to the server, to help business risk-control staff assess the device risk. The detection device or the server may also store the (return value of the) hooked function in association with the (return value of the) original function, so that the hooked function can later be located quickly and the correct original function retrieved quickly from the association, which improves the efficiency of function restoration.
In the embodiment of the invention, by acquiring the current device information of the target terminal, the detection device can perform hook detection on the preset functions in the function list corresponding to the current device information without performing hook detection on all functions in the target terminal, which improves the efficiency of hook detection and saves device overhead. The detection device then obtains the flag value of each function and determines from it whether the function is hooked; when a function is determined to be hooked, the device obtains the function pointer corresponding to the function to quickly determine and restore the real original function. This avoids false alarms of hook behavior, improves the accuracy of hook detection, and improves the security of the terminal by restoring the real function.
Referring to fig. 3, fig. 3 is a schematic flow chart of another method for detecting a function hook according to an embodiment of the present invention. Specifically, as shown in fig. 3, the method for detecting a function hook may include the following steps:
301. Establishing a function detection model according to statistics on the functions hooked under different device information in historical data.
Optionally, the device information may include one or more of a device model, a brand, a system version, and risk-control scenario information.
Specifically, the detection device may collect in advance the functions that were hooked in the historical records, group them according to the device information of the terminal corresponding to each hooked function, and determine the function group corresponding to each set of device information. The function detection model is then obtained by training with the different device information as input and the functions in the corresponding function group as output. In this way, the function detection model can be established by big-data analysis of the functions hooked on terminals of different models, brands, systems and risk-control scenarios, and the target function requiring hook detection can subsequently be obtained by inputting device information into the function detection model.
302. Acquiring current device information of the target terminal, and inputting the current device information into the function detection model to obtain the target function on which hook detection needs to be performed.
After the function detection model has been established, when hook detection needs to be performed on a terminal, the current device information of the terminal, such as its model, brand, current system version and current risk-control scenario information, can be obtained and input into the function detection model to obtain the target function in the terminal. This improves hook detection efficiency, makes detection well targeted, and saves device overhead.
Optionally, the detection device may obtain different device information according to different detection scenarios, for example, when the target terminal runs different types of APPs, and obtain the target function corresponding to the device information according to the function detection model, so as to further improve efficiency and reliability of hook detection.
For example, when it is detected that the target terminal is running an APP that requires risk control, the detection device may obtain the current risk-control scenario information of the target terminal and input it into the function detection model, so as to obtain the target function corresponding to the current risk-control scenario information for hook detection. The APPs that require risk control can be labeled in advance, for example by presetting an application list of such APPs and determining whether the running APP requires risk control by checking whether it is in the application list. Further, the current risk-control scenario information may be information about a risk-control scenario within that APP.
As another example, when it is detected that the target terminal is running a ride-hailing APP, the detection device may obtain the model and the system version of the target terminal and input the model and the current system version into the function detection model, so as to obtain the target function corresponding to the model and the current system version for hook detection.
303. Acquiring a flag value of the target function.
304. Determining whether the target function is hooked according to the flag value.
305. When the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from the memory of the target function.
306. Determining the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and replacing the target function with the original function.
307. Determining a target risk level of a target terminal, determining a control strategy corresponding to the target risk level according to the preset corresponding relation between different risk levels and the control strategy, and controlling the operation of the target terminal according to the determined control strategy.
Specifically, please refer to the related descriptions of steps 204-207 in the embodiment shown in fig. 2 for the descriptions of steps 304-307, which are not repeated herein.
In the embodiment of the invention, the detection device can establish the function detection model from statistics on the functions hooked under different device information in historical data. When performing hook detection, it obtains the current device information of the target terminal, inputs it into the function detection model, and performs hook detection only on the target functions that the model outputs, without performing hook detection on all functions in the target terminal, which improves the efficiency of hook detection and saves device overhead. The detection device then obtains the flag value of each function and determines from it whether the function is hooked; when a function is determined to be hooked, the device obtains the function pointer corresponding to the function to quickly determine and restore the real original function. This avoids false alarms of hook behavior, improves the accuracy of hook detection, and improves the security of the terminal by restoring the real function.
The above method embodiments are all illustrations of the function hook detection method in the present application, and descriptions of various embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a detection apparatus according to an embodiment of the present invention. The detection apparatus of the embodiment of the invention comprises units for executing the function hook detection method. Specifically, the detection apparatus 400 of the present embodiment may include an obtaining unit 401 and a processing unit 402, where:
the obtaining unit 401 is configured to obtain a flag value of a target function in the target terminal, where the flag value is used to mark a state of the target function;
the processing unit 402 is configured to determine whether the target function is hooked according to the flag value;
the obtaining unit 401 is further configured to obtain, when it is determined that the target function is hooked, a target function pointer corresponding to the target function from a memory of the target function;
the processing unit 402 is further configured to determine an original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and replace the target function with the original function.
Optionally, the obtaining unit 401 may obtain the flag value of the target function in the target terminal when detecting that the target terminal is installed with the Xposed plug-in, which is not described herein again.
Optionally, the obtaining unit 401 is further configured to obtain current device information of the target terminal, where the current device information includes one or more of a model, a system version, and risk-control scenario information of the target terminal;
the processing unit 402 is further configured to determine a function list corresponding to the current device information according to a preset correspondence between different device information and function lists, and take a function in the function list corresponding to the current device information as the target function.
Each function list may include functions whose frequency of being hooked under the corresponding device information is greater than a preset frequency threshold and/or functions whose number of times of being hooked under the corresponding device information is greater than a preset number threshold.
Optionally, the detection apparatus further includes: a model establishing unit 403;
the model establishing unit 403 is configured to establish a function detection model according to statistics on the functions hooked under different device information in historical data, where the device information includes one or more of a device model, a system version, and risk-control scenario information;
the obtaining unit 401 is further configured to obtain current device information of the target terminal, and input the current device information into the function detection model to obtain the target function.
Optionally, the processing unit 402 is specifically configured to compare the character at a preset position in the flag value with a preset fixed character, where the number of characters at the preset position is the same as the number of characters of the fixed character; and when the comparison shows that the character at the preset position differs from the fixed character, determine that the target function is hooked.
Optionally, the processing unit 402 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system is executed; and when the operation result value is a positive integer, determine that the target function is hooked.
Optionally, the processing unit 402 is further configured to obtain, according to the original function, the device information corresponding to the original function, and determine a priority of the device information; determine a target risk level of the hooked target function according to the priority of the device information; and determine a control policy corresponding to the target risk level according to a preset correspondence between risk levels and control policies, and control the operation of the target terminal according to the determined control policy.
Optionally, the processing unit 402 is further configured to count the number of functions hooked on the target terminal within a preset time range, and determine a target risk level of the target terminal according to the number; and determine a control policy corresponding to the target risk level according to the preset correspondence between risk levels and control policies, and control the operation of the target terminal according to the determined control policy.
Specifically, the detection apparatus may implement, through the above units, part or all of the steps in the method for detecting a function hook in the embodiment shown in fig. 1 to fig. 3. It should be understood that the embodiments of the present invention are device embodiments corresponding to method embodiments, and the description of the method embodiments also applies to the embodiments of the present invention.
In the embodiment of the invention, the detection device obtains the flag value of a function in the terminal on which hook detection needs to be performed and determines from the flag value whether the function is hooked. When the function is determined to be hooked, the device obtains the function pointer corresponding to the function, determines the real original function from the function pointer, and replaces the hooked function with it. This avoids false alarms of hook behavior, improves the accuracy of hook detection, and improves the security of the terminal by restoring the real function.
Referring to fig. 5, fig. 5 is a schematic structural diagram of another detecting apparatus according to an embodiment of the present invention. The detection device is used for executing the method. As shown in fig. 5, the detection apparatus 500 in the present embodiment may include: one or more processors 501 and memory 502. Optionally, the detection device may also include one or more user interfaces 503, and/or one or more communication interfaces 504. The processor 501, user interface 503, communication interface 504, and memory 502 described above may be connected by a bus 505, which is illustrated in fig. 5, or may be connected in other ways. Wherein the memory 502 is adapted to store a computer program comprising program instructions and the processor 501 is adapted to execute the program instructions stored by the memory 502.
The processor 501 can be used to call the program instructions to execute the following steps: when an Xposed plug-in is installed on a target terminal, acquiring a flag value of a target function in the target terminal, where the flag value is used to mark the state of the target function; determining whether the target function is hooked according to the flag value; when the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from the memory of the target function; and determining the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and replacing the target function with the original function.
Optionally, the processor 501 may also call the program instructions to perform the following steps: acquiring current device information of the target terminal, where the current device information includes one or more of the model, the system version and the risk-control scenario information of the target terminal; determining a function list corresponding to the current device information according to a preset correspondence between different device information and function lists, where each function list includes functions whose frequency of being hooked under the corresponding device information is greater than a preset frequency threshold and/or functions whose number of times of being hooked under the corresponding device information is greater than a preset number threshold; and taking a function in the function list corresponding to the current device information as the target function.
Optionally, the processor 501 may also call the program instructions to perform the following steps: establishing a function detection model according to statistics on the functions hooked under different device information in historical data, where the device information includes one or more of device model, system version and risk-control scenario information; and acquiring current device information of the target terminal, and inputting the current device information into the function detection model to obtain the target function.
Optionally, when the processor 501 calls the program instructions to determine whether the target function is hooked according to the flag value, the following steps are specifically executed: comparing the character at a preset position in the flag value with a preset fixed character, where the number of characters at the preset position is the same as the number of characters of the fixed character; and when the comparison shows that the character at the preset position differs from the fixed character, determining that the target function is hooked.
Optionally, when the processor 501 calls the program instructions to determine whether the target function is hooked according to the flag value, the following steps are specifically executed: performing a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system is executed; and when the operation result value is a positive integer, determining that the target function is hooked.
Optionally, after calling the program instructions to replace the target function with the original function, the processor 501 may further perform the following steps: acquiring, according to the original function, the device information corresponding to the original function, and determining the priority of the device information; determining a target risk level of the hooked target function according to the priority of the device information; and determining a control policy corresponding to the target risk level according to the preset correspondence between risk levels and control policies, and controlling the operation of the target terminal according to the determined control policy.
Optionally, the processor 501 may also call the program instructions to perform the following steps: counting the number of functions hooked on the target terminal within a preset time range, and determining the target risk level of the target terminal according to the number; and determining a control policy corresponding to the target risk level according to the preset correspondence between risk levels and control policies, and controlling the operation of the target terminal according to the determined control policy.
The processor 501 may be a Central Processing Unit (CPU), or may be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The user interface 503 may include input devices, which may include a touch pad, a microphone, etc., and output devices, which may include a display (LCD, etc.), speakers, etc.
The communication interface 504 may include a receiver and a transmitter for communicating with other devices.
Memory 502 may include both read-only memory and random-access memory, and provides instructions and data to processor 501. A portion of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store the above-described correspondence between function pointers and functions, and the like.
In specific implementation, the processor 501 and the like described in the embodiments of the present invention may perform the implementation described in the method embodiments shown in fig. 1 to fig. 3, and may also perform the implementation of each unit described in fig. 4 in the embodiments of the present invention, which is not described herein again.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when executed by a processor, the computer program may implement part or all of the steps in the function hook detection method described in the embodiment corresponding to fig. 1 to 3, or may implement the functions of the detection device in the embodiment shown in fig. 4 or 5 of the present invention, which is not described herein again.
Embodiments of the present invention also provide a computer program product including instructions, which when executed on a computer, cause the computer to perform some or all of the steps of the above method.
The computer readable storage medium may be an internal storage unit of the detection apparatus according to any of the foregoing embodiments, for example, a hard disk or a memory of the detection apparatus. The computer readable storage medium may also be an external storage device of the detection device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, provided on the detection device.
In this application, the term "and/or" merely describes an association relationship between associated objects and means that three relationships are possible; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. In addition, the character "/" herein generally indicates that the objects before and after it are in an "or" relationship.
In the embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
The above description is only a part of the embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.

Claims (8)

1. A method for detecting a function hook is characterized by comprising the following steps:
grouping in advance the hooked functions in history records according to different equipment information, determining the function group corresponding to each group of equipment information, obtaining a plurality of function lists according to the preset function groups, and presetting the correspondence between the different equipment information and the function lists; each function list comprises the function group corresponding to one group of equipment information; the different equipment information comprises the system version, model and risk control scenario information of the terminal, and the function lists comprise a plurality of function lists corresponding to different system versions and a plurality of function lists corresponding to different models and risk control scenario information;
when an Xpos plug-in is detected to be installed on a target terminal, a flag value of a target function in the target terminal is obtained, wherein the flag value is used for marking the state of the target function; the target function is a function in a function list corresponding to the current equipment information of the target terminal;
determining whether the target function is hooked according to the flag value;
when the target function is confirmed to be hooked, acquiring a target function pointer corresponding to the target function from a memory of the target function;
determining an original function corresponding to the target function pointer according to the corresponding relation between each function pointer and the function stored in advance, and replacing the target function with the original function;
the method further comprises the following steps: determining the system version currently used by the target terminal, and selecting, according to the system version of the target terminal, a mode of determining from the flag value whether the target function is hooked, wherein the modes comprise:
comparing characters at preset positions in the flag value with preset fixed characters, wherein the number of the characters at the preset positions is the same as that of the fixed characters; when the comparison shows that the characters at the preset positions are different from the fixed characters, determining that the target function is hooked; or,
performing a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in a system is executed; and when the operation result value is a positive integer, determining that the target function is hooked.
2. The method of claim 1, further comprising:
acquiring current equipment information of the target terminal, wherein the current equipment information comprises one or more of the model, the system version and the risk control scenario information of the target terminal;
determining a function list corresponding to the current equipment information according to a preset corresponding relationship between the equipment information and the function list, wherein each function list comprises a function of which the hook frequency is greater than a preset frequency threshold value and/or a function of which the hook frequency is greater than a preset number threshold value under the corresponding equipment information;
and taking a function in a function list corresponding to the current equipment information as the target function.
3. The method of claim 1, further comprising:
establishing a function detection model according to the functions hooked under different equipment information in the historical statistical data, wherein the equipment information comprises one or more of equipment model, system version and risk control scenario information;
and acquiring current equipment information of the target terminal, and inputting the current equipment information into the function detection model to obtain the target function.
4. The method of claim 1, wherein after said replacing the target function with the original function, the method further comprises:
acquiring equipment information corresponding to the original function according to the original function, and determining the priority of the equipment information;
determining, according to the priority of the equipment information, a target risk level of the target function being hooked;
and determining a control strategy corresponding to the target risk level according to the preset corresponding relation between different risk levels and the control strategy, and controlling the operation of the target terminal according to the determined control strategy.
5. The method of claim 1, further comprising:
counting the number of functions of the target terminal that are hooked within a preset time range, and determining the target risk level of the target terminal according to the number;
and determining a control strategy corresponding to the target risk level according to the preset corresponding relation between different risk levels and the control strategy, and controlling the operation of the target terminal according to the determined control strategy.
6. A detection device, characterized by comprising means for performing the method of any of claims 1-5.
7. A detection device, comprising a processor, a user interface, a communication interface and a memory, the processor, the user interface, the communication interface and the memory being interconnected, wherein the memory is configured to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-5.
8. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to carry out the method according to any one of claims 1-5.
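The flow recited in claims 1 and 5 (select the function list from the equipment information, evaluate each flag value in the mode chosen by system version, restore hooked functions through the pointer-to-function table, then map the hook count in a time window to a control strategy), as an added example that is not part of the patent. The function names, flag layout, mask, version split, thresholds and strategy names are all constructed assumptions.

```python
from dataclasses import dataclass, field

# All values are constructed for illustration (assumptions, not from the patent):
# versions, flag layout, mask, thresholds, strategy names, function names.
FUNCTION_LISTS = {  # equipment info (version, model, scenario) -> functions to check
    ("4.4", "model-a", "login"): ["getDeviceId", "getMacAddress"],
    ("8.0", "model-b", "payment"): ["getDeviceId", "getLastLocation", "getSubscriberId"],
}
COMPARE_VERSIONS = {"4.4"}        # versions checked by character comparison
PRESET_POS, FIXED_CHARS = slice(0, 2), "00"
HOOK_MASK = 0x0100                # bit tested by the logical-operation mode
RISK_THRESHOLDS = [(3, "high"), (2, "medium"), (1, "low")]  # min count -> level
CONTROL_STRATEGY = {"none": "allow", "low": "log_only",
                    "medium": "step_up_auth", "high": "block"}

@dataclass
class Terminal:
    device_info: tuple
    flags: dict      # function name -> flag value as a hex string
    pointers: dict   # function name -> function pointer read from memory
    impl: dict = field(default_factory=dict)        # function name -> bound code
    hook_times: list = field(default_factory=list)  # timestamps of detections

def is_hooked(flag: str, version: str) -> bool:
    """Select the check by system version, then evaluate the flag value."""
    if version in COMPARE_VERSIONS:
        # Mode 1: characters at the preset position must match the fixed ones.
        return flag[PRESET_POS] != FIXED_CHARS
    # Mode 2: logical operation on the flag; a positive result means hooked.
    return (int(flag, 16) & HOOK_MASK) > 0

def scan(term: Terminal, originals: dict, now: float) -> list:
    """Check the target functions for this terminal; restore any hooked ones."""
    restored = []
    for name in FUNCTION_LISTS.get(term.device_info, []):
        if not is_hooked(term.flags[name], term.device_info[0]):
            continue
        term.hook_times.append(now)
        original = originals.get(term.pointers[name])  # pointer -> original
        if original is not None:
            term.impl[name] = original                 # replace hooked function
            restored.append(name)
    return restored

def control_strategy(term: Terminal, now: float, window: float = 3600.0) -> str:
    """Count detections inside the time window and map risk level to strategy."""
    count = sum(1 for t in term.hook_times if 0 <= now - t <= window)
    level = next((lvl for n, lvl in RISK_THRESHOLDS if count >= n), "none")
    return CONTROL_STRATEGY[level]
```

A hooked function whose pointer has no entry in the stored table is still counted toward the risk level but cannot be restored, which is the case worth alerting on separately.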
CN201810841834.3A 2018-07-27 2018-07-27 Function hook detection method, detection equipment and computer readable medium Active CN109145590B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810841834.3A CN109145590B (en) 2018-07-27 2018-07-27 Function hook detection method, detection equipment and computer readable medium
PCT/CN2018/107745 WO2020019482A1 (en) 2018-07-27 2018-09-26 Function hook detection method, function hook detection device, and computer-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810841834.3A CN109145590B (en) 2018-07-27 2018-07-27 Function hook detection method, detection equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN109145590A CN109145590A (en) 2019-01-04
CN109145590B true CN109145590B (en) 2023-04-07

Family

ID=64799067

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810841834.3A Active CN109145590B (en) 2018-07-27 2018-07-27 Function hook detection method, detection equipment and computer readable medium

Country Status (2)

Country Link
CN (1) CN109145590B (en)
WO (1) WO2020019482A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110532774A (en) * 2019-07-24 2019-12-03 阿里巴巴集团控股有限公司 Hook inspection method, device, server and readable storage medium storing program for executing
CN111309410B (en) * 2020-03-17 2023-06-30 北京奇艺世纪科技有限公司 Program object determining method and device
CN112434301A (en) * 2020-11-24 2021-03-02 平安普惠企业管理有限公司 Risk assessment method and device
CN112925693B (en) * 2021-02-25 2023-11-03 新疆北斗同创信息科技有限公司 System monitoring method, device, computer equipment and storage medium
CN113238946B (en) * 2021-05-18 2024-10-25 北京达佳互联信息技术有限公司 Method and device for detecting hook frame and electronic equipment
CN113590360A (en) * 2021-08-03 2021-11-02 北京博睿宏远数据科技股份有限公司 Method and device for realizing function hook, computer equipment and storage medium
CN114003906A (en) * 2021-11-01 2022-02-01 北京奇艺世纪科技有限公司 Application program risk detection method and device, storage medium and electronic equipment
CN113918935B (en) * 2021-12-15 2022-04-01 飞天诚信科技股份有限公司 Method and device for processing function when being hook

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104751052A (en) * 2013-12-30 2015-07-01 南京理工大学常熟研究院有限公司 Dynamic behavior analysis method for mobile intelligent terminal software based on support vector machine algorithm
CN106502876A (en) * 2016-10-26 2017-03-15 腾讯科技(深圳)有限公司 Method and relevant device that a kind of focus function determines
CN106997313A (en) * 2017-03-28 2017-08-01 腾讯科技(深圳)有限公司 A kind of signal processing method of application program, system and terminal device
CN107102944A (en) * 2017-04-07 2017-08-29 北京深思数盾科技股份有限公司 The analysis method and device of a kind of call function

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7318220B2 (en) * 2004-03-11 2008-01-08 International Business Machines Corporation System and method for measuring latch contention
CN101620658A (en) * 2009-07-14 2010-01-06 北京大学 Hook detecting method under Windows operation system
CN106096391B (en) * 2016-06-02 2019-05-03 珠海豹趣科技有限公司 A kind of course control method and user terminal
CN106325927B (en) * 2016-08-19 2019-12-17 北京金山安全管理系统技术有限公司 interception method and device applied to dynamic library API in linux system
CN107808096B (en) * 2017-11-23 2019-12-17 厦门安胜网络科技有限公司 method for detecting malicious codes injected during APK running, terminal equipment and storage medium

Also Published As

Publication number Publication date
WO2020019482A1 (en) 2020-01-30
CN109145590A (en) 2019-01-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant