CN107798240A - A kind of method and device for being used to monitor PC ends operation mobile device - Google Patents

A kind of method and device for being used to monitor PC ends operation mobile device Download PDF

Info

Publication number
CN107798240A
CN107798240A CN201610806113.XA CN201610806113A CN107798240A CN 107798240 A CN107798240 A CN 107798240A CN 201610806113 A CN201610806113 A CN 201610806113A CN 107798240 A CN107798240 A CN 107798240A
Authority
CN
China
Prior art keywords
thread
message
file
reading
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610806113.XA
Other languages
Chinese (zh)
Other versions
CN107798240B (en
Inventor
曾祥刚
乔伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Antian Information Technology Co Ltd
Original Assignee
Wuhan Antian Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Antian Information Technology Co Ltd filed Critical Wuhan Antian Information Technology Co Ltd
Priority to CN201610806113.XA priority Critical patent/CN107798240B/en
Publication of CN107798240A publication Critical patent/CN107798240A/en
Application granted granted Critical
Publication of CN107798240B publication Critical patent/CN107798240B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a kind of monitoring method for being used to monitor PC ends operation mobile device, the characteristics of make use of PC ends to be interacted when accessing mobile terminal using the adbd processes in ADB orders and android system, the operation of reading USB device file in mobile device end monitors all threads of adbd processes, to obtain the content of parameter of the operation, then content of parameter is combined into message, message is combined into ADB orders, to obtain the order sent when PC ends access mobile terminal, so as to reach the purpose of monitoring.This method is not influenceed by PC end ring border, easy to use, and monitoring effect is good.The invention also discloses a kind of supervising device for being used to monitor PC ends operation mobile device.

