WO2013182005A1 - Method and device for use in intercepting call for service by application - Google Patents

Method and device for use in intercepting call for service by application Download PDF

Info

Publication number
WO2013182005A1
WO2013182005A1 PCT/CN2013/076450 CN2013076450W WO2013182005A1 WO 2013182005 A1 WO2013182005 A1 WO 2013182005A1 CN 2013076450 W CN2013076450 W CN 2013076450W WO 2013182005 A1 WO2013182005 A1 WO 2013182005A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
service
address
call
information
Prior art date
Application number
PCT/CN2013/076450
Other languages
French (fr)
Chinese (zh)
Inventor
丁祎
李元
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司 filed Critical 北京奇虎科技有限公司
Publication of WO2013182005A1 publication Critical patent/WO2013182005A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs

Definitions

  • the present invention relates to system security of an electronic device operating system, and more particularly to a method and apparatus for intercepting an application's call to an application in an operating system of an electronic device. Background technique
  • reading contact information is through a data source service (ie, a process of the system, the process loads the data source service object, and provides an interface).
  • a data source service ie, a process of the system, the process loads the data source service object, and provides an interface.
  • any program that needs to read the contact information needs to apply for reading the contact information through the interface.
  • the interface of this service is based on the Binder communication mechanism.
  • the process of calling the interface is as follows: The application issues an interface request for a service, sends the service name and interface serial number -> the service's total route query service, and registers the caller, letting it wait ->
  • the service's total route allocates the client's request to the specific service -> the specific service performs the call to its own interface -> the specific service returns the result of the interface call -> the service's total route gets the result and returns it to the registered application ->
  • the client program gets the result of the interface request.
  • the Android system itself does not have an interception mechanism. It only tells the system user that the program may access certain services before the malicious program is installed, but does not judge whether the application is a malicious program.
  • interception is achieved by registering a fake service with the system, but this way leaves a noticeable fake service name in the intercepted system, which is easily detected by malicious programs, which in turn invalidates the interception.
  • the present invention has been made in order to provide an application pair in an operating system for intercepting an electronic device that overcomes the above problems or at least partially solves or alleviates the above problems.
  • Method and device for calling a service are provided.
  • a method for intercepting an application's call to a service in an operating system of an electronic device includes: loading an intercepted dynamic library into a process in which the service is located; and inputting and outputting the process The address of the control function is replaced with the first address of the intercepting dynamic library; when the application invokes the service, executing the intercepting dynamic library based on the first address to obtain information and a location of the application Decoding the information, and replacing the address of the service to be called included in the invoked information with the second address of the intercepting dynamic library; and displaying the information of the application based on the second address and The invoked information, and the processing is performed in accordance with the selection of the call by the operating system on the electronic device.
  • an apparatus for intercepting an application's call to a service in an operating system of an electronic device including a load module, configured to load the intercept dynamic library to a process in which the service is located; a module, configured to replace an address of the input/output control function in the process with a first address of the intercepting dynamic library; a second replacement module, configured to: when the application invokes the service, based on the Executing the intercepting dynamic library with an address, obtaining information of the application and the called information, and replacing an address of the service to be called included in the called information with the number of the intercepting dynamic library And a processing module, configured to display information of the application and the invoked information based on the second address, and perform processing according to selection of the call by an operating system on an electronic device.
  • a computer program comprising computer readable code causing the server to perform any of claims 1-7 when run on a server
  • a computer readable medium storing the computer program according to claim 15 is provided.
  • the present invention is capable of intercepting calls and displaying information about applications and calls when the application makes a call to the service, so that it can be selected based on this information to allow the application to invoke the service.
  • the call can be rejected, and the false service result of the successful call can be returned to the malicious application, so that the malicious application cannot be found, thereby improving the security of the system.
  • FIG. 1 is a flow chart schematically showing a method for intercepting an application's call to a service in an operating system of an electronic device, in accordance with an embodiment of the present invention
  • FIG. 2 schematically illustrates an example view of a selection of an invocation by an operating system on an electronic device in accordance with an embodiment of the present invention
  • FIG. 3 is a block diagram schematically showing an apparatus for intercepting an application's call to a service in an operating system of an electronic device, in accordance with an embodiment of the present invention
  • Figure 4 is a schematic block diagram showing a server for performing the method according to the present invention.
  • Fig. 5 schematically shows a memory unit for holding or carrying a program code implementing a method according to the invention.
  • the electronic device includes, but is not limited to, the following electronic devices with an operating system installed: mobile phone, tablet, notebook computer, navigator, audio and/or video player, radio, mobile TV, multi-function remote control
  • mobile phone tablet, notebook computer, navigator, audio and/or video player, radio, mobile TV, multi-function remote control
  • the principle of the present invention is exemplarily described by taking a mobile phone equipped with an Andro id system as an example, but the description is merely exemplary, and the scope of the present invention is not limited thereto, and the principle of the present invention can also be applied to Any electronic device installed with other operating systems (eg, Lenovo, i OS, Wi ndow Phone, Symbi an, etc.), such as those previously mentioned.
  • the method 100 for intercepting an application's call to a service in an operating system for intercepting an electronic device the following is described by taking an application call to the service through the Binder mechanism of the Andro id system, but the description is merely exemplary.
  • the invention is also applicable to other communication mechanisms.
  • the process in which each service is located is found in the Andro id system in advance, and in step S101, the interception dynamic library is loaded to the process in which the service is located.
  • the pull dynamic library can be loaded into the The process in which the service is located.
  • the process may be suspended before execution of step S101, for example, by the application programming interface pt race provided by the Linux system.
  • step S102 is performed, in which the address of the input/output control function in the process is replaced with the first address of the intercepting dynamic library.
  • the input and output control function is an I0CTL function in the Binder mechanism.
  • the first address of the intercepting dynamic library is used to execute the intercepting dynamic library. After the execution of step S102, the process can be resumed.
  • step S103 when the application invokes the service, executing the intercepting dynamic library based on the first address, obtaining information of the application and the invoked information, and The address of the service to be called included in the called information is replaced with the second address of the intercepting dynamic library.
  • the I0CTL function when the application calls the service through the Binder mechanism, the I0CTL function will be reached, since the address of the IOCTTL function has been replaced with the first of the intercepting dynamic library. The address, so the intercepting dynamic library will be executed based on the first address.
  • the intercepting dynamic library may obtain the information of the application and the called message according to the Andro id system by using the IOCT function according to an embodiment of the present invention, where the information of the application includes the The name and description of the application, the information of the call includes the interface number of the call and the address of the service to be called. Replacing the address of the service to be called with the second address of the intercepting dynamic library, the information of the application and the called information may be displayed based on the second address, and according to the call Select to perform processing on the call.
