Method and device for intercepting call for service by application

US 9,697,353 B2
Filed: 05/30/2013
Issued: 07/04/2017
Est. Priority Date: 06/07/2012
Status: Active Grant

First Claim

Patent Images

1. A method for intercepting a call for a service by an application among a plurality of applications running on an operating system of an electronic apparatus comprising:

loading, by at least one processor, an interception dynamic link library to a process where the service is located;

replacing, by the at least one processor, an address of an input/output control function in the process with a first address of the interception dynamic link library;

when the application is calling the service, executing, by the at least one processor, the interception dynamic link library based on the first address to obtain a name and information of the application and information of the call, and replacing an address of the service to be called included in the information of the call with a second address of the interception dynamic link library; and

determining, by the at least one processor, the application to be malicious or not, and executing processing based on the second address according to at least one of the name and the information of the application, wherein the determining the application to be malicious or not and executing processing according to at least one of the name and the information of the application further comprises;

comparing at least one of the name and the information of the application with information in a predefined database, and one of (a) executing the call according to the address of the service and returning an actual service result to the application, and (b) returning a predefined service result to the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a method and a device for intercepting a call for a service by an application in an operating system of an electronic apparatus. The method comprises: loading an interception dynamic link library to a process where the service is located; replacing the address of an input/output control function in the process with a first address of the interception dynamic link library; when the application is calling the service, executing the interception dynamic link library based on the first address so as to obtain the name and information of the application as well as the information of the call, and replacing the address of the service to be called comprised in the information of the call with a second address of the interception dynamic link library; and executing processing based on the second address according to the name and/or information of the application. The invention increases the security of the operating system of the electronic apparatus.

16 Citations

View as Search Results

18 Claims

1. A method for intercepting a call for a service by an application among a plurality of applications running on an operating system of an electronic apparatus comprising:
- loading, by at least one processor, an interception dynamic link library to a process where the service is located;
  
  replacing, by the at least one processor, an address of an input/output control function in the process with a first address of the interception dynamic link library;
  
  when the application is calling the service, executing, by the at least one processor, the interception dynamic link library based on the first address to obtain a name and information of the application and information of the call, and replacing an address of the service to be called included in the information of the call with a second address of the interception dynamic link library; and
  
  determining, by the at least one processor, the application to be malicious or not, and executing processing based on the second address according to at least one of the name and the information of the application, wherein the determining the application to be malicious or not and executing processing according to at least one of the name and the information of the application further comprises;
  
  comparing at least one of the name and the information of the application with information in a predefined database, and one of (a) executing the call according to the address of the service and returning an actual service result to the application, and (b) returning a predefined service result to the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as claimed in claim 1, wherein the determining the application to be malicious or not and executing processing according to the name of the application comprises one of:
    - (a) when the name of the application is included in a white list in a predefined database, executing the call according to the address of the service, and returning an actual service result to the application, (b) when the name of the application is included in a black list in the predefined database, returning a predefined service result to the application, and (c) when the name of the application is not included in the white list or in the black list in the predefined database, displaying the name and the information of the application and the information of the call, and executing processing according to a selection with respect to the call via the operating system of the electronic apparatus.
  - 3. The method as claimed in claim 2, wherein the determining the application to be malicious or not and executing processing according to the selection with respect to the call via the operating system on the electronic apparatus comprises one of:
    - (a) in the event that the call for the service by the application is allowed, executing the call according to the address of the service and returning the actual service result to the application, and (b) in the event that the call for the service by the application is not allowed, returning the predefined service result to the application.
  - 4. The method as claimed in claim 1, wherein the determining the application to be malicious or not and executing processing according to the name of the application comprises one of:
    - (a) when the information of the application comprises feature data in a predefined database, returning a predefined service result to the application, and (b) when the information of the application does not comprise the feature data in the predefined database, displaying the name and the information of the application and the information of the call, and executing processing according to a selection with respect to the call via the operating system on the electronic apparatus.
  - 5. The method as claimed in claim 4, wherein executing processing according to the selection with respect to the call via the operating system of the electronic apparatus comprises one of:
    - (a) in the event that the call for the service by the application is allowed, executing the call according to the address of the service, and returning an actual service result to the application and (b) in the event that the call for the service by the application is not allowed, returning the predefined service result to the application.
  - 6. The method as claimed in claim 1, further comprising:
    - suspending the process before loading the interception dynamic link library to the process where the service is located and resuming the process after replacing the address of an input/output control function in the process with the first address of the interception dynamic link library.
  - 7. The method as claimed in claim 1, wherein the information of the call comprises a sequence number of an interface of the call and the address of the service to be called.
  - 8. The method as claimed in claim 1, wherein the operating system is an Android operating system, and the application calls the service through a Binder mechanism of the Android operating system.
  - 9. The method as claimed in claim 8, wherein the input/output control function is an input/output control (IOCTL) function in the Binder mechanism.
  - 10. The method as claimed in claim 9, wherein when the application is calling the service, executing the interception dynamic link library based on the first address, to obtain, via the IOCTL function, the name and the information of the application and the information of the call ahead of the Android operating system.