Description

A kind of method and device for being used to monitor PC ends operation mobile device
Technical field
The present invention relates to field of computer technology, more particularly to a kind of method for being used to monitor PC ends operation mobile device and Device.
Background technology
At present, PC ends are often connected to realize that PC ends are controlled mobile terminal by user with mobile terminal, such as peace of application Loading/unloading carries, system root etc..If PC ends have been infected malicious code, when the Malicious Code Detection at PC ends is to mobile terminal When being connected into PC ends, malicious code can connect the mobile terminals such as mobile phone automatically and carry out some malicious operations, such as obtain root power Limit, the application in unloading mobile terminal, malicious application, the file for obtaining mobile terminal and information etc. are installed automatically.Also, PC ends Generally by USB(USB)Mobile terminal is accessed, the mobile terminal for using android system, its Matter is to use ADB(Android Debug Bridge, Android debugging bridgers)The corresponding command of command-line tool.ADB is ordered Make row instrument be made up of 3 parts, do a little introductions to it below:
(1)ADB clients, the command-line tool run in PC ends, installation application, to obtain the operations such as file be by the life Row instrument is made to provide.
(2)ADB service ends, the service processes run in PC ends, management PC ends are directly connected with mobile phone and data interaction. The operation that ADB clients are initiated is sent to ADB service ends first, is then sent to mobile phone by ADB service ends.
(3)ADB mobile phone terminal processes, it is entitled adbd process in android system, receives and perform ADB clothes The instruction that business end is sent.The process is interacted by reading and writing the USB device file in android system with ADB service ends, adbd Process can open 2 threads to operate USB device file, be respectively used to read and write.
Adbd processes have specific message format, have document to enter in Android source code when being interacted with ADB service ends Row description.ADB orders can include a series of message, and every message contains message header and the part of message data 2 again, and this is The message of row is identified by same ID number(ID number is located in message header), and generally started by OPEN, CLOSE endings. Message header form is shown in Fig. 1, wherein each field is 4 byte-sizeds.Command is the mark of order.Arg0, Arg1 order for message The parameter of order, Arg0 are the ID number being mentioned herein.The message header of each OPEN orders has a new Arg0 value.Data_ Length is the length of message data behind message header.
Conventional ADB command operations have:
(1)Software, adb.exe install [options] abc.apk are installed
(2)Uninstall, adb.exe uninstall packageName
(3)File transmits, and comprising adb.exe push and adb.exe pull orders, push is that local file is transferred into mobile phone Middle specified path, pull are to locally by file copy in mobile phone.
(4)Order performs, adb.exe shell cmd [options].Android system be based on linux system, Adb can perform some Linux commands by shell parameters.File adb shell rm filepath are such as deleted, unloading is soft Part adb shell pm uninstall packageName, obtain system property adb shell getprop etc..
Although the existing antivirus software of mobile terminal and protection capacity of safety protection software can scan and analyze application program, can not The operation of ADB orders is analyzed, if so mobile terminal is connected into the PC ends for having infected malicious code, mobile end may be caused End is mounted malicious application, information leakage.This programme can monitor the operation of ADB orders on mobile terminals, if finding, malice is pacified The behavior of dress and malicious operation then can be prevented and alarmed, and ensure terminal security.
The content of the invention
It is an object of the invention to provide a kind of monitoring method and device for being used to monitor PC ends operation mobile device, its energy User is helped not influenceed in operation of the mobile terminal monitored PC ends to mobile terminal, the monitoring by PC end ring border directly, user Just, monitoring effect is good.
To achieve these goals, the invention discloses it is a kind of be used for monitor PC ends operation mobile device monitoring method, Comprise the following steps:
The thread number of all threads in acquisition for mobile terminal adbd processes and the adbd processes;
Each thread is monitored respectively according to all thread numbers of acquisition, finds out thread and the acquisition for wherein reading USB device file The current thread number for reading thread;
According to the reading file operation in the current thread number monitoring thread for reading thread, the content of parameter for reading file operation, institute are obtained Stating content of parameter includes message header or message data;
When the content of parameter of the first reading file operation monitored is message data, then preserve in all parameters of acquisition Hold;
All content of parameter of preservation are combined into corresponding message, wherein, a message header and a corresponding message data It can be combined to a piece of news;
Obtained message is combined into corresponding ADB orders, wherein, an ADB order includes at least one message, belongs to same The message of order possesses identical ID number, and the ID number is located in the message header;
Whether the ADB orders for judging to obtain according to default rule can produce malicious act.
Further, each thread is monitored according to the default time and finds the corresponding behaviour for reading USB device file Make, if not found within the period, monitor next thread immediately.
Further, after finding out whole thread numbers, each thread is monitored one by one, if current thread, which performs, reads text Part operates, and the thread number for being USB device file, then obtaining current thread that first parameter is pointed to.
Further, can again after terminal does not connect USB or searches the thread failure for reading USB device file Whole thread numbers are obtained, and search whether to read the thread of USB device file.
