Program monitoring method and defending method thereof, as well as relevant device

Abstract

The invention provides a program monitoring method and device. The program monitoring method comprises the following steps: writing in a skip instruction for positioned objective functions so as to perform a hook operation; distributing hook functions to registered Java callback functions, and preventing created temporary variables from being collected by a garbage collection mechanism of a system; enabling the objective functions which are not processed to skip back to hook positions, or else, continuing to process the objective functions. Through the adoption of the program monitoring method disclosed by the invention, any Java function of an Android system under an ART mode can be monitored without destroying the stack of the objective functions, so that the garbage collection mechanism of the ART can perform normal memory collection. The invention further provides a program defending method and device, which realize a defending mechanism of the Android system under the ART mode by adopting the program monitoring method disclosed by the invention.

Description

technical field [0001] The present invention relates to the technical field of computer software security. Specifically, the present invention relates to a program monitoring method and a related device, as well as a program defense method and a related device. Background technique [0002] The security defense technology in the Android system injects codes into the process in a known manner, hijacks the process function, and realizes the monitoring and response to the process by such means. The existing technology is mainly aimed at the Dalvik virtual Machine technology to achieve this purpose of security defense. Since Android 4.4, Android has gradually adopted the ART virtual machine instead of Dalvik, and there are some technical differences between the two. [0003] Dalvik is a Java virtual machine designed by Google itself for the Android platform. The Dalvik virtual machine is one of the core components of the Android mobile device platform jointly developed by manu...

AI Technical Summary

Problems solved by technology

Therefore, in the ART mode, it will become more difficult to attempt to monitor the functions called by the program process through the traditional security defense technology, especially some monitoring operations imposed on the process in the ART mode will be Improve the structure of its memory stack, leaving traces on the stack, resulting in memory access errors

[0006] More importantly, ART's garbage collection mechanism is also different from Dalvik. The former only recycles memory garbage in the virtual space, while the latter recycles garbage in the real space in a mixed environment. The memory data of itself, or the data of the monitored process itself, is prone to be improperly recycled by ART's garbage collection mechanism when resources are tight, causing the process to crash

In particular, after Android 5.0, the compact memory recovery mechanism will be used to move memory objects. If this change is not tracked, it will also cause memory access exceptions.

Images