  • step S104 Since the address of the service to be called has been replaced with the second address of the intercepting dynamic library, in step S104, the information and the application of the application will be displayed based on the second address. Said information, and according to the operating system on the electronic device Processing is performed on the selection of the call.
  • FIG. 2 is an exemplary view of a selection of an invocation by an operating system on an electronic device in accordance with an embodiment of the present invention.
  • the information of the application and the called information are displayed on the display screen of the mobile phone, and the user is asked whether to allow the application to make a call to the service.
  • the call is performed according to the address of the service, and the actual service result is returned to the application; or when the user selects not to allow the
  • a predefined service result is returned to the application.
  • the predefined service result may, for example, be a service result indicating that the call has been successful, in order for the application to consider that its call to the service has succeeded, and to intercept the interception according to an embodiment of the present invention. None to know.
  • the user can judge whether the application is a malicious application according to the displayed information of the application and the called information, and select to allow the application if it is determined to be a non-malicious normal application.
  • the selection does not allow the The application invokes the service to ensure system security, while returning to the malicious application a false service result indicating that the call has succeeded, thereby rendering the malicious application unaware of the interception performed in accordance with the present invention.
  • the process in which each service is located in the Android system (including the process in which the call service is located, assuming that the name is the process S) is pre-loaded, and the interception dynamic library is loaded into the process (including the process S) where each service is located.
  • the malicious application A needs to make a call to the call service in order to dial the charge number 888, which first initiates access to the call interface.
  • the address of the IOCT function in the Binder mechanism is replaced with the first address of the intercepting dynamic library. Since the malicious application A will implement the call service through the Binder mechanism, it will execute the I0CTL function in the Binder mechanism. The IOCCTL has been replaced with the first address, and thus the interception dynamic library will be executed based on the first address. At this time, the intercepting dynamic library can be prior to the Android system through the IOCTTL function. The information of the application (the malicious program A and its description) and the called information (calling the call service, dialing the telephone number 888) are obtained. Then, the address of the call service is replaced with the second address of the interception dynamic library.
  • the information of the malicious application A and the call service for calling the call service are displayed on the display screen of the mobile phone based on the second address.
  • Number 888 information Based on the above information, the user chooses not to allow malicious application A to call the call service.
  • the pre-defined service result is returned directly to the malicious application A, that is, the service result indicating that the call has been successful, so that the malicious application A thinks that its call to the call service has succeeded, and None is known about the interception performed in accordance with an embodiment of the present invention.
  • the present invention provides a method for intercepting an application's call to a service in an operating system of an electronic device.
  • the present invention is capable of intercepting calls and displaying information about applications and calls when the application makes a call to the service, so that it can be selected based on this information to allow the application to invoke the service.
  • the call can be rejected and the virtual service result of the successful call can be returned to the malicious application, so that the malicious application cannot be found, thereby improving the security of the system.
  • the malicious application can intercept the privacy information of the electronic device user (including contact information, call history, short message, multimedia message, various accounts and passwords, etc.), and prevent the malicious application from dialing the charge call and sending the buckle.
  • Pay SMS visit websites that consume network traffic, prevent malicious applications from installing Trojans and virus programs, prevent malicious applications from recording users' GPS or network location, block malicious applications from popping up harassment ads, etc., for any malicious application.
  • the call of the service is intercepted, thereby improving the security of the system.
  • the present invention also provides an apparatus 200 for intercepting an application's call to a service in an operating system of an electronic device.
  • the apparatus 200 includes:
  • the loading module 210 is configured to load the intercepting dynamic library into the process where the service is located, and the loading module 210 can be used to perform step S101 in the foregoing method 100;
  • a first replacement module 220 configured to replace an address of the input/output control function in the process with a first address of the intercepting dynamic library, where the first replacement module 220 is configured to perform step S10 2 in the foregoing method 100.
  • a second replacement module 230 configured to execute the intercepting dynamic library based on the first address when the application invokes the service, to obtain information about the application and the calling Information, and the address of the service to be called included in the called information is replaced with the second address of the intercepting dynamic library, the second replacement module 230 can be used to perform step S103 in the above method 100; as well as
  • the processing module 240 is configured to display information about the application and the invoked information based on the second address, and perform processing according to selection of the call by an operating system on an electronic device, the processing module 240 It can be used to perform step S104 in the above method 100.
  • the processing module 240 performs the call according to the address of the service, and to the application Returning the actual service result; or in the event that the application's call to the service is selected to be disallowed, the processing module 240 returns a predefined service result to the application.
  • the apparatus 200 further includes a suspending module 250 for suspending the process before the loading module 210 loads the intercepting dynamic library to a process in which the service is located, and for the A replacement module 220 replaces the address of the input-output control function in the process with the recovery module 260 that resumes the process after intercepting the first address of the dynamic library.
  • the information of the application includes the name and description of the application
  • the information of the call includes the interface number of the call and the address of the service to be called.
  • the operating system is an Andro id system
  • the application invokes the service through a Binder mechanism of the Andro id system.
  • the input and output control function is an I0CTL function in the Binder mechanism.
  • the second replacement module 230 executes the intercepting dynamic library based on the first address to pass the
  • the I0CTL function obtains the information of the application and the letter of the call before the Andro id system.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor can be used in practice.
  • Some or all of the functionality of some or all of the means for intercepting an application's call to a service in an operating system of an electronic device in accordance with an embodiment of the present invention is implemented.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 4 illustrates a server, such as an application server, that can implement a method for intercepting an application's call to a service in an operating system of an electronic device in accordance with the present invention.
  • the server conventionally includes a processor 410 and a computer program product or computer readable medium in the form of a memory 420.
  • Memory 420 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk or ROM.
  • Memory 420 has a memory space 430 for program code 431 for performing any of the method steps described above.
  • storage space 430 for program code may include various program code 431 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units as described with reference to Figure 5.
  • the storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 420 in the server of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 431, i.e., code that can be read by a processor, such as 410, which, when executed by a server, causes the server to perform various steps in the methods described above.
  • an embodiment or “an embodiment,” or “one or more embodiments” as used herein means that the particular features, structures, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention.
  • the phrase “in one embodiment” herein does not necessarily refer to the same embodiment.