Further, if judging, ADB orders can produce malicious act, change current ADB orders, resistance malicious act Occur.
Further, if judging, ADB orders can produce malicious act, produce user's alarm.
To achieve these goals, the invention also discloses a kind of monitoring dress for being used to monitor PC ends operation mobile device Put, in mobile terminal, the supervising device includes guarding module, monitoring module, detection module, wherein:
When PC ends access mobile terminal, the module of guarding is used to obtain all threads in adbd processes and the adbd processes Thread number;Each thread is monitored respectively according to all thread numbers of acquisition, is found out and is wherein read the thread of USB device file simultaneously Obtain the current thread number for reading thread and be sent to the monitoring module;
The monitoring module is used to read the reading file operation in thread according to the current thread number monitoring for reading thread, obtains and reads file The content of parameter of operation, the content of parameter include message header or message data, when judge to monitor first reads file behaviour When the content of parameter of work is message data, then all content of parameter of acquisition are preserved;
The detection module is used to all content of parameter of preservation being combined into corresponding message, wherein, a message header with it is right The message data answered can be combined to a piece of news;Obtained message is combined into corresponding ADB orders, wherein, an ADB Order includes at least one message, and the message for belonging to same order possesses identical ID number, and the ID number is located at the message header It is interior;The detection module is additionally operable to preserve default malicious commands sentence, by the ADB orders of acquisition and the default malicious commands Sentence is compared, and judges whether that malicious act can be produced.
Further, the monitoring module is used to be monitored each thread according to the default time the corresponding reading of searching The operation of USB device file, if not found within the period, next thread is monitored immediately.
Further, it is described to keep after terminal does not connect USB or searches the thread failure for reading USB device file Shield module can obtain whole thread numbers again, and search whether to read the thread of USB device file.
Further, after whole thread numbers are found out, the monitoring module is monitored to each thread one by one, if worked as Preceding thread, which performs, reads file operation, and the thread for being USB device file, then obtaining current thread that first parameter is pointed to Number.If not finding the thread number for reading USB device file, whole thread numbers are obtained again, and continue to scan on thread.
Further, if judging, ADB orders can produce malicious act, and the detection module changes current ADB orders, resistance It is worth malicious act.
Further, if judging, ADB orders can produce malicious act, and the detection module produces user's alarm.
Compared with the prior art, the invention has the advantages that:Used when accessing mobile terminal present invention utilizes PC ends The characteristics of ADB orders interact with the adbd processes in android system, in mobile device end monitoring adbd processes, institute is wired The operation of reading USB device file in journey, to obtain the content of parameter of the operation, is then combined into message by content of parameter, will Message is combined into ADB orders, to obtain the order sent when PC ends access mobile terminal, so as to reach the purpose of monitoring.The prison Control is not influenceed by PC end ring border, and easy to use, monitoring effect is good.
Brief description of the drawings
Fig. 1 is the form schematic diagram of ADB command messages heads.
Fig. 2 is a kind of flow chart for being used to monitor the monitoring method that PC ends operate mobile device of the present invention.
Fig. 3 is a kind of structural representation for being used to monitor the supervising device that PC ends operate mobile device of the present invention.
Embodiment
In order that the object, technical solutions and advantages of the present invention are clearer, the present invention is made below in conjunction with accompanying drawing into One step it is described in detail.
Although the step in the present invention is arranged with label, it is not used to limit the precedence of step, unless It specify that the order of step or based on the execution of certain step needs other steps, otherwise the relative rank of step is It is adjustable.
Entered when accessing mobile terminal present invention utilizes PC ends using ADB orders and the adbd processes in android system The characteristics of row interaction, in certain embodiments, as shown in Fig. 2 a kind of monitoring method for being used to monitor PC ends operation mobile device Comprise the following steps:
S01, the thread number of all threads in adbd processes and the adbd processes is obtained in the terminal.
The ps orders that system offer can be used directly obtain whole thread numbers of adbd processes, also can be by checking/proc File system.Each process has a corresponding catalogue/proc/ [process number] under/proc in Linux, under the catalogue Cmdline files save command name, and whole thread numbers of process are have recorded under task subdirectories(No. PID is designated as hereinafter).
S02, each thread is monitored respectively according to all thread numbers of acquisition, find out the line for wherein reading USB device file Journey, and obtain the current thread number for reading thread.
Find out after whole thread numbers, it is necessary to judge wherein to read the thread of USB device file.Called using ptrace systems (It is to allow a process to track and control another process that it, which is acted on,), each thread is monitored one by one.It is available The system that ptrace PTRACE_SYSCALL carrys out monitoring thread is called.If current thread, which performs, reads file operation, and the What one parameter was pointed to is USB device file, then obtains No. PID of current thread.Can also directly it be looked into using strace instruments See in the system calling that each thread is carried out whether there is the operation for reading USB device file.