11. A device for intercepting a call for a service by an application among a plurality of applications running on an operating system of an electronic apparatus comprising:
- a memory having instructions stored thereon; and
  
  at least one processor configured to execute the instructions to perform operations for intercepting a call for a service by an application in an operating system of an electronic apparatus, the operations comprising;
  
  loading an interception dynamic link library to a process where the service is located;
  
  replacing an address of an input/output control function in the process with a first address of the interception dynamic link library;
  
  when the application is calling the service, executing the interception dynamic link library based on the first address to obtain a name and information of the application and information of the call, and replacing an address of the service to be called included in the information of the call with a second address of the interception dynamic link library; and
  
  determining the application to be malicious or not and executing processing based on the second address according to at least one of the name and the information of the application, wherein the determining the application to be malicious or not and executing processing according to at least one of the name and the information of the application comprises;
  
  comparing at least one of the name and the information of the application with information in a predefined database, and one of (a) executing the call according to the address of the service and returning an actual service result to the application, and (b) returning a predefined service result to the application.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The device as claimed in claim 11, wherein the operation of determining the application to be malicious or not and executing processing according to the name of the application comprises:
    - (a) when the name of the application is included in a white list in a predefined database, executing the call according to the address of the service, and returning an actual service result to the application, or (b) when the name of the application is included in a black list in the predefined database, returning a predefined service result to the application, or (c) when the name of the application is not included in the white list or in the black list in the predefined database, displaying the name and the information of the application and the information of the call, and executing processing according to a selection with respect to the call via the operating system of the electronic apparatus.
  - 13. The device as claimed in claim 12, wherein the operation of determining the application to be malicious or not and executing processing according to the selection with respect to the call via the operating system of the electronic apparatus comprises:
    - (a) in the event that the call for the service by the application is allowed, executing the call according to the address of the service, and returning the actual service result to the application, or (b) in the event that the call for the service by the application is not allowed, returning the predefined service result to the application.
  - 14. The device as claimed in claim 11, wherein the operation of determining the application to be malicious or not and executing processing according to the information of the application comprises:
    - (a) returning a predefined service result to the application when the information of the application comprises feature data in a predefined database or (b) displaying the name and information of the application and the information of the call, and executing processing according to a selection with respect to the call via the operating system of the electronic apparatus when the information of the application does not comprise the feature data in the predefined database.
  - 15. The device as claimed in claim 11, the operations further comprising:
    - suspending the process before loading the interception dynamic link library to the process where the service is located and resuming the process after replacing the address of the input/output control function in the process with the first address of the interception dynamic link library.
  - 16. The device as claimed in claim 11, wherein the information of the call comprises a sequence number of an interface of the call and the address of the service to be called.
  - 17. The device as claimed in claim 11, wherein the operating system is an Android operating system, and the application calls the service through a Binder mechanism of the Android operating system.

18. A non-transitory computer readable medium having instructions stored thereon that, when executed by at least one processor, cause the at least one processor to perform operations for intercepting a call for a service by an application among a plurality of applications running on an operating system of an electronic apparatus comprising:
- loading an interception dynamic link library to a process where the service is located;
  
  replacing an address of an input/output control function in the process with a first address of the interception dynamic link library;
  
  when the application is calling the service, executing the interception dynamic link library based on the first address to obtain a name and information of the application and the information of the call, and replacing an address of the service to be called included in the information of the call with a second address of the interception dynamic link library; and
  
  determining the application to be malicious or not and executing processing based on the second address according to at least one of the name and the information of the application, wherein the determining the application to be malicious or not and executing processing according to at least one of the name and the information of the application further comprises;
  
  comparing at least one of the name and the information of the application with information in a predefined database, and one of (a) executing the call according to the address of the service and returning an actual service result to the application, and (b) returning a predefined service result to the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Ding, Yi, Li, Yuan
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
VU, PHY ANH TRAN

Application Number

US14/405,846
Publication Number

US 20150169872A1
Time in Patent Office

1,496 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 2221/033   Test or assess software

Method and device for intercepting call for service by application

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for intercepting call for service by application

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links