Abstract

Disclosed are a method and device for use in intercepting a call for a service by an application in an operating system. The method comprises: loading an interception dynamic-link library to a process where the service is at; replacing the address of an input/output control function in the process with a first address of the interception dynamic-link library; when the application is calling the service, executing the interception dynamic-link library on the basis of the first address to acquire the name and information of the application and information of the call, and replacing the address of the service-to-be-called and comprised in the information of the call with a second address of the interception dynamic-link library; displaying the information of the application and the information of the call on the basis of the second address, and executing the process on the basis of a selection with respect to the call on an electronic device via the operating system. The present invention increases the security of the operating system of the electronic device.

Description

一种用于拦截应用程序对服务的调用的方法和装置 技术领域  Method and apparatus for intercepting an application's call to a service
本发明涉及电子设备操作系统的系统安全,特别涉及一种用于拦截电子 设备的操作系统中应用程序对服务的调用的方法和装置。 背景技术  The present invention relates to system security of an electronic device operating system, and more particularly to a method and apparatus for intercepting an application's call to an application in an operating system of an electronic device. Background technique
近年来, 安装有操作系统的电子设备、 特别是便携式电子设备(例如, 移动电话、 平板电脑等)变得越来越普及。 与之相应地, 运行在这些电子设 备的操作系统上的应用程序的数量也有了呈几何级数的爆炸式增长。 以 iOS 系统和 Android系统为例, 目前这两个系统上的应用程序分别超过了 60万个 和 40万个。  In recent years, electronic devices equipped with operating systems, particularly portable electronic devices (for example, mobile phones, tablets, etc.) have become more and more popular. Correspondingly, the number of applications running on the operating systems of these electronic devices has also exploded exponentially. Take iOS and Android as examples. Currently, there are more than 600,000 and 400,000 applications on these two systems.
尽管海量的应用程序给用户带来了更多的选择,但随之而来的安全性问 题也值得关注。 以 Android系统为例, 系统的部分重要功能通过服务接口的 形式提供, 譬如读取联系人信息是通过数据源服务(即系统的一个进程, 该 进程加载了数据源服务对象, 并且提供接口)来进行的, 任何需要读取联系 人信息的程序都需要通过接口来向该服务申请读取联系人信息。  Although a large number of applications give users more choices, the security issues that follow are also worthy of attention. Taking the Android system as an example, some important functions of the system are provided through a service interface. For example, reading contact information is through a data source service (ie, a process of the system, the process loads the data source service object, and provides an interface). In the process, any program that needs to read the contact information needs to apply for reading the contact information through the interface.
这种服务的接口基于 Binder通讯机制, 调用接口的流程如下: 应用程序 发出对某个服务的接口请求, 发送服务名称和接口序号 -〉服务的总路由查 询服务, 并登记调用者, 让其等待 -〉服务的总路由分配客户的请求到具体 服务 ->具体服务执行对自己接口的调用 ->具体服务返回接口调用的结果 -> 服务的总路由拿到结果, 并返回给登记过的应用程序 -〉 客户程序拿到 接口请求的结果。  The interface of this service is based on the Binder communication mechanism. The process of calling the interface is as follows: The application issues an interface request for a service, sends the service name and interface serial number -> the service's total route query service, and registers the caller, letting it wait -> The service's total route allocates the client's request to the specific service -> the specific service performs the call to its own interface -> the specific service returns the result of the interface call -> the service's total route gets the result and returns it to the registered application -> The client program gets the result of the interface request.
目前, Android系统本身不具备拦截的机制, 只是在恶意程序安装之前 告知系统用户此程序可能会访问某些服务,但是对于应用程序是否是恶意程 序不做判断。 目前, 存在一些针对恶意程序进行拦截的方案。 例如, 通过向 系统注册假服务的方式实现拦截,但是这种方式会在进行拦截的系统中留下 明显的假服务名称, 很容易被恶意程序发现, 进而使拦截失效。 发明内容  Currently, the Android system itself does not have an interception mechanism. It only tells the system user that the program may access certain services before the malicious program is installed, but does not judge whether the application is a malicious program. Currently, there are some options for intercepting malicious programs. For example, interception is achieved by registering a fake service with the system, but this way leaves a noticeable fake service name in the intercepted system, which is easily detected by malicious programs, which in turn invalidates the interception. Summary of the invention
鉴于上述问题,提出了本发明以便提供一种克服上述问题或者至少部 分地解决或者减緩上述问题的用于拦截电子设备的操作系统中应用程序对 服务的调用的方法和装置。 In view of the above problems, the present invention has been made in order to provide an application pair in an operating system for intercepting an electronic device that overcomes the above problems or at least partially solves or alleviates the above problems. Method and device for calling a service.
根据本发明的一个方面, 提供了一种用于拦截电子设备的操作系统中 应用程序对服务的调用的方法,包括:将拦截动态库加载到服务所在的进程; 将所述进程中的输入输出控制函数的地址替换为所述拦截动态库的第一地 址; 在应用程序对所述服务进行调用时, 基于所述第一地址执行所述拦截动 态库, 以获得所述应用程序的信息和所述调用的信息, 并且将所述调用的信 息中包括的要被调用的服务的地址替换为所述拦截动态库的第二地址; 以及 基于所述第二地址, 显示所述应用程序的信息和所述调用的信息, 并且根据 在电子设备上通过操作系统对于所述调用的选择来执行处理。  According to an aspect of the present invention, a method for intercepting an application's call to a service in an operating system of an electronic device includes: loading an intercepted dynamic library into a process in which the service is located; and inputting and outputting the process The address of the control function is replaced with the first address of the intercepting dynamic library; when the application invokes the service, executing the intercepting dynamic library based on the first address to obtain information and a location of the application Decoding the information, and replacing the address of the service to be called included in the invoked information with the second address of the intercepting dynamic library; and displaying the information of the application based on the second address and The invoked information, and the processing is performed in accordance with the selection of the call by the operating system on the electronic device.
根据本发明的另一个方面, 提供了一种用于拦截电子设备的操作系统 中应用程序对服务的调用的装置, 包括加载模块, 用于将拦截动态库加载到 服务所在的进程; 第一替换模块, 用于将所述进程中的输入输出控制函数的 地址替换为所述拦截动态库的第一地址; 第二替换模块, 用于在应用程序对 所述服务进行调用时, 基于所述第一地址执行所述拦截动态库, 以获得所述 应用程序的信息和所述调用的信息, 并且将所述调用的信息中包括的要被调 用的服务的地址替换为所述拦截动态库的第二地址; 以及处理模块, 用于基 于所述第二地址, 显示所述应用程序的信息和所述调用的信息, 并且根据在 电子设备上通过操作系统对于所述调用的选择来执行处理。  According to another aspect of the present invention, an apparatus for intercepting an application's call to a service in an operating system of an electronic device is provided, including a load module, configured to load the intercept dynamic library to a process in which the service is located; a module, configured to replace an address of the input/output control function in the process with a first address of the intercepting dynamic library; a second replacement module, configured to: when the application invokes the service, based on the Executing the intercepting dynamic library with an address, obtaining information of the application and the called information, and replacing an address of the service to be called included in the called information with the number of the intercepting dynamic library And a processing module, configured to display information of the application and the invoked information based on the second address, and perform processing according to selection of the call by an operating system on an electronic device.
根据本发明的又一个方面,提供了一种计算机程序,其包括计算机可 读代码, 当所述计算机可读代码在服务器上运行时, 导致所述服务器执 行根据权利要求 1-7中的任一个所述的用于拦截电子设备的操作系统中应 用程序对服务的调用的方法。  According to still another aspect of the present invention, a computer program comprising computer readable code causing the server to perform any of claims 1-7 when run on a server The method for intercepting an application's call to a service in an operating system of an electronic device.
根据本发明的再一个方面,提供了一种计算机可读介质,其中存储了 如权利要求 15所述的计算机程序。  According to still another aspect of the present invention, a computer readable medium storing the computer program according to claim 15 is provided.
本发明的有益效果为:  The beneficial effects of the invention are:
本发明能够在应用程序对服务进行调用时, 对于调用进行拦截, 并显示 有关应用程序和调用的信息, 这样就可以根据此信息来选择是否允许应用程 序对服务的调用。 在例如恶意应用程序对服务调用的情况下, 就可以拒绝该 调用, 并向恶意应用程序返回该调用成功的虚假服务结果, 使恶意应用程序 无法发现, 从而提高了系统的安全性。  The present invention is capable of intercepting calls and displaying information about applications and calls when the application makes a call to the service, so that it can be selected based on this information to allow the application to invoke the service. In the case of, for example, a malicious application calling a service, the call can be rejected, and the false service result of the successful call can be returned to the malicious application, so that the malicious application cannot be found, thereby improving the security of the system.