The USB device file path of different editions android system can be variant, specifically needs to refer to source code, such as The USB device file of the versions of Android 4.4 acquiescence is /dev/android_adb.
Preferably, the judgement to each thread can continue a bit of time, and each thread is entered according to the default time Row monitoring, corresponding reading file operation is found, if not found within the period, then it represents that current thread is not required to monitor Thread, monitor next thread immediately.
It should be understood that due to the possibility of restarting of adbd processes be present, therefore be also required to monitor opening again for adbd processes Move, be required for obtaining No. PID of its respective thread after restarting again every time.Read when terminal does not connect USB or searched After the thread failure of USB device file, whole thread numbers can be obtained again, and search whether to read the line of USB device file Journey.
S03, the reading file operation in thread is read according to the current thread number monitoring for reading thread, obtains the ginseng for reading file operation Number content, the content of parameter include message header or message data.
After obtaining current read thread No. PID, method can be used in ptrace to obtain ginseng when reading file system call Number, read document method and only have 3 parameters, be by register transmission during transmission, therefore use ptrace PTRACE_ GETREGS obtains register value and can obtain parameter.Wherein, the parameter of data storage is a memory address, reads file operation At the end of, the content of reading is stored in the internal memory of memory address sensing, can use ptrace PTRACE_PEEKTEXT Method comes out the data copy in address.
S04, when the content of parameter of the first reading file operation monitored is message data, then preserve all of acquisition Content of parameter.
Per a piece of news, message header and message data two parts are generally comprised, therefore once file operation acquisition is read in monitoring To be probably that message header is also likely to be message data.Whether the content of parameter for first determining whether to copy out is message content, is pressed Described according to the message format in ADB, there are magic fields in message content, determine whether message header by checking the field. If message header, then what next reading file operation was got is exactly message data, and the length of message data is stored in message header In.If start to get is not message header, current message data is abandoned, reading file operation next time is got just inevitable It is message header.
S05, all content of parameter of preservation are combined into corresponding message.
It should be understood that the message header and message data of a piece of news are relative with the parameter for reading file operation twice in succession Should, therefore be that can obtain a piece of news reading file operation content getparms twice to merge.
S06, obtained message is combined into corresponding ADB orders, wherein, an ADB order includes at least one message, The message for belonging to same order possesses identical ID number, and the ID number is located in the message header.
One of ordinary skill in the art will appreciate that, the order of an ADB client executing is to be converted into multiple messages It is sent to adbd processes.Such as the push operations of file, contained (OPEN, sync) in the message for reading file acquisition -- > (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) -->(CLOSE), represent that one disappears with the tuple including 2 element contents here Breath, Part I are the order of message header, and Part II is message data, and such as (OPEN, sync) represents to proceed by sync Operation,(WRTE, SEND)Expression can carry out data transmission;Therefore be may determine that by this series of message as one Push file operations, by filepath it is known that the place of file storage.The order of other ADB clients is also similar 's.A series of message corresponding to every ADB Client command possess same ID number, therefore can will possess disappearing for identical ID number Breath is combined into corresponding ADB orders.
Whether S07, the ADB orders for judging to obtain according to default rule can produce malicious act.
Default malicious commands sentence is preserved in mobile terminal, by the ADB orders being combined into and default malicious commands Sentence is compared, if the ADB orders being combined into are default malicious commands sentence, the ADB orders for judging to obtain have malice Behavior.
Entered when accessing mobile terminal present invention utilizes PC ends using ADB orders and the adbd processes in android system The characteristics of row interaction, the reading file operation in mobile device end monitors all threads of adbd processes, to obtain reading file operation Content of parameter, content of parameter is then combined into message, message is combined into ADB orders, with obtain PC ends access it is mobile eventually The order sent during end, so as to reach the purpose of monitoring.The monitoring is not influenceed by PC end ring border, easy to use, and monitoring effect is good.
Preferably, if judging, ADB orders can produce malicious act, such as file copy, using install and uninstall, port is opened Open, then the present invention also carries out respective handling to avoid causing user to lose to ADB orders.
Several frequently seen malicious commands sentence and the more excellent solution for the order is described below:
(1)Sample installation order, in ADB service ends, the order is decomposed into following two steps progress, is file transmission first(adb push filename.apk /data/local/tmp/filename.apk), followed by perform installation order(adb shell pm install /data/local/tmp/filename.apk).Refer to when can transmit by scanning file and either perform and install Fixed file path carrys out the malicious of judgement sample installation order.
