Summary of the invention
The application provides a method for identifying APK viruses, in order to identify APK viruses and their variants quickly, accurately and efficiently and thereby improve the security of APK use.
The application also provides an apparatus for identifying APK viruses, in order to guarantee the application and realization of the above method in practice.
To solve the above problem, the application discloses a method for identifying APK viruses, comprising:
presetting a virus database, the virus database comprising virus feature codes and corresponding weight values;
detecting whether the specified files in a target Android package (APK) contain the virus feature codes, and if so, summing the weight values corresponding to the virus feature codes found;
if the sum of the weight values is greater than or equal to a particular virus decision threshold, determining that the target APK contains a virus of the corresponding type.
Preferably, the method further comprises:
generating information indicating that the target APK contains a virus of that type.
Preferably, the method further comprises:
if the sum of the weight values is less than the particular virus decision threshold, determining that the target APK is a virus APK.
Preferably, the method further comprises:
generating information indicating that the target APK is a virus APK.
Preferably, the method further comprises:
calling a security software interface to scan the target APK for viruses and remove them.
Preferably, the specified files comprise an executable file, and the step of presetting the virus database comprises:
scanning the executable file in a source APK;
extracting particular data from the executable file and determining whether the particular data contains virus information, wherein the particular data comprises the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;
if so, generating virus feature codes from the particular data;
assigning weight values to the virus feature codes;
saving the virus feature codes and the corresponding weight values into the virus database.
Preferably, the executable file comprises a Dex file, and the Dex file comprises the classes.dex file, files with the extension .jar, and files in Dex format.
Preferably, the virus feature codes comprise: header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, and class-name/function-name feature codes; an operation instruction in the executable file consists of two parts, an opcode and an operand;
the header-information feature codes, constant feature codes, operand feature codes and class-name/function-name feature codes are generated directly from the header information, constants, operands and class/function names that contain virus information;
the instruction feature codes and instruction feature code sequences are generated directly from the operation instructions that contain virus information, or from the opcode of those instructions together with the character string or a wildcard for the operand;
the step of saving the virus feature codes and the corresponding weight values into the virus database comprises:
saving the header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, class-name/function-name feature codes and the corresponding weight values in different storage regions of the database respectively;
or,
saving the header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, class-name/function-name feature codes and the corresponding weight values in the database with different classification labels.
Preferably, the step of detecting whether the specified files in the target APK contain the virus feature codes comprises:
locating the header information of the executable file in the target APK and matching the header information against the header-information feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
locating the constants in the constant pool of the executable file in the target APK and matching the constants against the constant feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
locating the operands in the operation instructions of the executable file in the target APK and matching the operands against the operand feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
locating the opcodes in the operation instructions of the executable file in the target APK and matching the opcodes against the instruction feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
locating the opcodes in the operation instructions of the executable file in the target APK and matching the opcodes against the instruction feature code sequences in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
locating the class names and/or function names called by the constants in the constant pool and by the operands in the operation instructions of the executable file in the target APK, and matching the class names and/or function names against the class-name/function-name feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code.
Preferably, the specified files further comprise a text file, and the step of presetting the virus database further comprises:
extracting the Linux commands in the text file and determining whether the Linux commands contain virus information;
if so, generating virus feature codes from the Linux commands.
Preferably, the virus feature codes further comprise Linux command feature codes, and the step of detecting whether the specified files in the target APK contain the virus feature codes further comprises:
locating the text file in the target APK and matching the Linux commands in the text file against the Linux command feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code.
Preferably, the constants in the constant pool of the executable file comprise the constants in the strings, types, fields and methods sections; the header information of the executable file comprises the checksum digest and/or the signature.
An embodiment of the application also discloses an apparatus for identifying APK viruses, comprising:
a virus database generation module, for presetting a virus database, the virus database comprising virus feature codes and corresponding weight values;
a virus detection module, for detecting whether the specified files in a target APK contain the virus feature codes, and if so, calling the virus weight value statistics module;
a virus weight value statistics module, for summing the weight values corresponding to the virus feature codes found;
a threshold decision module, for determining whether the sum of the weight values is greater than or equal to a particular virus decision threshold, and if so, calling the virus determination module;
a virus determination module, for determining that the target APK contains a virus of the corresponding type.
Preferably, the apparatus further comprises:
a first information generation module, connected to the virus determination module, for generating information indicating that the target APK contains a virus of that type.
Preferably, the apparatus further comprises:
a virus identification module, for determining that the target APK is a virus APK when the sum of the weight values is less than the particular virus decision threshold.
Preferably, the apparatus further comprises:
a second information generation module, connected to the virus identification module, for generating information indicating that the target APK is a virus APK.
Preferably, the apparatus further comprises:
a virus scan-and-removal module, for calling a security software interface to scan the target APK for viruses and remove them.
Preferably, the specified files comprise an executable file, and the virus database generation module comprises:
a source file scanning submodule, for scanning the executable file in a source APK;
a particular data extraction submodule, for extracting particular data from the executable file and determining whether the particular data contains virus information, wherein the particular data comprises the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;
a first feature code generation submodule, for generating virus feature codes from the particular data when the particular data contains virus information;
a weight value assignment module, for assigning weight values to the virus feature codes;
a feature code saving submodule, for saving the virus feature codes and the corresponding weight values into the virus database.
Preferably, the executable file comprises a Dex file, and the Dex file comprises the classes.dex file, files with the extension .jar, and files in Dex format.
Preferably, the virus feature codes comprise: header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, and class-name/function-name feature codes; an operation instruction in the executable file consists of two parts, an opcode and an operand;
the header-information feature codes, constant feature codes, operand feature codes and class-name/function-name feature codes are generated directly from the header information, constants, operands and class/function names that contain virus information;
the instruction feature codes and instruction feature code sequences are generated directly from the operation instructions that contain virus information, or from the opcode of those instructions together with the character string or a wildcard for the operand;
the feature code saving submodule further comprises:
a region-based saving unit, for saving the header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, class-name/function-name feature codes and the corresponding weight values in different storage regions of the database respectively;
or,
a label-based saving unit, for saving the header-information feature codes, constant feature codes, operand feature codes, instruction feature codes, instruction feature code sequences, class-name/function-name feature codes and the corresponding weight values in the database with different classification labels.
Preferably, the virus detection module comprises:
a first detection submodule, for locating the header information of the executable file in the target APK and matching the header information against the header-information feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
a second detection submodule, for locating the constants in the constant pool of the executable file in the target APK and matching the constants against the constant feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
a third detection submodule, for locating the operands in the operation instructions of the executable file in the target APK and matching the operands against the operand feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
a fourth detection submodule, for locating the opcodes in the operation instructions of the executable file in the target APK and matching the opcodes against the instruction feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
a fifth detection submodule, for locating the opcodes in the operation instructions of the executable file in the target APK and matching the opcodes against the instruction feature code sequences in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code;
and/or,
a sixth detection submodule, for locating the class names and/or function names called by the constants in the constant pool and by the operands in the operation instructions of the executable file in the target APK, and matching the class names and/or function names against the class-name/function-name feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code.
Preferably, the specified files further comprise a text file, and the virus database generation module further comprises:
a Linux command extraction submodule, for extracting the Linux commands in the text file and determining whether the Linux commands contain virus information;
a second feature code generation submodule, for generating virus feature codes from the Linux commands when the Linux commands contain virus information.
Preferably, the virus feature codes further comprise Linux command feature codes, and the virus detection module further comprises:
a seventh detection submodule, for locating the text file in the target APK and matching the Linux commands in the text file against the Linux command feature codes in the virus database; if they match, determining that the specified file in the target APK contains a virus feature code.
Compared with the prior art, the application has the following advantages:
The application scans and analyses the specified files in a source APK, such as executable files and text files, generates corresponding virus feature codes by preset rules from the instructions, constants or header information that contain virus information, assigns a weight value to each virus feature code and assembles the result into a virus database. In the subsequent identification of APK viruses, the specified files in the target APK are detected and it is judged whether the corresponding virus feature codes exist in those files; if so, the weight values of the virus feature codes found are summed, and if the sum is greater than or equal to a particular virus decision threshold, the target APK is judged to contain a virus of the corresponding type. With the embodiments of the application, no matter how a virus author produces variants of an APK virus, whether by changing the obfuscation, adding resources, changing class names, function names and the like, or changing the signature or package name, the feature codes of the virus cannot be changed without modifying the code, so the application can identify APK viruses and their variants quickly, accurately and efficiently. Changing the program logic and specific character strings (malicious numbers, malicious URLs) in a targeted way in order to produce a variant is cumbersome and time-consuming for the virus author, so this approach also effectively raises the difficulty of producing virus variants and improves the security of APK use.
Moreover, the application can further determine the virus type of an APK by comparison against the decision thresholds of different virus types, which makes it convenient to carry out more targeted subsequent processing of the APK virus and further improves the accuracy of APK identification.
Embodiment
To make the above objects, features and advantages of the application clearer and easier to understand, the application is described in further detail below with reference to the accompanying drawings and embodiments.
One of the core ideas of the embodiments of the application is to scan and analyse the specified files in a source APK, such as executable files and text files, to generate corresponding virus feature codes by preset rules from the instructions, constants or header information that contain virus information, and to assign a weight value to each virus feature code and assemble the result into a virus database. In the subsequent identification of APK viruses, the specified files in the target APK are detected and it is judged whether the corresponding virus feature codes exist in those files; if so, the weight values of the virus feature codes found are summed, and if the sum is greater than or equal to a particular virus decision threshold, the target APK is judged to contain a virus of the corresponding type.
Referring to Figure 1, which shows a flow chart of the steps of Embodiment 1 of a method for identifying APK viruses according to the application, the method may comprise the following steps:
Step 101: presetting a virus database, the virus database comprising virus feature codes and corresponding weight values;
In a preferred embodiment of the application, the specified files comprise an executable file, and the virus database may be preset through the following sub-steps:
Sub-step S11: scanning the executable file in a source APK;
Sub-step S12: extracting particular data from the executable file and determining whether the particular data contains virus information, wherein the particular data comprises the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;
Sub-step S13: if so, generating virus feature codes from the particular data;
Sub-step S14: assigning weight values to the virus feature codes;
Sub-step S15: saving the virus feature codes and the corresponding weight values into the virus database.
For example, the virus feature codes and corresponding weight values contained in the virus database are as shown in Table 1 below:
Table 1:
For an APK, the executable file may comprise a Dex file, and the Dex file is mainly the classes.dex file in the APK, i.e. the Dalvik Executable. As is well known, Dalvik is the Java virtual machine used on the Android platform. The Dalvik virtual machine (Dalvik VM) is one of the core components of Android mobile devices. It supports running Java applications that have been converted into the .dex (Dalvik Executable) format; the .dex format is a compressed format designed specifically for Dalvik and suited to systems with limited memory and processor speed. Dalvik is optimized to allow several virtual machine instances to run simultaneously within limited memory, and each Dalvik application executes as an independent Linux process, which prevents all programs from being closed when one virtual machine crashes.
More preferably, the executable file may also comprise files with the extension .jar. A jar file inside an Android package is in fact a Dex file, only with the extension .jar; for files in the APK other than classes.dex, whether to scan them can be decided simply by determining whether they are Dex files.
In practical applications, the Dex file may also comprise other files in Dex format.
In a preferred embodiment of the application, the particular data in the executable file may be extracted in the following order:
1) Constants in the constant pool of the executable file;
Specifically, the constants in the constant pool of the specified file may comprise the constants in the strings, types, fields and methods sections, and whether the constants in the constant pool of the executable file contain virus information may be determined through the following sub-steps:
Sub-step S21: determining whether the constants in the strings section contain predefined malicious information, such as malicious website information, malicious file names or malicious phone numbers;
and/or,
Sub-step S22: determining whether the constants in the types, fields and methods sections call user-defined class names, user-defined function names, or Android system SDK class names and Android system function names.
In a specific application, the virus information in the constants may be used directly as virus feature codes; in this embodiment, the virus feature codes generated comprise constant feature codes and class-name/function-name feature codes.
For example, the constant pool in the classes.dex file of a certain APK contains the following character strings:
com.noshufou.android.su
/system/app/com.google.update.apk
After these are determined to be virus information, they can be saved directly into the virus database as virus feature codes once corresponding weight values have been assigned.
For example, the constant pool in the classes.dex file of a certain APK contains the following methods:
Lcom/android/main/SmsReceiver;
Lcom/android/main/ActionReceiver;
After these are determined to be virus information, they can be saved directly into the virus database as virus feature codes once corresponding weight values have been assigned.
For example, the constant pool in the classes.dex file of a certain APK contains the following type:
Lcom/androidkernel/flash/Main$1;
After it is determined to be virus information, it can be saved directly into the virus database as a virus feature code once a corresponding weight value has been assigned.
For example, the constant pool in the classes.dex file of a certain APK contains the following field:
Lcom/androidkernel/flash/b/br$1;.this$0:Lcom/androidkernel/flash/b/br;
After it is determined to be virus information, it can be saved directly into the virus database as a virus feature code once a corresponding weight value has been assigned.
2) Operation instructions in the executable file;
The Dalvik VM is register-based. Data used by the program, such as strings, types, fields and methods, are kept in a dedicated data storage area (the constant pool) and are referenced from the program through the corresponding indices; literal constants are kept directly in the instructions (operation instructions). The opcodes fall into two classes:
One class puts specified data into a register, as in Examples 1 to 4 below:
Example 1:
1303 6100 |0000: const/16 v3, #int 97 // #61
Puts the integer 97 into register v3.
Example 2:
1700 0000 0040 |0049: const-wide/32 v0, #float 2.000000 // #40000000
Puts the floating-point number 2.000000 into register v0.
Example 3:
1a00 7d00 |000b: const-string v0, "%.2fMB" // string007d
Puts the character string "%.2fMB" into register v0.
Example 4:
1c03 6e04 |0015: const-class v3, Lcom/qihoo360/mobilesafe/service/NetTrafficService; // type046e
Puts the class com.qihoo360.mobilesafe.service.NetTrafficService into register v3.
The other class performs operations on registers, as in Examples 5 to 10 below:
Example 5:
3100 0305 |0042: cmp-long v0, v3, v5
Compares the long values in registers v3 and v5 and stores the comparison result in register v0.
Example 6:
3221 0400 |001a: if-eq v1, v2, 001e // +0004
Conditional branch: the execution flow is decided according to whether v1 and v2 are equal.
Example 7:
3800 1500 |001e: if-eqz v0, 0033 // +0015
Conditional branch: the execution flow is decided according to whether v0 equals 0.
Example 8:
6e10 0e29 0500 |0006: invoke-virtual {v5}, Ljava/io/File;.length:()J // method290e
Calls the length() function of File.
Example 9:
7010 042a 0800 |011d: invoke-direct {v8}, Ljava/lang/StringBuilder;.<init>:()V // method2a04
Calls the <init> function of StringBuilder.
Example 10:
b021 |0035: add-int/2addr v1, v2
Stores the result of v1+v2 in v1.
In the classes.dex file and the jar files of an APK, the user's class names, function names and character strings may be obfuscated or modified, but the instructions of the Dalvik VM and the calls to the classes provided by the Android system SDK are not affected by obfuscation or modification of the user's class names, function names, variable names and the like; an APK can therefore be identified through an ordered group of specific instructions. Because the Dalvik VM is register-based, an instruction itself can only operate on registers, literal constants and the data storage area, and register addresses are variable, so identification should also use fuzzy matching on the fixed parts of the instruction: the opcode and its associated literal constant parameters, or the strings, types, fields and methods in the data storage area. Of course, the instruction and its operands themselves can also be used directly as virus feature codes.
In a preferred embodiment of the application, whether the operation instructions contain virus information may be determined through the following sub-steps:
Sub-step S31: determining whether the operands contain predefined illegal operands;
and/or,
Sub-step S32: determining whether the combination of the opcode and the operand meets a predefined illegal collocation rule.
In a preferred embodiment of the application, virus feature codes may be generated from the operation instructions through the following sub-steps:
Sub-step S41: using the operation instruction itself as the virus feature code;
and/or,
Sub-step S42: using the opcode of the operation instruction together with the character string or a wildcard for the operand as the virus feature code.
The virus feature codes generated using this embodiment comprise operand feature codes, instruction feature codes and instruction feature code sequences.
Feature code generation scheme one:
Directly use the particular instructions themselves in the classes.dex file and jar files of the APK as virus feature codes.
For example, the feature code of Example 1 above may be 1303 6100, the feature code of Example 2 may be 1700 0000 0040, the feature code of Example 3 may be 1a00 7d00, the feature code of Example 4 may be 1c03 6e04, the feature code of Example 5 may be 3100 0305, the feature code of Example 6 may be 3221 0400, the feature code of Example 7 may be 3800 1500, the feature code of Example 8 may be 6e10 0e29 0500, the feature code of Example 9 may be 7010 042a 0800, and the feature code of Example 10 may be b021.
Feature code generation scheme two:
Use the particular opcode in the classes.dex file and jar files of the APK together with the character string or a wildcard for its operand as the virus feature code.
For example, the feature code of Example 1 above may be 13$* (where * denotes fuzzy matching, likewise below; note that "*" here is only an example, and any character may be used in practice); the feature code of Example 2 may be 17$*, the feature code of Example 3 may be 1a$, the feature code of Example 4 may be 1c$Lcom/qihoo360/mobilesafe/service/NetTrafficService;, the feature code of Example 5 may be 31$*, the feature code of Example 6 may be 32$*, the feature code of Example 7 may be 38$*, the feature code of Example 8 may be 6e$Ljava/io/File;.length:(), the feature code of Example 9 may be 70$Ljava/lang/StringBuilder;.<init>, and the feature code of Example 10 may be b0$*.
Feature code selection scheme three:
Mix scheme one and scheme two: use both the particular instructions themselves in the classes.dex of the APK and the particular opcodes in the classes.dex of the APK together with the character strings or wildcards for their operands as virus feature codes.
It should be noted that the embodiments of the application use $ as the separator, and in practice any other character may be used as the separator; likewise the embodiments use * as the wildcard, and in practice any other character may be used as the wildcard.
To help those skilled in the art better understand the above feature code generation process, a specific example is described below.
Feature codes extracted from the constants in the constant pool of classes.dex (string, type, field and method) are as follows. For example, a certain virus contains the following feature strings in its string constant pool:
zjphonecall.txt and zjsms.txt: these two files contain malicious call numbers and special-service SMS numbers, so they can be extracted as virus feature codes.
Feature codes extracted from the disassembled classes.dex are as follows:
For example, the .apk of a virus X contains the following instructions, used to back up the user's private data to http://www.mybackup.me, listed in the order in which they appear:
2200 f600 |0000: new-instance v0, Ljava/lang/StringBuilder; // type00f6
The virus feature code extracted is: 2200f600 or 22$Ljava/lang/StringBuilder
7010 9804 0000 |0002: invoke-direct {v0}, Ljava/lang/StringBuilder;.<init>:()V // method0498
The virus feature code extracted is: 701098040000 or 70$Ljava/lang/StringBuilder;.<init>
1a01 5506 |0005: const-string v1, "http://www.mybackup.me" // string0655
The virus feature code extracted is: 701098040000 or 1a$http://www.mybackup.me
6e20 9e04 1000 |0007: invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method049e
The virus feature code extracted is: 6e209e041000 or 6e$Ljava/lang/StringBuilder;.append
3902 0900 |0005: if-nez v2, 000e // +0009
The virus feature code extracted is: 39020900 or 39$*
0c02 |0003: move-result-object v2
The virus feature code extracted is: 0c02 or 0c$*
The feature codes finally obtained are:
Feature code selection scheme one:
2200f6007010980400007010980400006e209e041000390209000c02
Feature code selection scheme two:
22$Ljava/lang/StringBuilder$70$Ljava/lang/StringBuilder;.<init>$1a$http://www.mybackup.me$6e$Ljava/lang/StringBuilder;.append$39$*$0c$*
Feature code selection scheme three:
22$Ljava/lang/StringBuilder$701098040000$1a$http://www.mybackup.me$6e$Ljava/lang/StringBuilder;.append$39$*$0c02
As another example, the instructions (operational orders) in the classes.dex file of a certain APK are as follows:
1a0c bb08 |009b: const-string v12, "tiger" // string08bb
1a0d 1e03 |009d: const-string v13, "P5" // string031e
7120 1404 dc00 |009f: invoke-static {v12, v13}, Lcom/androidkernel/flash/util/LogUtil;.i:(Ljava/lang/String;Ljava/lang/String;)V // method0414
2205 9700 |00a2: new-instance v5, Lcom/androidkernel/flash/http/base/DlStruct; // type0097
7010 1603 0500 |00a4: invoke-direct {v5}, Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V // method0316
1a0c 7200 |00a7: const-string v12, "AA" // string0072
7020 f402 ce00 |00a9: invoke-direct {v14, v12}, Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String; // method02f4
0c0b |00ac: move-result-object v11
When the combination of the above opcodes and operands is judged to meet a predefined illegal combination rule, or when the above operands are judged to contain a predefined illegal operand, a condition code is generated as follows:
Mode one:
1a0cbb081a0d1e0371201404dc00220597007010160305001a0c72007020f402ce000c0b
Mode two:
1a$tiger$1a$P5$71$Lcom/androidkernel/flash/util/LogUtil;.i:(Ljava/lang/String;Ljava/lang/String;)V$22$Lcom/androidkernel/flash/http/base/DlStruct;$70$Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V$1a$AA$70$Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String;$0c$*
Mode three:
1a0cbb08$1a$P5$71201404dc00$22$*$70$Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V$1a$AA$70$Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String;$0c$*
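To make the three selection schemes above concrete, here is an added Python example (not code from the application) that parses instruction lines in the dexdump-style layout shown above and derives the raw-hex, symbolic and mixed condition codes. The sample dump is constructed to mirror the first example, and the rule used for scheme three (raw encoding for register- or offset-only instructions, symbolic form otherwise) is this example's own choice, since the text leaves that selection to the signature author.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the dexdump-style layout used in the text (code units,
# |offset:, mnemonic, operands, trailing "// index" comment). Not taken from a
# real sample; the hex values are illustrative.
SAMPLE_DUMP = """\
2200 f600 |0000: new-instance v0, Ljava/lang/StringBuilder; // type00f6
7010 9804 0000 |0002: invoke-direct {v0}, Ljava/lang/StringBuilder;.<init>:()V // method0498
1a01 5506 |0005: const-string v1, "http://www.mybackup.me" // string0655
6e20 9e04 1000 |0007: invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method049e
3902 0900 |0005: if-nez v2, 000e // +0009
0c02 |0003: move-result-object v2
"""

# A trailing comment must be preceded by whitespace, so the "//" inside a URL
# literal is not mistaken for the comment marker.
LINE_RE = re.compile(
    r'^(?P<units>(?:[0-9a-fA-F]{4}\s+)+)\|(?P<off>[0-9a-fA-F]+):\s*'
    r'(?P<mnemonic>\S+)\s*(?P<operands>.*?)(?:\s+//[^"]*)?$'
)
STRING_RE = re.compile(r'"([^"]*)"')                                  # const-string literal
REF_RE = re.compile(r"(L[\w/$]+;(?:\.[\w<>$]+(?::\([^)]*\)\S*)?)?)")  # type or method reference

@dataclass
class Insn:
    raw: str        # code units concatenated, e.g. "2200f600"
    opcode: str     # first byte of the first code unit, e.g. "22"
    mnemonic: str
    operands: str

def parse_dump(text: str) -> List[Insn]:
    """Turn dump lines into instructions; lines that are not instructions are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = "".join(m.group("units").split()).lower()
        insns.append(Insn(raw, raw[:2], m.group("mnemonic"), m.group("operands")))
    return insns

def operand_feature(insn: Insn) -> str:
    """Operand kept in the symbolic form: the string literal, else the type/method
    reference, else '*' (register- or offset-only operands, which vary between builds)."""
    s = STRING_RE.search(insn.operands)
    if s:
        return s.group(1)
    r = REF_RE.search(insn.operands)
    return r.group(1) if r else "*"

def scheme_one(insns: List[Insn]) -> str:
    """Raw encoding of the whole sequence."""
    return "".join(i.raw for i in insns)

def scheme_two(insns: List[Insn]) -> str:
    """opcode$operand per instruction, joined with '$'. Caveat: '$' also occurs in
    inner-class names (Outer$Inner), so a real store should escape it or pick another separator."""
    return "$".join(f"{i.opcode}${operand_feature(i)}" for i in insns)

def scheme_three(insns: List[Insn]) -> str:
    """Mixed form: symbolic where a stable string/reference exists, raw encoding otherwise."""
    parts = []
    for i in insns:
        feat = operand_feature(i)
        parts.append(i.raw if feat == "*" else f"{i.opcode}${feat}")
    return "$".join(parts)

if __name__ == "__main__":
    insns = parse_dump(SAMPLE_DUMP)
    for fn in (scheme_one, scheme_two, scheme_three):
        print(fn.__name__, fn(insns))
```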
3) Header information of the executable file.
In a concrete implementation, the header information of said executable file comprises the digest information checksum and/or the signing information Signature; in this case, whether said header information comprises virus information can be confirmed by judging whether said checksum and/or Signature contain a predefined illegal string.
In concrete application, said checksum and/or Signature can also be used directly as virus signatures; that is, in the present embodiment said virus signature comprises a header information condition code.
For example, the checksum in the file header of classes.dex in an APK is 11f26cac and its Signature is 2911621AD071F675ADF0F590C3F1AFB5443BEBBE; after this APK is determined to be a trojan, 11f26cac and 2911621AD071F675ADF0F590C3F1AFB5443BEBBE are extracted directly as virus signatures and saved in the database.
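As an added example that is not part of the application, the following Python reads the checksum and Signature fields at their fixed offsets in a classes.dex header, recomputes both from the file body so that a damaged or hand-edited header is not trusted for a lookup, and then matches them against a header signature table. The dex image is constructed in the code, and the table holds the two values quoted above with a placeholder family name.

```python
import hashlib
import struct
import zlib
from typing import Dict, Optional, Tuple

DEX_HEADER_LEN = 0x70            # fixed header size in the dex format
MAGIC = b"dex\n035\x00"          # magic for the dex version 035 layout

# The two header values quoted in the text, stored as the text writes them
# (checksum lower-case hex, Signature upper-case hex); the family name is a placeholder.
KNOWN_HEADER_SIGNATURES: Dict[str, str] = {
    "11f26cac": "trojan (family placeholder)",
    "2911621AD071F675ADF0F590C3F1AFB5443BEBBE": "trojan (family placeholder)",
}

SAMPLE_PAYLOAD = b"constructed dex body, not real bytecode"

def build_sample_dex(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Construct a minimal dex image whose header checksum and Signature are consistent.
    Header layout: magic[8] | checksum u32 LE | signature[20] | file_size | header_size | ...
    Beyond file_size, header_size and endian_tag the header is zero-filled here."""
    file_size = DEX_HEADER_LEN + len(payload)
    rest = struct.pack("<III", file_size, DEX_HEADER_LEN, 0x12345678)
    rest += bytes(DEX_HEADER_LEN - 0x20 - len(rest)) + payload
    signature = hashlib.sha1(rest).digest()                  # SHA-1 over everything after offset 0x20
    checksum = zlib.adler32(signature + rest) & 0xFFFFFFFF   # adler32 over everything after offset 0x0C
    return MAGIC + struct.pack("<I", checksum) + signature + rest

def dex_header_fingerprints(data: bytes) -> Tuple[str, str]:
    """Return (checksum, Signature) from the header as hex strings in the text's notation."""
    if len(data) < DEX_HEADER_LEN or data[:4] != b"dex\n":
        raise ValueError("not a dex file")
    (checksum,) = struct.unpack_from("<I", data, 8)
    return f"{checksum:08x}", data[12:32].hex().upper()

def verify_header(data: bytes) -> bool:
    """Recompute both fields; a mismatch means a damaged or hand-edited header,
    whose stored values should not be used for a database lookup."""
    stored_cs, stored_sig = dex_header_fingerprints(data)
    calc_sig = hashlib.sha1(data[32:]).hexdigest().upper()
    calc_cs = f"{zlib.adler32(data[12:]) & 0xFFFFFFFF:08x}"
    return stored_cs == calc_cs and stored_sig == calc_sig

def match_header(data: bytes, db: Dict[str, str]) -> Optional[str]:
    """Header information condition code lookup: either field hitting the table is a match.
    Any byte change to the dex alters both fields, so this only catches repackaged
    copies whose classes.dex is byte-identical to the catalogued one."""
    cs, sig = dex_header_fingerprints(data)
    lookup = {k.lower(): v for k, v in db.items()}
    return lookup.get(cs.lower()) or lookup.get(sig.lower())

if __name__ == "__main__":
    dex = build_sample_dex()
    print(dex_header_fingerprints(dex), verify_header(dex), match_header(dex, KNOWN_HEADER_SIGNATURES))
```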
As a concrete example of the application embodiment, the step of saving the virus signatures in the virus database can comprise the following substeps:
Substep S51: save said header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences and class-name/function-name condition codes, together with the weighted value corresponding to each, in different storage regions of the database respectively;
or,
Substep S52: save said header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences and class-name/function-name condition codes, together with the weighted value corresponding to each, in the database, distinguished by group labels.
Of course, the above manner of saving virus signatures is only an example; those skilled in the art may adopt any storage manner according to actual conditions, and the application does not limit this.
Step 102: detect whether the specified file in the target Android installation kit APK comprises said virus signature, said specified file comprising an executable file.
As a concrete example of the application embodiment, said virus signature can comprise: header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences and class-name/function-name condition codes; in this case, said step 102 can specifically comprise the following substeps:
Substep S41: locate the header information of the executable file in the target Android installation kit APK; match said header information against the header information condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Substep S42: locate the constants in the constant pool of the executable file in the target Android installation kit APK; match said constants against the constant condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Substep S43: locate the operands in the operational orders of the executable file in the target Android installation kit APK; match said operands against the operand condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Substep S44: locate the opcodes in the operational orders of the executable file in the target Android installation kit APK; match said opcodes against the instruction condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Substep S45: locate the opcodes in the operational orders of the executable file in the target Android installation kit APK; match said opcodes against the instruction condition code sequences in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Substep S46: locate the class names and/or function names called by the constants in the constant pool and by the operands in the operational orders of the executable file in the target Android installation kit APK; match said class names and/or function names against the class-name/function-name condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature.
In a concrete implementation, matching can be carried out as follows:
Mode one: scan directly, byte by byte and in sequence.
Mode two: scan the virus signature sequence in order; the instructions of the virus signature need only appear in the same order, not contiguously.
Mode three: it suffices that the instructions of all or part of the condition codes are present.
Of course, the above detection and matching modes are only examples; those skilled in the art may adopt any mode of detecting and matching virus signatures according to actual conditions, and the application does not limit this.
Step 103: if so, sum the weighted values corresponding to said virus signatures.
For example, scanning and analysis of an APK finds that it comprises the following virus signatures:
/system/bin/su com.qihoo360.mobilesafe 1066185829
With reference to table 1 in the above example, the weighted value of /system/bin/su is 0.2, the weighted value of com.qihoo360.mobilesafe is 0.3 and the weighted value of 1066185829 is 0.5, so the sum of the weighted values corresponding to these virus signatures is 1.
Step 104: if said weighted value sum is greater than or equal to a certain virus decision threshold, judge that a virus of the respective type exists in said target Android installation kit APK.
For example, if the pre-configured trojan decision threshold is 1, the weighted value sum of the virus signatures in the above example equals this threshold, so it is judged that a trojan exists in the target APK.
In a concrete implementation, the application embodiment can also comprise the step of:
generating the information that a virus of that type exists in said target Android installation kit APK.
Furthermore, in practice the security software interface can also be called to carry out virus scanning and removal on said target Android installation kit APK.
To help those skilled in the art understand the application better, several concrete examples are described below.
Example one:
1) position to the start of the operational orders (instructions) of classes.dex or JAR in the target APK (hereinafter called the code segment);
2) extract the first instruction from the virus signature sequence in the virus database, according to the separator;
3) extract the first instruction from the code segment;
4) compare the two: if they are identical, extract the next instruction from the condition code sequence according to the separator; if they differ, extract the next instruction from the code segment;
5) continue matching instruction by instruction in this way until the end of the code segment is reached; if the whole sequence is matched during this process, report that a virus has been found;
6) extract the weighted value corresponding to the matched virus signature and sum said weighted values;
7) if said weighted value sum is greater than or equal to the trojan decision threshold, judge that a trojan exists in the target APK, report this to the user, and call the security software to carry out removal.
Example two:
1) extract the corresponding feature strings (one or more) from the virus signatures in the virus database;
2) search whether the corresponding feature strings exist in the string constant pool;
3) if they exist, report that a virus APK has been found;
4) extract the weighted values corresponding to the matched virus signature strings and sum said weighted values;
5) if said weighted value sum is greater than or equal to the trojan decision threshold, judge that a trojan exists in the target APK, report this to the user, and call the security software to carry out removal.
Example three:
1) extract the corresponding feature strings (one or more) and key function names (one or more) from the virus signatures;
2) search whether the corresponding feature strings and key function names exist in the string constant pool and the method constant pool; the scanning of the other string, type, field and method pool arrays proceeds likewise;
3) if they exist, report that a virus APK has been found;
4) extract the weighted values corresponding to the matched virus signature strings and sum said weighted values;
5) if said weighted value sum is greater than or equal to the trojan decision threshold, judge that a trojan exists in the target APK, report this to the user, and call the security software to carry out removal.
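The three matching modes, the weighted summation and the threshold decision of Examples one to three, as an added Python example that is not part of the application: instruction signatures are written in the scheme-two form (opcode$operand, with * for any operand) and matched against the code segment with the in-order walk of Example one or the other two modes, string signatures are looked up in the constant pool as in Examples two and three, and the weights and threshold are the table 1 values quoted above. The instruction stream, the constant pool and the fourth signature are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass
class Signature:
    parts: List[str]   # "insn": opcode$operand items ('*' = any operand); "string": one constant
    kind: str          # "insn" (instruction stream) or "string" (constant pool)
    weight: float
    vtype: str = "trojan"

# Weights and the trojan threshold are the table 1 values quoted in the text;
# the fourth signature is constructed for this example.
TROJAN_THRESHOLD = 1.0
DATABASE = [
    Signature(["/system/bin/su"], "string", 0.2),
    Signature(["com.qihoo360.mobilesafe"], "string", 0.3),
    Signature(["1066185829"], "string", 0.5),
    Signature(["22$Ljava/lang/StringBuilder;", "1a$http://www.mybackup.me",
               "6e$Ljava/lang/StringBuilder;.append", "0c$*"], "insn", 0.6, "backup-stealer"),
]

# Constructed target: instruction stream in scheme-two form and its string constant pool.
SAMPLE_INSNS = ["22$Ljava/lang/StringBuilder;", "70$Ljava/lang/StringBuilder;.<init>",
                "1a$http://www.mybackup.me", "6e$Ljava/lang/StringBuilder;.append",
                "39$*", "0c$*"]
SAMPLE_STRINGS = {"/system/bin/su", "com.qihoo360.mobilesafe", "1066185829", "tiger"}

def part_matches(pattern: str, actual: str) -> bool:
    """Opcode must be equal; a '*' operand in the pattern matches any operand."""
    p_op, _, p_feat = pattern.partition("$")
    a_op, _, a_feat = actual.partition("$")
    return p_op == a_op and (p_feat == "*" or p_feat == a_feat)

def match_contiguous(pattern: List[str], stream: List[str]) -> bool:
    """Mode one: the signature instructions appear back to back, in order."""
    n = len(pattern)
    return any(all(part_matches(pattern[j], stream[i + j]) for j in range(n))
               for i in range(len(stream) - n + 1))

def match_in_order(pattern: List[str], stream: List[str]) -> bool:
    """Mode two (the Example one walk): same order, gaps allowed. One pass over the
    code segment; the signature cursor advances on each hit, the code cursor always."""
    k = 0
    for insn in stream:
        if k < len(pattern) and part_matches(pattern[k], insn):
            k += 1
    return k == len(pattern)

def match_any_order(pattern: List[str], stream: List[str], min_fraction: float = 1.0) -> bool:
    """Mode three: all (or at least min_fraction of) the signature instructions occur anywhere."""
    hits = sum(1 for p in pattern if any(part_matches(p, s) for s in stream))
    return hits > 0 and hits >= min_fraction * len(pattern)

MATCHERS: Dict[str, Callable[[List[str], List[str]], bool]] = {
    "contiguous": match_contiguous, "in_order": match_in_order, "any_order": match_any_order,
}

def scan(insns: List[str], strings: Set[str], db: List[Signature],
         mode: str = "in_order") -> Dict[str, float]:
    """Steps 102 and 103: find matching signatures and sum their weights per virus type."""
    matcher = MATCHERS[mode]
    totals: Dict[str, float] = {}
    for sig in db:
        if sig.kind == "string":
            hit = all(s in strings for s in sig.parts)
        else:
            hit = matcher(sig.parts, insns)
        if hit:
            totals[sig.vtype] = round(totals.get(sig.vtype, 0.0) + sig.weight, 6)
    return totals

def decide(totals: Dict[str, float], thresholds: Dict[str, float]) -> str:
    """Steps 204 to 207: at or above the type's threshold -> virus of that type; some
    weight but below every threshold -> warning (the text's 'virus APK' judgement);
    nothing matched -> normal APK."""
    if not totals:
        return "normal"
    for vtype, total in totals.items():
        if total >= thresholds.get(vtype, TROJAN_THRESHOLD):
            return f"virus:{vtype}"
    return "warning"

if __name__ == "__main__":
    for mode in MATCHERS:
        totals = scan(SAMPLE_INSNS, SAMPLE_STRINGS, DATABASE, mode)
        print(mode, totals, decide(totals, {"trojan": TROJAN_THRESHOLD}))
```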
Those skilled in the art will understand that the scanning of the above operational orders, constant pool and header information is not restricted to any particular order; those skilled in the art may set the scanning order of the above three arbitrarily according to actual conditions, and the application does not limit this.
The application embodiment is also applicable to the case of an APK nested within an APK, that is, when an APK also contains other APKs the application embodiment can equally be used: the executable files, text files and so on of both the APK and its nested APKs are parsed and virus signatures extracted. For example, a root.apk, used to obtain root privileges, is embedded in a certain 1.APK; using the application embodiment, virus signatures are extracted not only from 1.APK but also from root.apk. Those skilled in the art will readily appreciate that the application embodiment is equally applicable to multiply nested APKs, and the application does not limit this.
With reference to figure 2, which shows a flow chart of the steps of embodiment 2 of the recognition method for a virus APK of the application, the method can specifically comprise the following steps:
Step 201: preset a virus database, said virus database comprising virus signatures and corresponding weighted values.
In a preferred embodiment of the application, said step 201 can comprise the following substeps:
Substep S51: scan the specified file in the source Android installation kit APK, said specified file comprising an executable file and/or a text file;
Substep S52: extract the particular data in said executable file and judge whether said particular data comprises virus information, wherein said particular data comprises the header information of the executable file, the constants in the constant pool of the executable file, and/or the operational orders in the executable file;
Substep S53: if so, generate a virus signature according to said particular data;
Substep S54: extract the linux commands in said text file and judge whether said linux commands comprise virus information;
Substep S55: if so, generate a virus signature according to said linux commands;
Substep S56: assign a weighted value to said virus signature;
Substep S57: save said virus signature and the corresponding weighted value in the virus database.
In a concrete implementation, whether said linux command comprises virus information can be confirmed by judging whether it matches a preset malicious linux command, and a linux command that comprises virus information can also be used directly as the virus signature. In the present embodiment, said virus signature therefore also comprises a linux command condition code.
For example, the corresponding linux commands extracted from a text file in an APK are as follows:
When the above linux commands are judged to match the preset malicious linux commands, these commands are taken as virus signatures, assigned weighted values and written into the virus database.
Step 202: detect whether the specified file in the target Android installation kit APK comprises said virus signature, said specified file comprising an executable file and a text file; if so, execute step 203; if not, execute step 207.
In a preferred embodiment of the application, said step 202 can comprise the following substep:
locate the text file in the target Android installation kit APK; match the linux commands in said text file against the linux command condition codes in the virus database; if they match, judge that the specified file in the target Android installation kit APK comprises a virus signature.
Step 203: sum the weighted values corresponding to said virus signatures;
Step 204: judge whether said weighted value sum is greater than or equal to a certain virus decision threshold; if so, execute step 205; if not, execute step 206;
Step 205: judge that a virus of the respective type exists in said target Android installation kit APK, and generate the information that a virus of that type exists in said target Android installation kit APK;
Step 206: judge that said target Android installation kit APK is a virus APK, and generate the information that said target Android installation kit APK is a virus APK;
Step 207: judge that said target Android installation kit APK is a normal APK.
For example, scanning and analysis of an APK finds that it comprises the following virus signatures:
/system/bin/su com.qihoo360.mobilesafe 1066185829
With reference to the above table 1, the weight of said virus signatures is computed as 1, which is confirmed to equal the trojan decision threshold of 1, so a trojan is reported to the user and the following information is generated:
A trojan has been found. It can obtain root privileges, after which it can bypass the system's security mechanisms and carry out malicious behaviour; it can detect whether antivirus software is present on the system and thereby evade it; and it can send fee-deducting SMS messages to the number 1066185829 or dial fee-charging phone numbers.
Or, for example, scanning and analysis of an APK finds that it comprises the following virus signature:
/system/bin/su
With reference to the above table 1, its weighted value is computed as 0.2, which is confirmed to be less than the trojan decision threshold of 1, so a warning is reported to the user and the following information is generated:
Warning: the current application can obtain root privileges, after which it may bypass the system's security mechanisms and carry out malicious behaviour.
In the application embodiment, said certain virus decision threshold can be set according to different virus types and can also be dynamically adjusted in the cloud according to actual conditions; the application does not limit this.
The application embodiment is also applicable to client software and to cloud scanning and removal, that is, the above process of virus APK recognition can be completed on the client, or on the server side or in the cloud; the application does not limit this.
Application scenarios of the application embodiment are provided below:
Scenario one: on the user's virus scan start-up operation, first check whether the APK has changed and whether a cached scan result exists; if the APK has not changed and a cached scan result exists, output the cached scan result directly. Otherwise perform blacklist scanning: if the APK is found there, output the scan result that a virus APK has been found and add it to the cache; if it is not found, perform white list scanning; if the APK is found there, output the scan result that it is safe and add it to the cache; if it is not found, perform virus signature scanning with the virus database, output the scan result and add it to the cache.
Scenario two: the user newly installs an APK; the antivirus program receives the new-installation message and begins scanning the newly installed APK. First perform blacklist scanning: if the APK is found there, output the scan result that a virus has been found and add it to the cache; if it is not found, perform white list scanning; if the APK is found there, output the scan result that it is safe and add it to the cache; if it is not found, perform virus signature scanning with the virus database, output the scan result and add it to the cache.
Those skilled in the art will understand that, using the application embodiment, whether the current APK is a virus APK can also be judged by directly detecting whether the text file comprises a virus signature; to save space, the application does not elaborate on this scheme.
The application, by scanning and analysing the specified files in a source APK file, such as executable files and text files, generates corresponding virus signatures according to preset rules from the instructions, constants or header information that comprise virus information, and assembles them into a virus database; in the subsequent process of virus APK recognition, the specified files in the target APK file are detected and it is judged whether they comprise a virus signature in said virus database, thereby confirming whether the target APK is a virus APK. Using the application embodiment, however the virus maker produces a virus mutation (by obfuscation, by adding resources, by renaming classes and functions, by changing the signature or package name, and so on), the condition codes of the virus APK do not change unless the code itself is modified; the application can therefore identify a virus APK and its mutations quickly, accurately and efficiently. Moreover, changing the program logic and the specific strings (malicious numbers, malicious URLs) in a targeted way is troublesome and time-consuming for the virus maker, so this approach also effectively raises the difficulty of producing virus mutations and improves the security of APK use.
It should be noted that the application embodiment is not only applicable to the various Android terminals, that is, terminals using the Android platform (operating system), including computers, PCs, notebook computers, mobile phones, tablet computers and the like; it is also applicable to virus signature extraction schemes used on other computer systems (for example Windows, Linux).
For the method embodiments, for simplicity of description, each is expressed as a series of combined actions; but those skilled in the art should know that the application is not restricted by the described sequence of actions, since according to the application some steps can be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the application.
With reference to figure 3, which shows a structural block diagram of an embodiment of the recognition device for a virus APK of the application, the device can specifically comprise the following modules:
Virus database generation module 301, used to preset a virus database, said virus database comprising virus signatures and corresponding weighted values;
Virus detection module 302, used to detect whether the specified file in the target Android installation kit APK comprises said virus signature, and if so to call the virus weighted value statistics module 303;
Virus weighted value statistics module 303, used to sum the weighted values corresponding to said virus signatures;
Threshold decision module 304, used to judge whether said weighted value sum is greater than or equal to a certain virus decision threshold, and if so to call the virus determination module 305;
Virus determination module 305, used to judge that a virus of the respective type exists in said target Android installation kit APK.
In a preferred embodiment of the application, the device can also comprise the following module:
Virus identification module 306, used to judge that said target Android installation kit APK is a virus APK when said weighted value sum is less than the certain virus decision threshold.
In a concrete implementation, the application embodiment can also comprise the following modules:
First information generation module 307, connected with said virus determination module 305, used to generate the information that a virus of that type exists in said target Android installation kit APK;
Second information generation module 308, connected with said virus identification module 306, used to generate the information that said target Android installation kit APK is a virus APK.
More preferably, the application embodiment can also comprise the following module:
Virus scanning and removal module, used to call the security software interface and carry out virus scanning and removal on said target Android installation kit APK.
In a preferred embodiment of the application, said specified file can comprise an executable file, and said virus database generation module 301 can comprise the following submodules:
Source file scanning submodule, used to scan the specified file in the source Android installation kit APK, said specified file comprising an executable file;
Particular data extraction submodule, used to extract the particular data in said executable file and judge whether said particular data comprises virus information, wherein said particular data comprises the header information of the executable file, the constants in the constant pool of the executable file, and/or the operational orders in the executable file;
First condition code generation submodule, used to generate a virus signature according to said particular data when said particular data comprises virus information;
Weighted value assignment module, used to assign a weighted value to said virus signature;
Condition code saving submodule, used to save said virus signature and the corresponding weighted value in the virus database.
As a concrete example of the application embodiment, said condition code saving submodule may further comprise the following units:
Partitioned saving unit, used to save said header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences, class-name/function-name condition codes and the corresponding weighted values in different storage regions of the database respectively;
or,
Labelled saving unit, used to save said header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences, class-name/function-name condition codes and the corresponding weighted values in the database, distinguished by group labels.
In concrete application, said executable file can comprise a Dex file, and said Dex file can comprise the classes.dex file, files with the extension .jar, and files in Dex format.
In a preferred embodiment of the application, said virus signature can comprise: header information condition codes, constant condition codes, operand condition codes, instruction condition codes, instruction condition code sequences and class-name/function-name condition codes; the operational orders in said executable file comprise two parts, an opcode and operands.
In this case, said virus detection module 302 can comprise the following submodules:
First detection submodule, used to locate the header information of the executable file in the target Android installation kit APK, match said header information against the header information condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Second detection submodule, used to locate the constants in the constant pool of the executable file in the target Android installation kit APK, match said constants against the constant condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Third detection submodule, used to locate the operands in the operational orders of the executable file in the target Android installation kit APK, match said operands against the operand condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Fourth detection submodule, used to locate the opcodes in the operational orders of the executable file in the target Android installation kit APK, match said opcodes against the instruction condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Fifth detection submodule, used to locate the opcodes in the operational orders of the executable file in the target Android installation kit APK, match said opcodes against the instruction condition code sequences in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature;
and/or,
Sixth detection submodule, used to locate the class names and/or function names called by the constants in the constant pool and by the operands in the operational orders of the executable file in the target Android installation kit APK, match said class names and/or function names against the class-name/function-name condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature.
In a concrete implementation, said header information condition codes, constant condition codes, operand condition codes and class-name/function-name condition codes can be generated directly from the header information, constants, operands and class names/function names that comprise virus information;
said instruction condition codes and instruction condition code sequences can be generated directly from the operational orders that comprise virus information, or can be generated from the strings or wildcards of the opcodes and operands that comprise virus information.
In a preferred embodiment of the application, said specified file can also comprise a text file, and in this case said virus database generation module 301 can also comprise the following submodules:
Linux command extraction submodule, used to extract the linux commands in said text file and judge whether said linux commands comprise virus information;
Second condition code generation submodule, used to generate a virus signature according to said linux commands when said linux commands comprise virus information.
Accordingly, said virus signature can also comprise linux command condition codes, and said virus detection module 302 can also comprise the following submodule:
Seventh detection submodule, used to locate the text file in the target Android installation kit APK, match the linux commands in said text file against the linux command condition codes in the virus database, and if they match judge that the specified file in the target Android installation kit APK comprises a virus signature.
In concrete application, the constants in the constant pool of said executable file can comprise the constants among the strings, types, fields and methods; the header information of said executable file can comprise the digest information checksum and/or the signing information Signature.
Since said device embodiment basically corresponds to the method embodiments illustrated in figures 1 and 2 above, the parts not described in detail in the present embodiment can be found in the related description of the previous embodiments and are not elaborated here.
Those skilled in the art should understand that the application's embodiment can be provided as method, system or computer program.Therefore, the application can adopt the form of the embodiment of complete hardware embodiment, complete software implementation example or combination software and hardware aspect.And the application can be employed in the form that one or more computer-usable storage medium (including but not limited to magnetic disk memory, CD-ROM, optical memory etc.) that wherein include computer usable program code go up the computer program of implementing.
The application is that reference is described according to the process flow diagram and/or the block scheme of method, equipment (system) and the computer program of the application embodiment.Should understand can be by the flow process in each flow process in computer program instructions realization flow figure and/or the block scheme and/or square frame and process flow diagram and/or the block scheme and/or the combination of square frame.Can provide these computer program instructions to the processor of multi-purpose computer, special purpose computer, Embedded Processor or other programmable data processing device to produce a machine, make the instruction of carrying out through the processor of computing machine or other programmable data processing device produce to be used for the device of the function that is implemented in flow process of process flow diagram or a plurality of flow process and/or square frame of block scheme or a plurality of square frame appointments.
These computer program instructions also can be stored in ability vectoring computer or the computer-readable memory of other programmable data processing device with ad hoc fashion work; Make the instruction that is stored in this computer-readable memory produce the manufacture that comprises command device, this command device is implemented in the function of appointment in flow process of process flow diagram or a plurality of flow process and/or square frame of block scheme or a plurality of square frame.
These computer program instructions also can be loaded on computing machine or other programmable data processing device; Make on computing machine or other programmable devices and to carry out the sequence of operations step producing computer implemented processing, thereby the instruction of on computing machine or other programmable devices, carrying out is provided for being implemented in the step of the function of appointment in flow process of process flow diagram or a plurality of flow process and/or square frame of block scheme or a plurality of square frame.
Although preferred embodiments of the application have been described, those skilled in the art, once they have grasped the basic inventive concept, may make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as covering the preferred embodiments and all changes and modifications that fall within the scope of the application.
Finally, it should also be noted that in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "comprising" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises that element.
The APK virus recognition method and the APK virus recognition device provided by the application have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the application; the description of the above embodiments is intended only to help in understanding the method of the application and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the ideas of the application, make changes to both the specific embodiments and the scope of application. In summary, the contents of this description should not be construed as limiting the application.