上述说明仅是本发明技术方案的概述,为了能够更清楚了解本发明的 技术手段, 而可依照说明书的内容予以实施, 并且为了让本发明的上述 和其它目的、 特征和优点能够更明显易懂, 以下特举本发明的具体实施 方式。 附图说明 The above description is merely an overview of the technical solutions of the present invention, and can be implemented in accordance with the contents of the specification in order to more clearly understand the technical means of the present invention, and The other objects, features and advantages of the invention will become more apparent and obvious. DRAWINGS
通过阅读下文优选实施方式的详细描述,各种其他的优点和益处对于 本领域普通技术人员将变得清楚明了。 附图仅用于示出优选实施方式的 目的, 而并不认为是对本发明的限制。 而且在整个附图中, 用相同的参 考符号表示相同的部件。 在附图中:  Various other advantages and benefits will become apparent to those skilled in the art from a The drawings are only for the purpose of illustrating the preferred embodiments and are not to be construed as limiting. Throughout the drawings, the same reference numerals are used to refer to the same parts. In the drawing:
图 1示意性地示出了根据本发明的实施例的用于拦截电子设备的操作 系统中应用程序对服务的调用的方法的流程图;  1 is a flow chart schematically showing a method for intercepting an application's call to a service in an operating system of an electronic device, in accordance with an embodiment of the present invention;
图 2示意性地示出了根据本发明的实施例的在电子设备上通过操作系 统对于调用进行选择的示例视图; 以及  2 schematically illustrates an example view of a selection of an invocation by an operating system on an electronic device in accordance with an embodiment of the present invention;
图 3 示意性地示出了根据本发明的实施例的用于拦截电子设备的操作 系统中应用程序对服务的调用的装置的框图;  3 is a block diagram schematically showing an apparatus for intercepting an application's call to a service in an operating system of an electronic device, in accordance with an embodiment of the present invention;
图 4示意性地示出了用于执行根据本发明的方法的服务器的框图;以 及  Figure 4 is a schematic block diagram showing a server for performing the method according to the present invention; and
图 5 示意性地示出了用于保持或者携带实现根据本发明的方法的程 序代码的存储单元。 具体实施例  Fig. 5 schematically shows a memory unit for holding or carrying a program code implementing a method according to the invention. Specific embodiment
下面结合附图和具体的实施方式对本发明作进一步的描述。  The invention is further described below in conjunction with the drawings and specific embodiments.
图 1 是根据本发明的实施例的用于拦截电子设备的操作系统中应用 程序对服务的调用的方法的流程图。根据本发明, 所述电子设备包括但不 限于安装有操作系统的以下电子设备: 移动电话、 平板电脑、 笔记本计算 机、 导航仪、 音频和 /或视频播放器、 收音机、 移动电视、 多功能遥控器 等便携式计算设备; 台式计算机、 大型计算机、 打印机、传真机、 复印机、 多功能一体机、 机顶盒、 公共信息查询设备、 多媒体信息交互设备等固定 式计算设备; 以及其它安装有操作系统的电子设备。  1 is a flow diagram of a method for intercepting an application's call to a service in an operating system of an electronic device, in accordance with an embodiment of the present invention. According to the present invention, the electronic device includes, but is not limited to, the following electronic devices with an operating system installed: mobile phone, tablet, notebook computer, navigator, audio and/or video player, radio, mobile TV, multi-function remote control Such as portable computing devices; desktop computers, mainframe computers, printers, fax machines, copiers, all-in-ones, set-top boxes, public information inquiry devices, multimedia computing devices, and other fixed computing devices; and other electronic devices with operating systems installed.
在下文中, 以安装有 Andro id系统的移动电话为例, 对本发明的原理 进行示例性描述,然而此描述仅仅是示例性的,本发明的范围并不限于此, 本发明的原理也可以适用于安装有其它操作系统(例如 L i nux、 i OS、 Wi ndow Phone, Symbi an等) 的任何电子设备, 例如前面提及的那些电子设备。 在用于拦截电子设备的操作系统中应用程序对服务的调用的方法 100 中 , 以下以应用程序通过 Andro id系统的 Binder机制对服务进行调用为 例进行描述, 但此描述仅仅是示例性的, 本发明也适用于其它通信机制。 In the following, the principle of the present invention is exemplarily described by taking a mobile phone equipped with an Andro id system as an example, but the description is merely exemplary, and the scope of the present invention is not limited thereto, and the principle of the present invention can also be applied to Any electronic device installed with other operating systems (eg, Lenovo, i OS, Wi ndow Phone, Symbi an, etc.), such as those previously mentioned. In the method 100 for intercepting an application's call to a service in an operating system for intercepting an electronic device, the following is described by taking an application call to the service through the Binder mechanism of the Andro id system, but the description is merely exemplary. The invention is also applicable to other communication mechanisms.
根据本发明, 预先在 Andro id系统中找到各个服务所在的进程, 在步 骤 S101中, 将拦截动态库加载到服务所在的进程。根据本发明的实施例, 例如可以通过 Andro id系统所基于的 L inux系统提供的应用程序编程接口 ( Appl i ca t ion Programming Int erface, API ) d lopen 来将该拉截动态 库加载到所述服务所在的进程。 根据本发明的实施例, 在步骤 S101执行 之前, 可以暂停所述进程, 例如可以通过 Linux系统提供的应用程序编程 接口 pt race来实现此暂停操作。  According to the present invention, the process in which each service is located is found in the Andro id system in advance, and in step S101, the interception dynamic library is loaded to the process in which the service is located. According to an embodiment of the present invention, the pull dynamic library can be loaded into the The process in which the service is located. According to an embodiment of the present invention, the process may be suspended before execution of step S101, for example, by the application programming interface pt race provided by the Linux system.
在上述步骤 S101之后, 执行步骤 S102 , 其中, 将所述进程中的输入 输出控制函数的地址替换为所述拦截动态库的第一地址。根据本发明的实 施例, 所述输入输出控制函数是 Binder机制中的 I0CTL函数。 所述拦截 动态库的第一地址用于执行所述拦截动态库。 在步骤 S102执行之后, 可 以恢复所述进程。  After the above step S101, step S102 is performed, in which the address of the input/output control function in the process is replaced with the first address of the intercepting dynamic library. According to an embodiment of the invention, the input and output control function is an I0CTL function in the Binder mechanism. The first address of the intercepting dynamic library is used to execute the intercepting dynamic library. After the execution of step S102, the process can be resumed.
接下来, 在步骤 S103 中, 在应用程序对所述服务进行调用时, 基于 所述第一地址执行所述拦截动态库 , 以获得所述应用程序的信息和所述调 用的信息,并且将所述调用的信息中包括的要被调用的服务的地址替换为 所述拦截动态库的第二地址。 才艮据本发明的实施例, 在所述应用程序通过 Binder机制来对所述服务进行调用时,将到达所述 I0CTL函数,由于 I0CTL 函数的地址已经被替换为所述拦截动态库的第一地址, 因此就将基于所述 第一地址执行所述拦截动态库。 此时, 所述拦截动态库就可以通过所述 I0CTL函数而先于 Andro id系统获得所述应用程序的信息和所述调用的信 根据本发明的实施例,所述应用程序的信息包括所述应用程序的名称 和描述,所述调用的信息包括所述调用的接口序号以及要被调用的服务的 地址。 将所述要被调用的服务的地址替换为所述拦截动态库的第二地址, 可以基于该第二地址来显示所述应用程序的信息和所述调用的信息,并且 根据对于所述调用的选择来对所述调用执行处理。  Next, in step S103, when the application invokes the service, executing the intercepting dynamic library based on the first address, obtaining information of the application and the invoked information, and The address of the service to be called included in the called information is replaced with the second address of the intercepting dynamic library. According to an embodiment of the present invention, when the application calls the service through the Binder mechanism, the I0CTL function will be reached, since the address of the IOCTTL function has been replaced with the first of the intercepting dynamic library. The address, so the intercepting dynamic library will be executed based on the first address. At this time, the intercepting dynamic library may obtain the information of the application and the called message according to the Andro id system by using the IOCT function according to an embodiment of the present invention, where the information of the application includes the The name and description of the application, the information of the call includes the interface number of the call and the address of the service to be called. Replacing the address of the service to be called with the second address of the intercepting dynamic library, the information of the application and the called information may be displayed based on the second address, and according to the call Select to perform processing on the call.
由于所述要被调用的服务的地址已经被替换为所述拦截动态库的第 二地址, 因此, 在步骤 S104 中, 就将基于所述第二地址, 来显示所述应 用程序的信息和所述调用的信息,并且根据在电子设备上通过操作系统对 于所述调用的选择来执行处理。 Since the address of the service to be called has been replaced with the second address of the intercepting dynamic library, in step S104, the information and the application of the application will be displayed based on the second address. Said information, and according to the operating system on the electronic device Processing is performed on the selection of the call.