If judging there is sample installation order, command context can be directly changed, such as the bag name in order is replaced with into sky Character string, so that installation is invalid.
(2)The transmission order of file, including incoming mobile terminal order(adb push)With outflow mobile terminal order (adb pull).Push operations can be by being scanned to judge to transmission file, and pull operations need to judge that transmission file is No is sensitive document(Such as contact database)., can be by the way that file path be set into empty string etc. if transmission file is sensitive document Mode makes order invalid.
(3)The execution of shell-command, i.e., the operation that adb shell modes perform.As adb shell getprop are obtained System property, adb shell am orders can send broadcast, and adb shell pm orders can unload application.Need according to specific Order is malicious to judge, such as whether unloading is that crucial application can be judged by the bag name specified in pm orders;Such as Fruit order is to delete file then to can determine whether file path is system file path.Malicious commands can be by changing in order The mode of appearance is handled.
Being mentioned in the processing method of above-mentioned three classes malicious commands can be handled by changing command context, specifically be repaiied The mode of changing is described as follows:The content of order is stored in message data and read in the internal memory of parameter sensing of file operation, due to The saved parameter for reading file operation, therefore internal memory where order can be changed using ptrace PTRACE_POKETEXT In content, can also use ptrace PTRACE_SETREGS modification read file operation parameter be null pointer, make parameter It is invalid to be worth.
Preferably, if judging, ADB orders can produce malicious act, produce user's alarm.
Specifically, can by directly produce user alarm or by the content of the ADB orders by process communication in a manner of pass To conventional social class or game class application, such application can carry out user's alarm in a manner of pop-up alerts.
As shown in figure 3, the invention also discloses a kind of supervising device for being used to monitor PC ends operation mobile device, for moving In dynamic terminal, the supervising device includes guarding module 10, monitoring module 20, detection module 30, wherein:
When PC ends access mobile terminal, it is described guard module 10 be used to obtaining in adbd processes and the adbd processes institute it is wired The thread number of journey;Each thread is monitored respectively according to all thread numbers of acquisition, finds out the thread for wherein reading USB device file And obtain the current thread number for reading thread and be sent to the monitoring module 20.
The ps orders that system offer can be used directly obtain whole thread numbers of adbd processes, also can be by checking/proc File system.Each process has a corresponding catalogue/proc/ [process number] under/proc in Linux, under the catalogue Cmdline files save command name, and No. PID of whole threads of process is have recorded under task subdirectories.
After finding out whole No. PID, called using ptrace systems(It is that one process of permission is another to track and control that it, which is acted on, An outer process), each thread is monitored one by one, can be come monitoring thread using ptrace PTRACE_SYSCALL System calls.If the reading file operation of current thread calling system, and what first parameter pointed to is USB device file, then Obtain No. PID of current thread.Can also be directly viewable using strace instruments during the system that each thread is carried out is called whether There is the operation for reading USB device file.
Preferably, the judgement to each thread can continue a bit of time, and each thread is entered according to the default time Row monitoring, corresponding reading file operation is found, if not found within the period, then it represents that current thread is not required to monitor Thread, monitor next thread immediately.
It should be understood that due to the possibility of restarting of adbd processes be present, therefore be also required to monitor opening again for adbd processes Move, be required for obtaining No. PID of its respective thread after restarting again every time.Read when terminal does not connect USB or searched After the thread failure of USB device file, whole thread numbers can be obtained again, and search whether to read the line of USB device file Journey.
The monitoring module 20 is used to read the reading file operation in thread according to the current thread number monitoring for reading thread, obtains The content of parameter of file operation is read, and judge to monitor first reads the content of parameter of file operation as message header or message count According to then preserving all content of parameter of acquisition if message data, the content of parameter includes message header or message data.
After obtaining current read thread No. PID, method can be used in ptrace to obtain parameter when system is called, read text The system call method of part operation only has 3 parameters, is by register transmission during transmission, therefore uses ptrace's PTRACE_GETREGS obtains register value and can obtain parameter.For preserving the parameter of data storage location for an internal memory Location, ptrace PTRACE_PEEKTEXT methods can be used to come out the data copy in address.
Per a piece of news, message header and message data two parts are generally comprised, therefore once file operation acquisition is read in monitoring To be probably that message header is also likely to be message data.Whether the content of parameter for first determining whether to copy out is message content, is pressed Described according to the message format in ADB, there are magic fields in message content, determine whether message header by checking the field. If message header, then what next reading file operation was got is exactly message data, and the length of message data is stored in message header In.If start to get is not message header, current message data is abandoned, reading file operation next time is got just inevitable It is message header.
