A game cheat behavior monitoring method based on HTTP traffic HOST field features

Document number: 1747469    Publication date: 2019-11-29    Views: 38    Language: Chinese

Reading note: this technique, 一种基于http流量host字段特征的游戏外挂行为监控方法 (A game cheat behavior monitoring method based on HTTP traffic HOST field features), was designed and created by 刘德建, 任佳伟 and 陈宏展 on 2019-08-19. Its main content is as follows: the invention provides a game cheat (外挂) behavior monitoring method based on HTTP traffic HOST field features, comprising the following steps: step S1, a client in the application layer of a Windows system creates a network filter driver in the driver layer; step S2, a HOST blacklist is established, storing the HOST domain-name strings contained in the HTTP packets sent by cheat programs; step S3, the network filter driver captures all TCP packets at the stream layer and compares the HOST domain-name parameter parsed from each TCP packet request with the HOST blacklist; if the domain-name parameter is identical to any domain-name string in the HOST blacklist, the game player is determined to be using a cheat. The invention can efficiently monitor the usage behavior of cheats with known HTTP traffic characteristics.

1. A game cheat behavior monitoring method based on HTTP traffic HOST field features, characterized in that the method comprises the following steps: step S1, a client in the application layer of a Windows system creates a network filter driver in the driver layer;

Step S2, a HOST blacklist is established, the HOST blacklist storing the HOST domain-name strings contained in the HTTP packets sent by cheat programs;

Step S3, the network filter driver captures all TCP packets at the stream layer and compares the HOST domain-name parameter parsed from each TCP packet request with the HOST blacklist; if the domain-name parameter is identical to any domain-name string in the HOST blacklist, the game player is determined to be using a cheat.

2. The game cheat behavior monitoring method based on HTTP traffic HOST field features according to claim 1, characterized in that step S2 specifically comprises: while the network filter driver is being created, the HOST domain names that a cheat program accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, the HOST blacklist is initialized, and during that initialization the network filter driver inserts all HOST domain names written in the file into the HOST blacklist.

3. The game cheat behavior monitoring method based on HTTP traffic HOST field features according to claim 1, characterized in that between step S2 and step S3 the method further comprises: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of the subsequent operations;

Step S22, the network filter driver registers a callback function that monitors data at the stream layer with the FwpsCalloutRegister function;

Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine (BFE) add the previously registered callback function;

Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data;

Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine (BFE) and associates the callback function with the sublayer; once the association is complete, whenever the sublayer captures a network packet the system calls the callback function associated with that sublayer with the packet; the stream-layer callback function is responsible for handling TCP packets.

4. The game cheat behavior monitoring method based on HTTP traffic HOST field features according to claim 3, characterized in that step S3 specifically comprises: step S31, when the stream-layer callback function is called, it checks whether the remote port of the packet is 80; if so, the packet is a TCP packet of the HTTP protocol and the method proceeds to step S32; otherwise the callback function returns;

Step S32, the callback function parses the packet content according to the HTTP message format, extracts the HOST field string from the HTTP TCP packet, then traverses the HOST blacklist, comparing the HOST field string with each blacklist entry as strings; if a blacklist entry identical to the HOST field string extracted from the TCP packet exists, the player is determined to be using a cheat.

5. The game cheat behavior monitoring method based on HTTP traffic HOST field features according to claim 4, characterized in that the callback function parsing the packet content according to the HTTP message format and extracting the HOST field string from the HTTP TCP packet specifically comprises the following steps:

Step 1, using a string matching algorithm, search the HTTP TCP packet for the string "Host:"; if it is not present, the process ends; if "Host:" is present, record the memory address of its first occurrence and set Start to the address of the byte immediately after the matched string;

Step 2, comparing byte by byte, search from Start up to the penultimate byte of the HTTP TCP packet for "\x0d\x0a", i.e. two consecutive bytes storing '\x0d' and '\x0a' respectively; if it is not found, exit the HOST extraction process; otherwise set End to the byte preceding the memory address that was found;

Step 3, the data stored in the memory between Start and End is the content of the HOST field of the HTTP TCP packet.

Technical field

The present invention relates to the fields of computer communication technology, software security and game cheat detection, and in particular to a game cheat behavior monitoring method based on HTTP traffic HOST field features.

Background technique

Existing cheat behavior monitoring modules usually use detection methods based on process memory scanning, for example scanning the memory space of a process to judge whether it contains cheat signatures; there is as yet no published kernel-layer means of monitoring game cheat behavior based on HTTP traffic HOST field features.

The existing game cheat behavior monitoring schemes above may be circumvented by cheats using methods such as hidden processes and memory polymorphism. The scheme described in this patent can still monitor such cheat usage behavior. In addition, this patent is precise and efficient when applied to monitoring cheat usage scenarios that have HTTP traffic HOST field features.

Explanation of technical terms:

The WFP filtering framework provided by Microsoft defines many layers in the transmission path of a network packet, for example the FWPM_LAYER_ALE_FLOW_ESTABLISHED_V4 layer (the flow-established layer), the FWPM_LAYER_STREAM_V4 layer (the stream layer) and the FWPM_LAYER_DATAGRAM_DATA_V4 layer (the datagram layer); because a packet must be encapsulated according to different network protocols at the bottom of the system, the data content captured at different layers differs. The FWPM_LAYER_STREAM_V4 layer (stream layer) referred to in this patent can capture all TCP packets with the IP headers already removed.

WFP (Windows Filtering Platform) is, in computer terminology, a Windows filtering platform used to filter network packets.

The Base Filtering Engine (BFE) is a user-mode service included with the Windows operating system that coordinates the WFP components; the main tasks performed by the BFE are adding filters to and removing filters from the system, storing filter configuration and enforcing WFP configuration security. Applications communicate with the BFE through WFP management functions such as FwpmEngineOpen.

The HOST field in an HTTP packet identifies the domain name of the server.

Summary of the invention

In order to overcome the problems above, the object of the present invention is to provide a game cheat behavior monitoring method based on HTTP traffic HOST field features, which is a covert cheat behavior monitoring means that can efficiently monitor the usage behavior of cheats with known HTTP traffic characteristics.

The present invention is realized by the following scheme: a game cheat behavior monitoring method based on HTTP traffic HOST field features, the method comprising the following steps: step S1, a client in the application layer of a Windows system creates a network filter driver in the driver layer;

Step S2, a HOST blacklist is established, the HOST blacklist storing the HOST domain-name strings contained in the HTTP packets sent by cheat programs;

Step S3, the network filter driver captures all TCP packets at the stream layer and compares the HOST domain-name parameter parsed from each TCP packet request with the HOST blacklist; if the domain-name parameter is identical to any domain-name string in the HOST blacklist, the game player is determined to be using a cheat.

Further, step S2 specifically comprises: while the network filter driver is being created, the HOST domain names that a cheat program accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, the HOST blacklist is initialized, and during that initialization the network filter driver inserts all HOST domain names written in the file into the HOST blacklist.

Further, between step S2 and step S3 the method further comprises: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of the subsequent operations;

Step S22, the network filter driver registers a callback function that monitors data at the stream layer with the FwpsCalloutRegister function;

Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine (BFE) add the previously registered callback function;

Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data;

Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine (BFE) and associates the callback function with the sublayer; once the association is complete, whenever the sublayer captures a network packet the system calls the callback function associated with that sublayer with the packet; the stream-layer callback function is responsible for handling TCP packets.

Further, step S3 specifically comprises: step S31, when the stream-layer callback function is called, it checks whether the remote port of the packet is 80; if so, the packet is a TCP packet of the HTTP protocol and the method proceeds to step S32; otherwise the callback function returns;

Step S32, the callback function parses the packet content according to the HTTP message format, extracts the HOST field string from the HTTP TCP packet, then traverses the HOST blacklist, comparing the HOST field string with each blacklist entry as strings; if a blacklist entry identical to the HOST field string extracted from the TCP packet exists, the player is determined to be using a cheat.

Further, the callback function parsing the packet content according to the HTTP message format and extracting the HOST field string from the HTTP TCP packet specifically comprises the following steps:

Step 1, using a string matching algorithm, search the HTTP TCP packet for the string "Host:"; if it is not present, the process ends; if "Host:" is present, record the memory address of its first occurrence and set Start to the address of the byte immediately after the matched string;

Step 2, comparing byte by byte, search from Start up to the penultimate byte of the HTTP TCP packet for "\x0d\x0a", i.e. two consecutive bytes storing '\x0d' and '\x0a' respectively; if it is not found, exit the HOST extraction process; otherwise set End to the byte preceding the memory address that was found;

Step 3, the data stored in the memory between Start and End is the content of the HOST field of the HTTP TCP packet.

The beneficial effects of the present invention are:

1. The usage-behavior blacklist mechanism can efficiently monitor the usage behavior of cheats with known HTTP traffic characteristics.

2. Because kernel-layer network filtering technology is used, cheats cannot bypass this detection with the traditional application-layer API hooking techniques, which greatly increases the difficulty of anti-detection and anti-monitoring for cheats.

3. Most cheats are paid and therefore include a login module, so this scheme has a very wide range of application and can be applied to the detection of a large number of cheats.

4. The game cheat behavior monitoring method of this patent is a covert cheat behavior monitoring means, which improves monitoring capability.

5. The present invention provides a technical solution for extracting the HOST field from HTTP packets in the kernel layer, which improves the accuracy of monitoring.

Detailed description of the invention

Fig. 1 is a schematic flow diagram of the method of the invention.

Specific embodiment

The present invention will be further described with reference to the accompanying drawing.

Referring to Fig. 1, the game cheat behavior monitoring method based on HTTP traffic HOST field features of the present invention is based on Microsoft's WFP network filter driver framework and captures the network request behavior of cheats by installing a network filter at the bottom of the system. The method comprises the following steps: step S1, a client in the application layer of a Windows system creates a network filter driver in the driver layer;

Step S2, a HOST blacklist is established, the HOST blacklist storing the HOST domain-name strings contained in the HTTP packets sent by cheat programs. Step S2 specifically comprises: while the network filter driver is being created, the HOST domain names that a cheat program accesses during its network interaction are written into the file of the network filter driver, and the Windows application loads and starts the network filter driver; after the network filter driver has started successfully, the HOST blacklist is initialized, and during that initialization the network filter driver inserts all HOST domain names written in the file into the HOST blacklist. In addition, the entries stored in the blacklist must be features unique to the cheat, i.e. apart from that cheat no other program exhibits this network access behavior, or the probability of it doing so is extremely low; otherwise there is a risk of false positives.

Step S3, the network filter driver captures all TCP packets at the stream layer (i.e. the FWPM_LAYER_STREAM_V4 layer) and compares the HOST domain-name parameter parsed from each TCP packet request with the HOST blacklist; if the domain-name parameter is identical to any domain-name string in the HOST blacklist, the game player is determined to be using a cheat.

Between step S2 and step S3 the method further comprises: step S21, the network filter driver obtains a handle to the Base Filtering Engine (BFE) with the FwpmEngineOpen function, to be used as a parameter of the subsequent operations;

Step S22, the network filter driver registers a callback function that monitors data at the stream layer with the FwpsCalloutRegister function;

Step S23, the network filter driver uses the FwpmCalloutAdd function to request that the Base Filtering Engine (BFE) add the previously registered callback function;

Step S24, the network filter driver uses the FwpmSubLayerAdd function to create a sublayer at the stream layer for capturing data;

Step S25, the network filter driver uses the FwpmFilterAdd function to create a filter at the stream layer through the Base Filtering Engine (BFE) and associates the callback function with the sublayer; once the association is complete, whenever the sublayer filter captures a network packet the system calls the callback function associated with that sublayer with the packet; the stream-layer callback function is responsible for handling TCP packets.

Step S3 specifically comprises: step S31, when the stream-layer callback function is called, it checks whether the remote port of the packet is 80; if so, the packet is a TCP packet of the HTTP protocol and the method proceeds to step S32; otherwise the callback function returns;

Step S32, the callback function parses the packet content according to the HTTP message format, extracts the HOST field string from the HTTP TCP packet, then traverses the HOST blacklist, comparing the HOST field string with each blacklist entry as strings; if a blacklist entry identical to the HOST field string extracted from the TCP packet exists, the player is determined to be using a cheat.

The callback function parsing the packet content according to the HTTP message format and extracting the HOST field string from the HTTP TCP packet specifically comprises the following steps:

Step 1, using a string matching algorithm, search the HTTP TCP packet for the string "Host:"; if it is not present, the process ends; if "Host:" is present, record the memory address of its first occurrence and set Start to the address of the byte immediately after the matched string;

Step 2, comparing byte by byte, search from Start up to the penultimate byte of the HTTP TCP packet for "\x0d\x0a", i.e. two consecutive bytes storing '\x0d' and '\x0a' respectively; if it is not found, exit the HOST extraction process; otherwise set End to the byte preceding the memory address that was found;

Step 3, the data stored in the memory between Start and End is the content of the HOST parameter of the HTTP TCP packet. For example, the layout of the HOST parameter content is shown in Table 1 below.

Table 1

| Other data | "Host:" | HOST parameter | "\x0d\x0a" | Other data |

The string matching algorithm may be the KMP algorithm; other algorithms may also be used in practice. In this patent "HOST field" may also be described as "HOST parameter", i.e. "HOST field" and "HOST parameter" denote the same data object (the data segment describing the HOST domain name in an HTTP packet); for ease of reading and understanding, "HOST parameter" replaces "HOST field" in some passages.
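The extraction steps 1 to 3 above, together with the port check and blacklist comparison of steps S31 and S32, carried out on a flat byte buffer, as an added example written for this page in C; it is not code from the patent or from its applicants. It assumes the stream-layer payload has already been copied into contiguous memory, uses a plain byte search where the patent allows any string-matching algorithm, and, as an addition the patent does not describe, skips optional spaces and tabs after "Host:" so that the value is compared without a leading blank. The sample packets are constructed inputs, and the blacklist entry tools.cheat.com is the domain from the patent's own embodiment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Plain byte search over a bounded buffer. It stands in for the "string
 * matching algorithm" of step 1 (the patent mentions KMP; any exact matcher
 * gives the same result). Returns NULL when the needle is absent. */
static const unsigned char *find_bytes(const unsigned char *hay, size_t hay_len,
                                       const char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return NULL;
    for (size_t i = 0; i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return hay + i;
    return NULL;
}

/* Steps 1-3: find the first "Host:", set Start to the byte after it, search
 * from Start (the penultimate byte is the last possible match position) for
 * "\x0d\x0a", set End to the byte before that CRLF and return [Start, End]
 * through host/host_len. Returns 1 on success, 0 when either "Host:" or the
 * terminating CRLF is missing (the patent exits in both cases).
 * Addition not in the patent: optional spaces/tabs after "Host:" are skipped,
 * because real requests send "Host: name" and the blank is not part of the value. */
int extract_host(const unsigned char *pkt, size_t len,
                 const unsigned char **host, size_t *host_len)
{
    const unsigned char *end_of_pkt = pkt + len;
    const unsigned char *p = find_bytes(pkt, len, "Host:", 5);
    if (p == NULL) return 0;

    const unsigned char *start = p + 5;                       /* Start */
    while (start < end_of_pkt && (*start == ' ' || *start == '\t'))
        start++;                                              /* added whitespace skip */

    const unsigned char *crlf =
        find_bytes(start, (size_t)(end_of_pkt - start), "\x0d\x0a", 2);
    if (crlf == NULL) return 0;                               /* exit extraction */

    *host = start;
    *host_len = (size_t)(crlf - start);                       /* End = crlf - 1 */
    return 1;
}

/* Step S32: exact string comparison of the extracted HOST against every
 * blacklist entry. Returns 1 if any entry is identical, else 0. */
int host_in_blacklist(const unsigned char *host, size_t host_len,
                      const char *const *blacklist, size_t n_entries)
{
    for (size_t i = 0; i < n_entries; i++)
        if (strlen(blacklist[i]) == host_len &&
            memcmp(blacklist[i], host, host_len) == 0)
            return 1;
    return 0;
}

/* Steps S31-S32 as the callback would run them on one TCP segment:
 * -2 = remote port is not 80, so the segment is not inspected;
 * -1 = port 80 but no HOST field could be extracted;
 *  0 = HOST extracted and not blacklisted;
 *  1 = HOST extracted and blacklisted (cheat usage behavior detected). */
int inspect_tcp_segment(unsigned remote_port, const unsigned char *payload, size_t len,
                        const char *const *blacklist, size_t n_entries)
{
    const unsigned char *host;
    size_t host_len;
    if (remote_port != 80) return -2;
    if (!extract_host(payload, len, &host, &host_len)) return -1;
    return host_in_blacklist(host, host_len, blacklist, n_entries);
}

/* Constructed sample payloads (not captured traffic). */
static const char SAMPLE_CHEAT[]  = "GET /key.txt HTTP/1.1\r\nHost: tools.cheat.com\r\nUser-Agent: x\r\n\r\n";
static const char SAMPLE_CLEAN[]  = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";
static const char SAMPLE_NOHOST[] = "GET / HTTP/1.0\r\n\r\n";
static const char SAMPLE_CUT[]    = "GET / HTTP/1.1\r\nHost: tools.cheat.com"; /* CRLF missing */
static const char *const BLACKLIST[] = { "tools.cheat.com" };
#define N_BLACKLIST (sizeof BLACKLIST / sizeof BLACKLIST[0])

int main(void)
{
    struct { const char *name; const char *pkt; size_t len; } cases[] = {
        { "cheat",  SAMPLE_CHEAT,  sizeof SAMPLE_CHEAT - 1 },
        { "clean",  SAMPLE_CLEAN,  sizeof SAMPLE_CLEAN - 1 },
        { "nohost", SAMPLE_NOHOST, sizeof SAMPLE_NOHOST - 1 },
        { "cut",    SAMPLE_CUT,    sizeof SAMPLE_CUT - 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-6s -> %d\n", cases[i].name,
               inspect_tcp_segment(80, (const unsigned char *)cases[i].pkt, cases[i].len,
                                   BLACKLIST, N_BLACKLIST));
    return 0;
}
```

In a real FWPM_LAYER_STREAM_V4 callout the data arrives as a stream buffer rather than a flat array, so it has to be copied into contiguous memory before a search like this runs, and a Host header split across two segments would not be found by per-segment matching. Two further points to keep in mind when judging false negatives: HTTP header field names are case-insensitive, so a byte-exact search for "Host:" only covers that spelling and a case-insensitive comparison is the safer choice; and because inspection is keyed to port 80, the method by design never sees the Host header of encrypted HTTPS traffic.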

A specific embodiment is given below to further describe the implementation of this patent's scheme:

Suppose game cheat A is cheat software that damages online game client C, a product of game company B. After its process starts, cheat A accesses "tools.cheat.com/key.txt" (the HOST field of this URL is "tools.cheat.com"); apart from game cheat A, no other process makes the same network request.

1. Game company B uses network filter driver D, developed according to this scheme, to detect whether a player runs cheat A while playing, and thereby protects game client C.

2. After the player runs game client C, game client C automatically loads network filter driver D; after loading successfully, network filter driver D initializes the HOST blacklist and inserts into it the blacklist entry "tools.cheat.com", dedicated to detecting game cheat A.

3. Network filter driver D completes the sequence of operations at the FWPM_LAYER_STREAM_V4 layer (registering the callback function, creating the sublayer, enabling the filter, and so on) and then begins filtering network packets.

4. Suppose that while game client C is running, the player starts game cheat A. After starting successfully, game cheat A attempts to access "tools.cheat.com/key.txt", sending an HTTP TCP packet whose HOST field is "tools.cheat.com".

5. After the FWPM_LAYER_STREAM_V4 layer filter captures this TCP packet, it checks whether the remote port number of the packet is 80; if the port number equals 80, the packet is an HTTP TCP packet. Assume the content of the HTTP message is "xxxHost:tools.cheat.com\x0d\x0axxxxxx" (x represents irrelevant data); proceed to step 7. Otherwise the callback function returns.

6. The callback function parses the packet content according to the HTTP message format. Parsing the HTTP packet yields the HOST field string "tools.cheat.com".

7. The callback function traverses the URI blacklist, comparing the HOST field string "tools.cheat.com" with each blacklist entry as strings; when the comparison reaches the blacklist entry "tools.cheat.com", the two strings are equal, so this HTTP packet is determined to match the URI blacklist rule, and thus the player is determined to be using game cheat A.

The foregoing is merely a preferred embodiment of the present invention; all equivalent changes and modifications made within the scope of the patent of the present invention are covered by the present invention.