图 2 是根据本发明的实施例的在电子设备上通过操作系统对于调用 进行选择的示例视图。 参见图 2 , 将应用程序的信息和调用的信息显示在 移动电话的显示屏上,并向用户询问是否允许所述应用程序对所述服务的 调用。 在用户选择了允许所述应用程序对所述服务的调用的情况下, 根据 所述服务的地址执行所述调用, 并向所述应用程序返回实际服务结果; 或 者在用户选择了不允许所述应用程序对所述服务的调用的情况下 ,向所述 应用程序返回预先定义的服务结果。所述预先定义的服务结果可以例如是 表示所述调用已经成功的服务结果,以便令所述应用程序认为其对于所述 服务的调用已经成功, 而对于根据本发明的实施例所进行的拦截一无所 知。  2 is an exemplary view of a selection of an invocation by an operating system on an electronic device in accordance with an embodiment of the present invention. Referring to Fig. 2, the information of the application and the called information are displayed on the display screen of the mobile phone, and the user is asked whether to allow the application to make a call to the service. In the case where the user selects to allow the application to make a call to the service, the call is performed according to the address of the service, and the actual service result is returned to the application; or when the user selects not to allow the In the case of an application's call to the service, a predefined service result is returned to the application. The predefined service result may, for example, be a service result indicating that the call has been successful, in order for the application to consider that its call to the service has succeeded, and to intercept the interception according to an embodiment of the present invention. Nothing to know.
根据本发明的原理,用户可以按照所显示的应用程序的信息和调用的 信息来判断所述应用程序是否为恶意应用程序 ,并在判断为非恶意的正常 应用程序的情况下选择允许该应用程序对于服务的调用,以保证该应用程 序的正常执行; 而在判断为恶意应用程序(例如通过所显示的应用程序的 信息或者调用的信息得知其为恶意应用程序)的情况下选择不允许该应用 程序对于服务的调用, 以保证系统安全, 同时向该恶意应用程序返回表示 调用已经成功的虛假服务结果,从而使该恶意应用程序对于根据本发明所 进行的拦截一无所知。  According to the principle of the present invention, the user can judge whether the application is a malicious application according to the displayed information of the application and the called information, and select to allow the application if it is determined to be a non-malicious normal application. For the invocation of the service to ensure the normal execution of the application; and in the case of determining that the malicious application (for example, by the information of the displayed application or the information of the called to know that it is a malicious application), the selection does not allow the The application invokes the service to ensure system security, while returning to the malicious application a false service result indicating that the call has succeeded, thereby rendering the malicious application unaware of the interception performed in accordance with the present invention.
下面以恶意应用程序 A发起对于拨打扣费电话号码 888的请求为例, 对于本发明的原理进行描述, 但此描述仅仅是示例性的, 本发明可应用于 拦截任何恶意应用程序。  The following describes the principle of the present invention with the malicious application A initiating a request to dial the debit phone number 888, but the description is merely exemplary, and the present invention is applicable to intercepting any malicious application.
根据本发明的实施例,预先在 Android系统中找到各个服务所在的进 程(包括通话服务所在的进程, 假设其名称为进程 S ) , 将拦截动态库加 载到各个服务所在的进程 (包括进程 S ) 。 恶意应用程序 A为了拨打扣费 电话号码 888 , 需要对于通话服务进行调用, 其会首先发起对于通话接口 的访问。  According to an embodiment of the present invention, the process in which each service is located in the Android system (including the process in which the call service is located, assuming that the name is the process S) is pre-loaded, and the interception dynamic library is loaded into the process (including the process S) where each service is located. . The malicious application A needs to make a call to the call service in order to dial the charge number 888, which first initiates access to the call interface.
根据本发明的实施例, 将 Binder机制中的 I0CTL函数的地址替换为 所述拦截动态库的第一地址。 由于恶意应用程序 A会通过 Binder机制来 实现对通话服务的调用, 因此其会执行 Binder机制中的 I0CTL函数。 该 I0CTL已被替换为所述第一地址, 因而将基于第一地址执行所述拦截动态 库。 此时, 所述拦截动态库就可以通过所述 I0CTL函数而先于 Android系 统获得所述应用程序的信息(恶意程序 A及其描述)和所述调用的信息(调 用通话服务, 拨打电话号码 888 ) 。 然后, 将所述通话服务的地址替换为 拦截动态库的第二地址。 According to an embodiment of the invention, the address of the IOCT function in the Binder mechanism is replaced with the first address of the intercepting dynamic library. Since the malicious application A will implement the call service through the Binder mechanism, it will execute the I0CTL function in the Binder mechanism. The IOCCTL has been replaced with the first address, and thus the interception dynamic library will be executed based on the first address. At this time, the intercepting dynamic library can be prior to the Android system through the IOCTTL function. The information of the application (the malicious program A and its description) and the called information (calling the call service, dialing the telephone number 888) are obtained. Then, the address of the call service is replaced with the second address of the interception dynamic library.
接下来, 由于通话服务的地址已被替换为所述第二地址, 因此将基于 第二地址,来在移动电话的显示屏上显示恶意应用程序 A的信息和有关其 希望调用通话服务来拨打电话号码 888的信息。 用户根据上述信息, 选择 不允许恶意应用程序 A对于通话服务的调用。 此时, 不进行调用, 而是直 接向恶意应用程序 A返回预先定义的服务结果,即表示所述调用已经成功 的服务结果, 以便令恶意应用程序 A 认为其对于通话服务的调用已经成 功, 而对于根据本发明的实施例所进行的拦截一无所知。  Next, since the address of the call service has been replaced with the second address, the information of the malicious application A and the call service for calling the call service are displayed on the display screen of the mobile phone based on the second address. Number 888 information. Based on the above information, the user chooses not to allow malicious application A to call the call service. At this point, instead of making a call, the pre-defined service result is returned directly to the malicious application A, that is, the service result indicating that the call has been successful, so that the malicious application A thinks that its call to the call service has succeeded, and Nothing is known about the interception performed in accordance with an embodiment of the present invention.
本发明提供了一种用于拦截电子设备的操作系统中应用程序对服务 的调用的方法。 本发明能够在应用程序对服务进行调用时, 对于调用进行 拦截, 并显示有关应用程序和调用的信息, 这样就可以根据此信息来选择 是否允许应用程序对服务的调用。在例如恶意应用程序对服务调用的情况 下, 就可以拒绝该调用, 并向恶意应用程序返回该调用成功的虛 支服务结 果, 使恶意应用程序无法发现, 从而提高了系统的安全性。  The present invention provides a method for intercepting an application's call to a service in an operating system of an electronic device. The present invention is capable of intercepting calls and displaying information about applications and calls when the application makes a call to the service, so that it can be selected based on this information to allow the application to invoke the service. In the case of, for example, a malicious application calling a service, the call can be rejected and the virtual service result of the successful call can be returned to the malicious application, so that the malicious application cannot be found, thereby improving the security of the system.
根据本发明, 可以拦截恶意应用程序偷窥电子设备用户的隐私信息 (包括联系人信息、通话记录、短信、 彩信、各种账户及密码等)的行为, 防止恶意应用程序拨打扣费电话、发送扣费短信、访问耗费网络流量的网 站, 防止恶意应用程序安装木马和病毒程序, 防止恶意应用程序记录用户 的 GPS或网络定位, 拦截恶意应用程序弹出骚扰广告信息等等, 可以对于 任何恶意应用程序对于服务的调用进行拦截, 从而提高了系统的安全性。  According to the present invention, the malicious application can intercept the privacy information of the electronic device user (including contact information, call history, short message, multimedia message, various accounts and passwords, etc.), and prevent the malicious application from dialing the charge call and sending the buckle. Pay SMS, visit websites that consume network traffic, prevent malicious applications from installing Trojans and virus programs, prevent malicious applications from recording users' GPS or network location, block malicious applications from popping up harassment ads, etc., for any malicious application. The call of the service is intercepted, thereby improving the security of the system.
与上述的方法 100相对应,本发明还提供了一种用于拦截电子设备的 操作系统中应用程序对服务的调用的装置 200 , 参见图 3 , 该装置 200包 括:  Corresponding to the method 100 described above, the present invention also provides an apparatus 200 for intercepting an application's call to a service in an operating system of an electronic device. Referring to Figure 3, the apparatus 200 includes:
加载模块 210 , 用于将拦截动态库加载到服务所在的进程, 该加载模 块 210可以用于执行上述方法 100中的步骤 S101 ;  The loading module 210 is configured to load the intercepting dynamic library into the process where the service is located, and the loading module 210 can be used to perform step S101 in the foregoing method 100;
第一替换模块 220 , 用于将所述进程中的输入输出控制函数的地址替 换为所述拦截动态库的第一地址,该第一替换模块 220可以用于执行上述 方法 100中的步骤 S102 ; a first replacement module 220, configured to replace an address of the input/output control function in the process with a first address of the intercepting dynamic library, where the first replacement module 220 is configured to perform step S10 2 in the foregoing method 100. ;