The detection module 30 is used to all content of parameter of preservation being combined into corresponding message, wherein, a message Head can be combined to a piece of news with a corresponding message data;Obtained message is combined into corresponding ADB orders, wherein, One ADB orders include at least one message, and the message for belonging to same order possesses identical ID number, and the ID number is positioned at described In message header;The detection module 30 is additionally operable to preserve default malicious commands sentence, and ADB orders and this of acquisition is default Malicious commands sentence is compared, and judges whether that malicious act can be produced.
One of ordinary skill in the art will appreciate that, the message header and message data of a piece of news with reading text twice in succession The parameter of part operation is corresponding, therefore the content for the parameter for reading file operation twice is merged and can obtain a piece of news.One The order of ADB client executings is converted into multiple messages and is sent to adbd processes.Such as the push operations of file, reading Contained in the thread of USB device file (OPEN, sync) --> (WRTE, STAT) --> (WRTE, filepath) --> (WRTE, SEND) --> WRTE(filepath + content) --> (WRTE, QUIT) -->(CLOSE), this In with the tuple including 2 element contents represent a message, Part I is the order of message header, and Part II is message Data, such as (OPEN, sync) represent that to proceed by sync operates,(WRTE, SEND)Expression can carry out data transmission;Therefore It is may determine that by this series of message as a push file operation, by filepath it is known that file storage Place.The order of other ADB clients is also similar.A series of message corresponding to every ADB Client command possess together One ID number, therefore the message for possessing identical ID number can be combined into corresponding ADB orders.
Default malicious commands sentence is preserved in mobile terminal, by the ADB orders being combined into and default malicious commands Sentence is compared, and the ADB orders for judging to obtain if the ADB orders being combined into are default malicious commands sentence have malice row For.
Entered when accessing mobile terminal present invention utilizes PC ends using ADB orders and the adbd processes in android system The characteristics of row interaction, the reading file operation in USB device file thread is read during mobile device end monitors adbd processes, to obtain The content of parameter for reading file operation is taken, content of parameter is then combined into message, message is combined into ADB orders, to obtain PC End accesses the order sent during mobile terminal, so as to reach the purpose of monitoring.The monitoring is not influenceed by PC end ring border, user Just, monitoring effect is good.
Preferably, the detection module 30 is additionally operable to, when judging that ADB orders have malicious act, enter the ADB orders Row respective handling is to avoid causing user to lose.
Several frequently seen malicious commands sentence and the more excellent solution for the order is described below:
(1)Sample installation order, in ADB service ends, the order is decomposed into following two steps progress, is file transmission first(adb push filename.apk /data/local/tmp/filename.apk), followed by perform installation order(adb shell pm install /data/local/tmp/filename.apk).Refer to when can transmit by scanning file and either perform and install Fixed file path carrys out the malicious of judgement sample installation order.
If judging there is sample installation order, command context can be directly changed, such as the bag name in order is replaced with into sky Character string, so that installation is invalid.
(2)The transmission order of file, including incoming mobile terminal order(adb push)With outflow mobile terminal order (adb pull).Push operations can be by being scanned to judge to transmission file, and pull operations need to judge that transmission file is No is sensitive document(Such as contact database)., can be by the way that file path be set into empty string etc. if transmission file is sensitive document Mode makes order invalid.
(3)The execution of shell-command, i.e., the operation that adb shell modes perform.As adb shell getprop are obtained System property, adb shell am orders can send broadcast, and adb shell pm orders can unload application.Need according to specific Order is malicious to judge, such as whether unloading is that crucial application can be judged by the bag name specified in pm orders;Such as Fruit order is to delete file then to can determine whether file path is system file path.Malicious commands can be by changing in order The mode of appearance is handled.
Being mentioned in the processing method of above-mentioned three classes malicious commands can be handled by changing command context, specifically be repaiied The mode of changing is described as follows:The content of order is stored in the internal memory for the parameter sensing for reading file operation, due to saved reading The parameter of file operation, therefore the content in the internal memory of order place can be changed using ptrace PTRACE_POKETEXT, The parameter that ptrace PTRACE_SETREGS modification reading file operations can also be used is null pointer, makes parameter value invalid.
The detection module 30 is additionally operable to the side for producing user's alarm or the content of the ADB orders being passed through into process communication Formula passes conventional social class or game class application, and such application can carry out user's alarm in a manner of pop-up alerts.
Some embodiments of the present invention have shown and described in described above, but as previously described, it should be understood that the present invention is not Form disclosed herein is confined to, is not to be taken as the exclusion to other embodiment, and available for various other combinations, modification And environment, and can be carried out in the scope of the invention is set forth herein by the technology or knowledge of above-mentioned teaching or association area Change., then all should be in institute of the present invention and the change and change that those skilled in the art are carried out do not depart from the spirit and scope of the present invention In attached scope of the claims.

Claims (10)

1. a kind of monitoring method for being used to monitor PC ends operation mobile device, it is characterised in that the monitoring method includes following Step:
The thread number of all threads in acquisition for mobile terminal adbd processes and the adbd processes;
Each thread is monitored respectively according to all thread numbers of acquisition, finds out thread and the acquisition for wherein reading USB device file The current thread number for reading thread;
The reading file operation in the thread is monitored according to the current thread number for reading thread, obtains the content of parameter for reading file operation, The content of parameter includes message header or message data;
When the content of parameter of the first reading file operation monitored is message data, then preserve in all parameters of acquisition Hold;
All content of parameter of preservation are combined into corresponding message, wherein, a message header and a corresponding message data It can be combined to a piece of news;
Obtained message is combined into corresponding ADB orders, wherein, an ADB order includes at least one message, belongs to same The message of order possesses identical ID number, and the ID number is located in the message header;
Whether the ADB orders for judging to obtain according to default rule can produce malicious act.
2. monitoring method as claimed in claim 1, it is characterised in that be monitored and seek to each thread according to the default time Corresponding reading file operation is looked for, if not found within the period, monitors next thread immediately.
3. monitoring method as claimed in claim 1, it is characterised in that after finding out whole thread numbers, enter one by one to each thread Row monitoring, if current thread, which performs, reads file operation, and what first parameter pointed to is USB device file, then obtains and work as The thread number of preceding thread.
4. monitoring method as claimed in claim 1, it is characterised in that set when terminal does not connect USB or searches reading USB After the thread failure of standby file, whole thread numbers can be obtained again, and search whether to read the thread of USB device file.
5. monitoring method as claimed in claim 1, it is characterised in that ADB orders can produce malicious act if judging, press Current ADB orders are changed according to default rule, prevent malicious act from occurring or/and produce user's alarm.
6. a kind of supervising device for being used to monitor PC ends operation mobile device, it is characterised in that the supervising device includes guarding Module, monitoring module, detection module, when PC ends access mobile terminal:
The thread number guarded module and be used to obtain all threads in adbd processes and the adbd processes;According to the institute of acquisition There is thread number to monitor each thread respectively, find out the thread for wherein reading USB device file and obtain the current thread for reading thread Number it is sent to the monitoring module;
The monitoring module is used to read the reading file operation in thread according to the current thread number monitoring for reading thread, obtains and reads file The content of parameter of operation, the content of parameter include message header or message data, when judge to monitor first reads file behaviour When the content of parameter of work is message data, then all content of parameter of acquisition are preserved;
The detection module is used to all content of parameter of preservation being combined into corresponding message, wherein, a message header with it is right The message data answered can be combined to a piece of news;Obtained message is combined into corresponding ADB orders, wherein, an ADB Order includes at least one message, and the message for belonging to same order possesses identical ID number, and the ID number is located at the message header It is interior;The detection module is additionally operable to preserve default malicious commands sentence, by the ADB orders of acquisition and the default malicious commands Sentence is compared, and judges whether to produce malicious act.
7. supervising device as claimed in claim 6, it is characterised in that the monitoring module is used for according to the default time to every Individual thread is monitored the corresponding reading file operation of searching, if not found within the period, monitors next line immediately Journey.
8. supervising device as claimed in claim 6, it is characterised in that the monitoring module is supervised to each thread one by one Control, if current thread, which performs, reads file operation, and what first parameter pointed to is USB device file, then obtains and work as front The thread number of journey.
9. supervising device as claimed in claim 6, it is characterised in that set when terminal does not connect USB or searches reading USB After the thread failure of standby file, the module of guarding can obtain whole thread numbers again, and search whether to read USB device text The thread of part.
10. supervising device as claimed in claim 6, it is characterised in that ADB orders can produce malicious act, institute if judging State detection module and change current ADB orders according to default rule, prevent malicious act from occurring or/and produce user's alarm.
CN201610806113.XA 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC Active CN107798240B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610806113.XA CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610806113.XA CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Publications (2)