第二替换模块 230 , 用于在应用程序对所述服务进行调用时, 基于所 述第一地址执行所述拦截动态库,以获得所述应用程序的信息和所述调用 的信息,并且将所述调用的信息中包括的要被调用的服务的地址替换为所 述拦截动态库的第二地址, 该第二替换模块 230 可以用于执行上述方法 100中的步骤 S103; 以及 a second replacement module 230, configured to execute the intercepting dynamic library based on the first address when the application invokes the service, to obtain information about the application and the calling Information, and the address of the service to be called included in the called information is replaced with the second address of the intercepting dynamic library, the second replacement module 230 can be used to perform step S103 in the above method 100; as well as
处理模块 240, 用于基于所述第二地址, 显示所述应用程序的信息和 所述调用的信息,并且根据在电子设备上通过操作系统对于所述调用的选 择来执行处理 ,该处理模块 240可以用于执行上述方法 100中的步骤 S 104。  The processing module 240 is configured to display information about the application and the invoked information based on the second address, and perform processing according to selection of the call by an operating system on an electronic device, the processing module 240 It can be used to perform step S104 in the above method 100.
在本发明的优选实施例中,在所述应用程序对所述服务的调用被选择 为允许的情况下, 所述处理模块 240根据所述服务的地址执行所述调用 , 并向所述应用程序返回实际服务结果;或者在所述应用程序对所述服务的 调用被选择为不允许的情况下,所述处理模块 240向所述应用程序返回预 先定义的服务结果。  In a preferred embodiment of the present invention, in the case where the application's call to the service is selected as allowed, the processing module 240 performs the call according to the address of the service, and to the application Returning the actual service result; or in the event that the application's call to the service is selected to be disallowed, the processing module 240 returns a predefined service result to the application.
在本发明的优选实施例中,所述装置 200还包括用于在所述加载模块 210 将拦截动态库加载到服务所在的进程之前暂停所述进程的暂停模块 250、 以及用于在所述第一替换模块 220将所述进程中的输入输出控制函 数的地址替换为所述拦截动态库的第一地址之后恢复所述进程的恢复模 块 260。  In a preferred embodiment of the present invention, the apparatus 200 further includes a suspending module 250 for suspending the process before the loading module 210 loads the intercepting dynamic library to a process in which the service is located, and for the A replacement module 220 replaces the address of the input-output control function in the process with the recovery module 260 that resumes the process after intercepting the first address of the dynamic library.
在本发明的优选实施例中 ,所述应用程序的信息包括所述应用程序的 名称和描述,所述调用的信息包括所述调用的接口序号以及要被调用的服 务的地址。  In a preferred embodiment of the invention, the information of the application includes the name and description of the application, and the information of the call includes the interface number of the call and the address of the service to be called.
在本发明的优选实施例中, 所述操作系统是 Andro id系统, 所述应用 程序通过 Andro id系统的 Binder机制对所述服务进行调用。  In a preferred embodiment of the present invention, the operating system is an Andro id system, and the application invokes the service through a Binder mechanism of the Andro id system.
在本发明的优选实施例中, 所述输入输出控制函数是 Binder机制中 的 I0CTL函数。  In a preferred embodiment of the invention, the input and output control function is an I0CTL function in the Binder mechanism.
在本发明的优选实施例中, 在应用程序对所述服务进行调用时, 所述 第二替换模块 230 基于所述第一地址执行所述拦截动态库, 以通过所述 In a preferred embodiment of the present invention, when the application invokes the service, the second replacement module 230 executes the intercepting dynamic library based on the first address to pass the
I0CTL函数而先于 Andro id系统获得所述应用程序的信息和所述调用的信 if The I0CTL function obtains the information of the application and the letter of the call before the Andro id system.
由于上述各装置实施例与前述各方法实施例相对应 ,因此不再对各装 置实施例进行详细描述。  Since the above-described respective device embodiments correspond to the foregoing respective method embodiments, the respective device embodiments will not be described in detail.
本发明的各个部件实施例可以以硬件实现, 或者以在一个或者多个 处理器上运行的软件模块实现, 或者以它们的组合实现。 本领域的技术 人员应当理解, 可以在实践中使用微处理器或者数字信号处理器 (DSP ) 来实现根据本发明实施例的用于拦截电子设备的操作系统中应用程序对 服务的调用的装置中的一些或者全部部件的一些或者全部功能。本发明还 可以实现为用于执行这里所描述的方法的一部分或者全部的设备或者装 置程序 (例如, 计算机程序和计算机程序产品) 。 这样的实现本发明的 程序可以存储在计算机可读介质上, 或者可以具有一个或者多个信号的 形式。 这样的信号可以从因特网网站上下载得到, 或者在载体信号上提 供, 或者以任何其他形式提供。 The various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) can be used in practice. Some or all of the functionality of some or all of the means for intercepting an application's call to a service in an operating system of an electronic device in accordance with an embodiment of the present invention is implemented. The invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
例如,图 4示出了可以实现根据本发明的用于拦截电子设备的操作系 统中应用程序对服务的调用的方法的服务器, 例如应用服务器。 该服务器 传统上包括处理器 410和以存储器 420形式的计算机程序产品或者计算 机可读介质。 存储器 420 可以是诸如闪存、 EEPR0M (电可擦除可编程只 读存储器) 、 EPR0M、 硬盘或者 ROM之类的电子存储器。 存储器 420具有 用于执行上述方法中的任何方法步骤的程序代码 431的存储空间 430。例 如, 用于程序代码的存储空间 430 可以包括分别用于实现上面的方法中 的各种步骤的各个程序代码 431。这些程序代码可以从一个或者多个计算 机程序产品中读出或者写入到这一个或者多个计算机程序产品中。 这些 计算机程序产品包括诸如硬盘, 紧致盘 (CD ) 、 存储卡或者软盘之类的 程序代码载体。 这样的计算机程序产品通常为如参考图 5 所述的便携式 或者固定存储单元。该存储单元可以具有与图 4的服务器中的存储器 420 类似布置的存储段、 存储空间等。 程序代码可以例如以适当形式进行压 缩。 通常, 存储单元包括计算机可读代码 431, , 即可以由例如诸如 410 之类的处理器读取的代码, 这些代码当由服务器运行时, 导致该服务器 执行上面所描述的方法中的各个步骤。  For example, Figure 4 illustrates a server, such as an application server, that can implement a method for intercepting an application's call to a service in an operating system of an electronic device in accordance with the present invention. The server conventionally includes a processor 410 and a computer program product or computer readable medium in the form of a memory 420. Memory 420 can be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, hard disk or ROM. Memory 420 has a memory space 430 for program code 431 for performing any of the method steps described above. For example, storage space 430 for program code may include various program code 431 for implementing various steps in the above methods, respectively. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks. Such computer program products are typically portable or fixed storage units as described with reference to Figure 5. The storage unit may have a storage section, a storage space, and the like arranged similarly to the storage 420 in the server of FIG. The program code can be compressed, for example, in an appropriate form. Typically, the storage unit includes computer readable code 431, i.e., code that can be read by a processor, such as 410, which, when executed by a server, causes the server to perform various steps in the methods described above.
本文中所称的 "一个实施例" 、 "实施例" 或者 "一个或者多个实 施例" 意味着, 结合实施例描述的特定特征、 结构或者特性包括在本发 明的至少一个实施例中。 此外, 请注意, 这里 "在一个实施例中" 的词 语例子不一定全指同一个实施例。  "an embodiment," or "an embodiment," or "one or more embodiments" as used herein means that the particular features, structures, or characteristics described in connection with the embodiments are included in at least one embodiment of the invention. In addition, it should be noted that the phrase "in one embodiment" herein does not necessarily refer to the same embodiment.
在此处所提供的说明书中, 说明了大量具体细节。 然而, 能够理解, 本发明的实施例可以在没有这些具体细节的情况下被实践。 在一些实例 中, 并未详细示出公知的方法、 结构和技术, 以便不模糊对本说明书的 理解。  Numerous specific details are set forth in the description provided herein. However, it is understood that the embodiments of the invention may be practiced without these specific details. In some instances, well known methods, structures, and techniques have not been shown in detail so as not to obscure the description.
应该注意的是上述实施例对本发明进行说明而不是对本发明进行限 制, 并且本领域技术人员在不脱离所附权利要求的范围的情况下可设计 出替换实施例。 在权利要求中, 不应将位于括号之间的任何参考符号构 造成对权利要求的限制。 单词 "包含" 不排除存在未列在权利要求中的 元件或步骤。 位于元件之前的单词 "一" 或 "一个" 不排除存在多个这 样的元件。 本发明可以借助于包括有若干不同元件的硬件以及借助于适 当编程的计算机来实现。 在列举了若干装置的单元权利要求中, 这些装 置中的若干个可以是通过同一个硬件项来具体体现。 单词第一、 第二、 以及第三等的使用不表示任何顺序。 可将这些单词解释为名称。 It should be noted that the above embodiments illustrate the invention and are not intended to limit the invention. Alternative embodiments can be devised by those skilled in the art without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as a limitation. The word "comprising" does not exclude the presence of the elements or steps that are not in the claims. The word "a" or "an" preceding a component does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means can be embodied by the same hardware item. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
此外, 还应当注意, 本说明书中使用的语言主要是为了可读性和教 导的目的而选择的, 而不是为了解释或者限定本发明的主题而选择的。 因此, 在不偏离所附权利要求书的范围和精神的情况下, 对于本技术领 域的普通技术人员来说许多修改和变更都是显而易见的。 对于本发明的 范围, 对本发明所做的公开是说明性的, 而非限制性的, 本发明的范围 由所附权利要求书限定。  In addition, it should be noted that the language used in the specification has been selected primarily for the purpose of readability and teaching, and is not intended to be interpreted or limited. Therefore, many modifications and variations will be apparent to those of ordinary skill in the art. The disclosure of the present invention is intended to be illustrative, and not restrictive, and the scope of the invention is defined by the appended claims.

Claims

权 利 要 求 Rights request
1. 一种用于拦截电子设备的操作系统中应用程序对服务的调用的方 法 (100 ) , 包括: A method (100) for intercepting an application's call to a service in an operating system of an electronic device, comprising:
将拦截动态库加载到服务所在的进程 (S101 ) ;  Loading the intercepting dynamic library into the process where the service is located (S101);
将所述进程中的输入输出控制函数的地址替换为所述拦截动态库的 第一地址(S102 ) ;  Replacing an address of the input/output control function in the process with a first address of the intercepting dynamic library (S102);
在应用程序对所述服务进行调用时,基于所述第一地址执行所述拦截 动态库, 以获得所述应用程序的信息和所述调用的信息, 并且将所述调用 的信息中包括的要被调用的服务的地址替换为所述拦截动态库的第二地 址(S103 ) ; 以及  When the application makes a call to the service, executing the intercepting dynamic library based on the first address, obtaining information about the application and the called information, and including the information included in the called information The address of the called service is replaced with the second address of the intercepting dynamic library (S103);
基于所述第二地址, 显示所述应用程序的信息和所述调用的信息, 并 且根据在电子设备上通过操作系统对于所述调用的选择来执行处理 ( S104 ) 。  Based on the second address, information of the application and the invoked information are displayed, and processing is performed according to selection of the call by an operating system on the electronic device (S104).
2. 如权利要求 1所述的方法, 其中根据在电子设备上通过操作系统 对于所述调用的选择来执行处理的步骤包括:在选择了允许所述应用程序 对所述服务的调用的情况下, 根据所述服务的地址执行所述调用, 并向所 述应用程序返回实际服务结果;或者在选择了不允许所述应用程序对所述 服务的调用的情况下, 向所述应用程序返回预先定义的服务结果。  2. The method of claim 1, wherein the step of performing processing according to selection of the call by an operating system on an electronic device comprises: in the case where a call to the application is permitted to be selected by the application Executing the call according to the address of the service, and returning an actual service result to the application; or returning to the application in advance if the application is not allowed to invoke the service Defined service results.
3. 如权利要求 1或 2所述的方法, 还包括在将拦截动态库加载到服 务所在的进程 ( S101 )的步骤之前暂停所述进程, 以及在将所述进程中的 输入输出控制函数的地址替换为所述拦截动态库的第一地址( S102 )的步 骤之后恢复所述进程。  3. The method according to claim 1 or 2, further comprising suspending the process before loading the intercepting dynamic library to the process in which the service is located (S101), and outputting the control function in the process of inputting the process The process is resumed after the step of replacing the address with the first address of the intercepting dynamic library (S102).
4. 如权利要求 1或 2所述的方法, 其中所述应用程序的信息包括所 述应用程序的名称和描述,所述调用的信息包括所述调用的接口序号以及 要被调用的服务的地址。  4. The method according to claim 1 or 2, wherein the information of the application includes a name and a description of the application, and the information of the call includes an interface number of the call and an address of a service to be called. .
5. 如权利要求 1或 2所述的方法, 其中所述操作系统是 Andro id系 统,所述应用程序通过 Andro id系统的 Binder机制对所述服务进行调用。  The method according to claim 1 or 2, wherein the operating system is an Andro id system, and the application calls the service through a Binder mechanism of the Andro id system.
6. 如权利要求 5所述的方法, 其中所述输入输出控制函数是 Binder 机制中的 I0CTL函数。 6. The method of claim 5, wherein the input and output control function is an IOCTTL function in a Binder mechanism.
7. 如权利要求 5所述的方法, 其中在应用程序对所述服务进行调用 时, 基于所述第一地址执行所述拦截动态库, 以通过所述 I0CTL函数而先 于 Andro id系统获得所述应用程序的信息和所述调用的信息。 7. The method of claim 5, wherein when the application makes a call to the service, executing the intercepting dynamic library based on the first address to obtain the prior to the Andro id system by the IOCT function The information of the application and the information of the call.
8. 一种用于拦截电子设备的操作系统中应用程序对服务的调用的装 置 ( 200 ) , 包括:  8. A device (200) for intercepting an application's call to a service in an operating system of an electronic device, comprising:
加载模块(210 ) , 用于将拦截动态库加载到服务所在的进程; 第一替换模块( 220 ) , 用于将所述进程中的输入输出控制函数的地 址替换为所述拦截动态库的第一地址;  a loading module (210), configured to load the intercepting dynamic library into a process where the service is located; a first replacement module (220), configured to replace an address of the input/output control function in the process with the intercepting dynamic library An address
第二替换模块( 230 ) , 用于在应用程序对所述服务进行调用时, 基 于所述第一地址执行所述拦截动态库,以获得所述应用程序的信息和所述 调用的信息,并且将所述调用的信息中包括的要被调用的服务的地址替换 为所述拦截动态库的第二地址; 以及  a second replacement module (230), configured to execute the intercepting dynamic library based on the first address when the application invokes the service, to obtain information about the application and the invoked information, and Replacing the address of the service to be called included in the invoked information with the second address of the intercepting dynamic library;
处理模块 ( 240 ) , 用于基于所述第二地址, 显示所述应用程序的信 息和所述调用的信息,并且根据在电子设备上通过操作系统对于所述调用 的选择来执行处理。  The processing module (240) is configured to display information of the application and the invoked information based on the second address, and perform processing according to selection of the call by an operating system on an electronic device.
9. 如权利要求 8所述的装置, 其中在所述应用程序对所述服务的调 用被选择为允许的情况下, 所述处理模块( 240 )根据所述服务的地址执 行所述调用, 并向所述应用程序返回实际服务结果; 或者在所述应用程序 对所述服务的调用被选择为不允许的情况下, 所述处理模块( 240 ) 向所 述应用程序返回预先定义的服务结果。  9. The apparatus of claim 8, wherein in the case where the application's call to the service is selected to be allowed, the processing module (240) performs the call according to an address of the service, and Returning the actual service result to the application; or in the event that the application's call to the service is selected to be disallowed, the processing module (240) returns a predefined service result to the application.
10. 如权利要求 8或 9所述的装置,还包括用于在所述加载模块( 210 ) 将拦截动态库加载到服务所在的进程之前暂停所述进程的暂停模块 10. Apparatus according to claim 8 or claim 9, further comprising a pause module for suspending the process before the load module (210) loads the intercept dynamic library to the process in which the service is located
( 250 ) , 以及用于在所述第一替换模块( 220 )将所述进程中的输入输出 控制函数的地址替换为所述拦截动态库的第一地址之后恢复所述进程的 恢复模块( 260 ) 。 (250), and a recovery module for restoring the process after the first replacement module (220) replaces an address of the input/output control function in the process with the first address of the intercepting dynamic library (260) ).
11. 如权利要求 8或 9所述的装置, 其中所述应用程序的信息包括所 述应用程序的名称和描述,所述调用的信息包括所述调用的接口序号以及 要被调用的服务的地址。  The apparatus according to claim 8 or 9, wherein the information of the application includes a name and a description of the application, and the information of the call includes an interface serial number of the call and an address of a service to be called. .
12. 如权利要求 8 或 9 所述的装置, 其中所述操作系统是 Andro id 系统, 所述应用程序通过 Andro id系统的 Binder机制对所述服务进行调 用。 12. The apparatus according to claim 8 or 9, wherein the operating system is an Andro id system, and the application tunes the service through a Binder mechanism of an Andro id system use.
13. 如权利要求 12 所述的装置, 其中所述输入输出控制函数是 Binder机制中的 I0CTL函数。  13. The apparatus of claim 12, wherein the input and output control function is an IOCCTL function in a Binder mechanism.
14. 如权利要求 12所述的装置, 其中在应用程序对所述服务进行调 用时, 所述第二替换模块( 230 )基于所述第一地址执行所述拦截动态库, 以通过所述 I0CTL函数而先于 Android系统获得所述应用程序的信息和所 述调用的信息。  14. The apparatus of claim 12, wherein when the application invokes the service, the second replacement module (230) executes the intercept dynamic library based on the first address to pass the IOCTL The function obtains the information of the application and the called information before the Android system.
15、 一种计算机程序, 包括计算机可读代码, 当所述计算机可读代 码在服务器上运行时, 导致所述服务器执行根据权利要求 1-7 中的任一 个所述的用于拦截电子设备的操作系统中应用程序对服务的调用的方法。  15. A computer program comprising computer readable code, when the computer readable code is run on a server, causing the server to perform the interception of an electronic device according to any one of claims 1-7 The method of the application's call to the service in the operating system.
16、 一种计算机可读介质, 其中存储了如权利要求 15所述的计算机 程序。  A computer readable medium storing the computer program of claim 15.
PCT/CN2013/076450 2012-06-07 2013-05-30 Method and device for use in intercepting call for service by application WO2013182005A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201210186961.7 2012-06-07
CN201210186961.7A CN102693394B (en) 2012-06-07 2012-06-07 Method and device for intercepting calling for service of application program

Publications (1)

Publication Number Publication Date
WO2013182005A1 true WO2013182005A1 (en) 2013-12-12

Family

ID=46858819

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/076450 WO2013182005A1 (en) 2012-06-07 2013-05-30 Method and device for use in intercepting call for service by application

Country Status (2)

Country Link
CN (1) CN102693394B (en)
WO (1) WO2013182005A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109726548A (en) * 2018-12-29 2019-05-07 360企业安全技术(珠海)有限公司 Processing method, server, system and the storage medium of application behavior

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103108320A (en) 2011-11-15 2013-05-15 网秦无限(北京)科技有限公司 Method and system for monitoring application program of mobile device
CN102693395B (en) * 2012-06-07 2015-02-11 北京奇虎科技有限公司 Method and device for intercepting calling of application program for service
CN102693394B (en) * 2012-06-07 2015-04-22 北京奇虎科技有限公司 Method and device for intercepting calling for service of application program
CN103049707B (en) * 2012-12-21 2015-09-30 武汉大学 A kind of interception of the gps data based on Android platform control method
CN103116722A (en) 2013-02-06 2013-05-22 北京奇虎科技有限公司 Processing method, processing device and processing system of notification board information
CN103198255B (en) * 2013-04-03 2015-06-24 武汉大学 Method and system for monitoring and intercepting sensitive behaviour of Android software
CN109063467A (en) * 2013-05-27 2018-12-21 华为终端(东莞)有限公司 The method, apparatus and terminal of system function call
CN103763686A (en) * 2013-12-23 2014-04-30 北京奇虎科技有限公司 Processing method and device for short messages
CN105373734A (en) * 2014-09-01 2016-03-02 中兴通讯股份有限公司 Application data protection method and apparatus
CN105488386B (en) * 2014-10-13 2020-05-05 腾讯科技(深圳)有限公司 Protection method of iOS terminal and terminal
CN105893000A (en) * 2014-10-28 2016-08-24 北京确安科技股份有限公司 Method for preventing system time of test machine from being illegally modified
CN104484176B (en) * 2014-12-16 2018-01-19 北京奇虎科技有限公司 A kind of Android system window object acquisition methods and device
CN105183307B (en) * 2015-06-15 2018-05-04 北京奇虎科技有限公司 Application messages display control method and device
CN105516089B (en) * 2015-11-27 2019-04-12 北京指掌易科技有限公司 A kind of stable Security distillation method and apparatus
CN106909838A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of method and device of hooking system service call
CN107979684A (en) * 2016-10-21 2018-05-01 中兴通讯股份有限公司 Right management method, device and terminal
CN107068150A (en) * 2017-05-03 2017-08-18 安利军 A kind of Android intelligent sounds control method and system
CN108446149B (en) * 2018-02-28 2021-07-20 北京凌宇智控科技有限公司 Third-party dynamic library interface interception method and system
CN108762825B (en) * 2018-04-20 2021-04-27 烽火通信科技股份有限公司 Method and system for realizing heavy load of dynamic library
CN109639884A (en) * 2018-11-21 2019-04-16 惠州Tcl移动通信有限公司 A kind of method, storage medium and terminal device based on Android monitoring sensitive permission
CN111367684B (en) * 2018-12-26 2023-11-10 北京天融信网络安全技术有限公司 Method and device for filtering remote procedure call
CN109992328B (en) * 2019-03-14 2023-05-12 北京椒图科技有限公司 Function redirection method and device
CN113704753A (en) * 2020-05-22 2021-11-26 网神信息技术(北京)股份有限公司 Method and device for intercepting and replacing system call, electronic equipment and medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
CN101493873A (en) * 2009-03-04 2009-07-29 浪潮电子信息产业股份有限公司 Read-write operation access control method for WIN platform based on inner core layer technology
CN101620660A (en) * 2009-07-31 2010-01-06 北京大学 Method for defending hooks in Windows operating system
US7797733B1 (en) * 2004-01-08 2010-09-14 Symantec Corporation Monitoring and controlling services
CN102693394A (en) * 2012-06-07 2012-09-26 奇智软件(北京)有限公司 Method and device for intercepting calling for service of application program
CN102693395A (en) * 2012-06-07 2012-09-26 奇智软件(北京)有限公司 Method and device for intercepting calling of application program for service
CN103198255A (en) * 2013-04-03 2013-07-10 武汉大学 Method and system for monitoring and intercepting sensitive behaviour of Android software

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5974549A (en) * 1997-03-27 1999-10-26 Soliton Ltd. Security monitor
US7797733B1 (en) * 2004-01-08 2010-09-14 Symantec Corporation Monitoring and controlling services
CN101493873A (en) * 2009-03-04 2009-07-29 浪潮电子信息产业股份有限公司 Read-write operation access control method for WIN platform based on inner core layer technology
CN101620660A (en) * 2009-07-31 2010-01-06 北京大学 Method for defending hooks in Windows operating system
CN102693394A (en) * 2012-06-07 2012-09-26 奇智软件(北京)有限公司 Method and device for intercepting calling for service of application program
CN102693395A (en) * 2012-06-07 2012-09-26 奇智软件(北京)有限公司 Method and device for intercepting calling of application program for service
CN103198255A (en) * 2013-04-03 2013-07-10 武汉大学 Method and system for monitoring and intercepting sensitive behaviour of Android software

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SHI, YONGLIN ET AL.: "Windows API Interception Method", COMPUTER KNOWLEDGE AND TECHNOLOGY, vol. 3, no. 9, September 2008 (2008-09-01), pages 1920 - 1922 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109726548A (en) * 2018-12-29 2019-05-07 360企业安全技术(珠海)有限公司 Processing method, server, system and the storage medium of application behavior

Also Published As

Publication number Publication date
CN102693394B (en) 2015-04-22
CN102693394A (en) 2012-09-26

Similar Documents

Publication Publication Date Title
WO2013182005A1 (en) Method and device for use in intercepting call for service by application
US9697353B2 (en) Method and device for intercepting call for service by application
US10623431B2 (en) Discerning psychological state from correlated user behavior and contextual information
US9811672B2 (en) Systems and methods for provisioning and using multiple trusted security zones on an electronic device
US9104840B1 (en) Trusted security zone watermark
US8667487B1 (en) Web browser extensions
Beresford et al. Mockdroid: trading privacy for application functionality on smartphones
US8484728B2 (en) Managing securely installed applications
US8850135B2 (en) Secure software installation
WO2018228199A1 (en) Authorization method and related device
US20110010759A1 (en) Providing a customized interface for an application store
US20130055387A1 (en) Apparatus and method for providing security information on background process
US10623410B2 (en) Multi-level, distributed access control between services and applications
CN110780930B (en) Method and device for starting Android system, electronic equipment and storage medium
WO2017156784A1 (en) Method and device for processing notification message, and terminal
WO2013133916A1 (en) Tiers of data storage for web applications and browser extensions
KR101837678B1 (en) Computing apparatus based on trusted execution environment
US9600662B2 (en) User configurable profiles for security permissions
CN111782416A (en) Data reporting method, device, system, terminal and computer readable storage medium
CN111079125A (en) Method and device for calling third-party library dynamic lifting authority by application program
US9628939B2 (en) Data calling method and device
WO2019015491A1 (en) Application program cloning method and apparatus, device and medium
CN112651040A (en) Permission application method, component, device and computer readable storage medium
WO2014039313A2 (en) Management of digital receipts
WO2016070690A1 (en) Method, device and system for realizing communication between application and webpage on terminal device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13801280

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13801280

Country of ref document: EP

Kind code of ref document: A1