Publication Number Publication Date
CN107798240A true CN107798240A (en) 2018-03-13
CN107798240B CN107798240B (en) 2019-10-18

Family

ID=61529963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610806113.XA Active CN107798240B (en) 2016-09-07 2016-09-07 A kind of method and device operating mobile device for monitoring the end PC

Country Status (1)

Country Link
CN (1) CN107798240B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114968456A (en) * 2022-05-07 2022-08-30 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254113A (en) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code of mobile terminal
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
US8935793B2 (en) * 2012-02-29 2015-01-13 The Mitre Corporation Hygienic charging station for mobile device security
CN104978518A (en) * 2014-10-31 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for preventing PC (Personal Computer) side from obtaining layout operation of mobile equipment screen

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254113A (en) * 2011-06-27 2011-11-23 深圳市安之天信息技术有限公司 Method and system for detecting and intercepting malicious code of mobile terminal
US8935793B2 (en) * 2012-02-29 2015-01-13 The Mitre Corporation Hygienic charging station for mobile device security
CN103279706A (en) * 2013-06-07 2013-09-04 北京奇虎科技有限公司 Method and device for intercepting installation of Android application program in mobile terminal
CN104978518A (en) * 2014-10-31 2015-10-14 哈尔滨安天科技股份有限公司 Method and system for preventing PC (Personal Computer) side from obtaining layout operation of mobile equipment screen

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
史杨: "Android手机和计算机连接后的安全控制策略研究", 《长春师范大学学报》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114968456A (en) * 2022-05-07 2022-08-30 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal
CN114968456B (en) * 2022-05-07 2024-03-08 麒麟合盛网络技术股份有限公司 Method and device for controlling terminal

Also Published As

Publication number Publication date
CN107798240B (en) 2019-10-18

Similar Documents

Publication Publication Date Title
CN109344616B (en) Method and device for monitoring dynamic loading behavior of mobile application program
US8844038B2 (en) Malware detection
KR101051722B1 (en) Monitor program, monitoring method and computer program product for hardware related thereto
CN110213207B (en) Network security defense method and equipment based on log analysis
KR102723245B1 (en) Machine learning system and method for reducing false positive malware detection rate
US20150020198A1 (en) Methods of detection of software exploitation
US8640233B2 (en) Environmental imaging
CN105205413B (en) A kind of guard method of data and device
US11822666B2 (en) Malware detection
CN103279707A (en) Method, device and system for actively defending against malicious programs
CN109639726A (en) Intrusion detection method, device, system, equipment and storage medium
US10678917B1 (en) Systems and methods for evaluating unfamiliar executables
US9842219B1 (en) Systems and methods for curating file clusters for security analyses
US9646157B1 (en) Systems and methods for identifying repackaged files
US9203850B1 (en) Systems and methods for detecting private browsing mode
CN107798240A (en) A kind of method and device for being used to monitor PC ends operation mobile device
CN114422274B (en) Multi-scene vulnerability detection method and device based on cloud protogenesis and storage medium
US9692773B1 (en) Systems and methods for identifying detection-evasion behaviors of files undergoing malware analyses
CN107169354A (en) Multi-layer android system malicious act monitoring method
CN108197475B (en) Malicious so module detection method and related device
KR102472523B1 (en) Method and apparatus for determining document action based on reversing engine
CN113839944B (en) Method, device, electronic equipment and medium for coping with network attack
CN114610577A (en) Target resource locking method, device, equipment and medium
US11423166B2 (en) Method and apparatus for inspecting sensitive information stored in file system
CN114417349A (en) Attack result determination method, device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 430000 Hubei city Wuhan East Lake New Technology Development Zone 8 Huacheng Road 8 Wuhan software new town industry three phase C20 building

Applicant after: Wuhan Antian Information Technology Co., Ltd.

Address before: 430000 software industry, No. 1 East Road, software park, East Lake New Technology Development Zone, Hubei, Wuhan 4-1, B4 building, room 12, floor 01

Applicant before: Wuhan Antian Information Technology Co., Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant