CN104462969A - Method, device and system for checking and killing malicious application programs - Google Patents

Publication number: CN104462969A
Authority: CN (China)
Prior art keywords: mobile terminal; terminal; malicious application; file; killing
Legal status: Pending (the listed status is an assumption, not a legal conclusion)
Application number: CN201410784826.1A
Other languages: Chinese (zh)
Inventors: 董清, 李伟
Current assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd (the listed assignees may be inaccurate)
Original assignee: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd and Qizhi Software Beijing Co Ltd
Priority to CN201410784826.1A
Publication of CN104462969A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a method, device and system for checking and killing malicious application programs and relates to the technical field of computers. The method is characterized in that when a mobile terminal is locked, connection between the mobile terminal and a PC terminal is built, the mobile terminal is scanned through the PC terminal to determine whether the malicious application programs exist in the mobile terminal or not, and if so, the PC terminal transmits a control instruction to the mobile terminal to eliminate the malicious application programs. By the method, the problem that the malicious application programs cannot be eliminated due to the fact that the mobile terminal cannot be operated when the mobile terminal is locked is solved.

Description

Method, device and system for detecting and removing malicious applications
Technical field
The present invention relates to the field of computer technology, and specifically to a method, device and system for detecting and removing malicious applications.
Background
At present, mobile terminals such as mobile phones and tablet computers are used more and more widely. Android is a mobile terminal operating system based on open-source licensing; after years of development it is quite mature and provides a wide range of functions.
As Android has developed, trojans targeting Android have also become more numerous. These trojans can steal user privacy, cause the user to lose phone charges, and so on. At present, a trojan removal tool or software can be used to detect and remove trojans: after the tool is downloaded to the mobile terminal and installed, it can scan for and remove the trojans present on the mobile terminal.
However, recent trojans have become more persistent, and once a mobile terminal is infected by some of them, detection and removal cannot be carried out. For example, with the existing "screen-locking trojan", once the terminal is infected the trojan forcibly locks the user's screen; the user cannot operate the mobile terminal, so the trojan cannot be removed.
At present there is no effective method for detecting and removing persistent trojans of this type.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method for detecting and removing malicious applications, and a corresponding device and system, that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a method for detecting and removing malicious applications is provided, applied to a PC terminal, comprising:
When the mobile terminal is locked, connecting the PC terminal and the mobile terminal;
Scanning, by the PC terminal, whether a malicious application exists in the mobile terminal;
When a malicious application exists in the mobile terminal, completing the removal of the malicious application by sending a control instruction to the mobile terminal.
Optionally, scanning, by the PC terminal, whether a malicious application exists in the mobile terminal comprises:
Using the PC terminal to obtain the file features of the files to be scanned in the mobile terminal;
Using the network capability of the PC terminal to send the file features to a cloud scanning server, which scans them for malicious application features;
Receiving and outputting the scan result returned by the cloud scanning server, and sending the scan result to the mobile terminal.
Optionally, completing the removal of the malicious application by sending a control instruction to the mobile terminal comprises:
Sending to the mobile terminal an instruction to delete the files under a specified path in the mobile terminal;
Wherein the specified path is the storage path of the malicious application.
Optionally, completing the removal of the malicious application by sending a control instruction to the mobile terminal comprises:
Sending to the mobile terminal an instruction to inject removal code into a designated program;
Wherein the designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts, and closes the process of the malicious application.
Optionally, completing the removal of the malicious application by sending a control instruction to the mobile terminal comprises:
Sending a flashing instruction to the mobile terminal, and completing the removal of the malicious application by flashing.
Optionally, sending a flashing instruction to the mobile terminal and completing the removal of the malicious application by flashing comprises:
Locating the BOOT partition of the mobile terminal;
Reading the boot.img file from the BOOT partition;
Decompressing the boot.img file and removing the malicious application from it;
Compressing the boot.img file from which the malicious application has been removed, and writing it back over the BOOT partition of the mobile terminal.
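The read, decompress and identify steps above can be illustrated with the following added example, which is not code from the patent. It assumes the legacy Android boot image header layout (header versions 0 to 2) and a gzip-compressed "newc" cpio ramdisk; the sample image, the file names and the baseline of known-good hashes are constructed for the illustration.

```python
import gzip
import hashlib
import struct

BOOT_MAGIC = b"ANDROID!"

def align(n, size):
    """Round n up to the next multiple of size."""
    return (n + size - 1) // size * size

def extract_ramdisk(boot_img):
    """Locate and decompress the ramdisk of a legacy-format boot.img."""
    if len(boot_img) < 48 or boot_img[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image")
    # After the magic: kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
    # second_size, second_addr, tags_addr, page_size, then two more words.
    fields = struct.unpack_from("<10I", boot_img, 8)
    kernel_size, ramdisk_size, page_size = fields[0], fields[2], fields[7]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page size")
    # One header page, then the kernel padded to whole pages, then the ramdisk.
    start = page_size + align(kernel_size, page_size)
    blob = boot_img[start:start + ramdisk_size]
    if len(blob) != ramdisk_size:
        raise ValueError("ramdisk extends past end of image")
    return gzip.decompress(blob)

def list_cpio(archive):
    """Return {path: content} for every entry of a 'newc' cpio archive."""
    entries, pos = {}, 0
    while True:
        if archive[pos:pos + 6] != b"070701" or pos + 110 > len(archive):
            raise ValueError("bad cpio header at offset %d" % pos)
        # 13 fields of 8 hex digits follow the 6-byte magic.
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode("utf-8", "replace")
        data_at = align(pos + 110 + namesize, 4)
        if name == "TRAILER!!!":
            return entries
        entries[name] = archive[data_at:data_at + filesize]
        pos = align(data_at + filesize, 4)

def unexpected_entries(boot_img, baseline):
    """Paths in the ramdisk that are absent from, or differ from, the baseline."""
    found = list_cpio(extract_ramdisk(boot_img))
    return sorted(p for p, d in found.items()
                  if baseline.get(p) != hashlib.sha256(d).hexdigest())

# ---- constructed sample data (not taken from a real device) ----
def cpio_entry(name, data):
    n = name.encode() + b"\0"
    hdr = b"070701" + b"".join(b"%08X" % v for v in
                               (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0))
    head = hdr + n
    return head + b"\0" * (-len(head) % 4) + data + b"\0" * (-len(data) % 4)

def build_sample_boot(files, page=2048):
    cpio = b"".join(cpio_entry(n, d) for n, d in files.items()) + cpio_entry("TRAILER!!!", b"")
    ramdisk, kernel = gzip.compress(cpio), b"K" * 3000
    header = BOOT_MAGIC + struct.pack("<10I", len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page, 0, 0)
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(header) + pad(kernel) + pad(ramdisk)

CLEAN_FILES = {"init.rc": b"service adbd /sbin/adbd\n", "sbin/adbd": b"\x7fELF-stock"}
BASELINE = {p: hashlib.sha256(d).hexdigest() for p, d in CLEAN_FILES.items()}
# Hypothetical tampering: one added binary and a modified init.rc that starts it.
TAMPERED_FILES = dict(CLEAN_FILES, **{
    "init.rc": CLEAN_FILES["init.rc"] + b"service locker /sbin/lockerd\n",
    "sbin/lockerd": b"\x7fELF-constructed",
})

if __name__ == "__main__":
    print(unexpected_entries(build_sample_boot(TAMPERED_FILES), BASELINE))
```

Comparing against hashes taken from the stock firmware for the same device model catches both added files and modified startup scripts, which a scan for known-bad names alone would miss.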
Optionally, before the control instruction is sent to the mobile terminal to complete the removal of the malicious application, the method further comprises:
Obtaining ROOT permission on the mobile terminal.
According to one aspect of the present invention, a method for detecting and removing malicious applications is also provided, applied to a mobile terminal, comprising:
Connecting the mobile terminal and a PC terminal;
Receiving the control instruction sent by the PC terminal;
Wherein the control instruction is used to complete the removal of the malicious application.
Optionally, before the control instruction sent by the PC terminal is received, the method further comprises:
Calculating the file features of the local files to be scanned;
Sending the file features to the PC terminal;
Wherein the file features are uploaded by the PC terminal, using its own network capability, to the cloud scanning server, so that the cloud scanning server can scan them for malicious application features.
Optionally, receiving the control instruction sent by the PC terminal comprises:
Receiving an instruction, sent by the PC terminal, to delete the files under a specified path;
Wherein the specified path is the storage path of the malicious application in the mobile terminal.
Optionally, receiving the control instruction sent by the PC terminal comprises:
Receiving an instruction, sent by the PC terminal, to inject removal code into a designated program;
Wherein the designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts, and closes the process of the malicious application.
Optionally, receiving the control instruction sent by the PC terminal comprises:
Receiving a flashing instruction sent by the PC terminal, and completing the removal of the malicious application by flashing.
Optionally, receiving the flashing instruction sent by the PC terminal comprises:
Receiving an instruction, sent by the PC terminal, to read the boot.img file in the BOOT partition;
Sending the boot.img file to the PC terminal;
Receiving the boot.img file, sent by the PC terminal, from which the malicious application has been removed, and writing it over the BOOT partition.
According to one aspect of the present invention, a PC terminal for detecting and removing malicious applications is also provided, comprising:
A first connection establishment module, adapted to connect the PC terminal and the mobile terminal;
A scan module, adapted to scan, by the PC terminal, whether a malicious application exists in the mobile terminal;
A removal module, adapted to complete the removal of the malicious application by sending a control instruction to the mobile terminal when a malicious application exists in the mobile terminal.
Optionally, the scan module comprises:
A file feature acquisition unit, adapted to use the PC terminal to obtain the file features of the files to be scanned in the mobile terminal;
A file feature upload unit, adapted to use the network capability of the PC terminal to send the file features to the cloud scanning server, which scans them for malicious application features;
A result output unit, adapted to receive and output the scan result returned by the cloud scanning server, and to send the scan result to the mobile terminal.
Optionally, the removal module is adapted to complete the removal of the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending to the mobile terminal an instruction to delete the files under a specified path in the mobile terminal;
Wherein the specified path is the storage path of the malicious application.
Optionally, the removal module is adapted to complete the removal of the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending to the mobile terminal an instruction to inject removal code into a designated program;
Wherein the designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts, and closes the process of the malicious application.
Optionally, the removal module is adapted to complete the removal of the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending a flashing instruction to the mobile terminal, and completing the removal of the malicious application by flashing.
Optionally, the removal module comprises:
A locating unit, adapted to locate the BOOT partition of the mobile terminal;
A reading unit, adapted to read the boot.img file from the BOOT partition;
A cleaning unit, adapted to decompress the boot.img file and remove the malicious application from it;
An overwriting unit, adapted to compress the boot.img file from which the malicious application has been removed, and to write it back over the BOOT partition of the mobile terminal.
Optionally, the PC terminal further comprises:
A permission acquisition module, adapted to obtain ROOT permission on the mobile terminal before the control instruction is sent to the mobile terminal to complete the removal of the malicious application.
According to one aspect of the present invention, a mobile terminal for detecting and removing malicious applications is also provided, comprising:
A second connection establishment module, adapted to connect the mobile terminal and the PC terminal;
An instruction receiving module, adapted to receive the control instruction sent by the PC terminal;
Wherein the control instruction is used to complete the removal of the malicious application.
Optionally, the mobile terminal further comprises:
A file feature calculation module, adapted to calculate the file features of the local files to be scanned before the control instruction sent by the PC terminal is received;
A file feature sending module, adapted to send the file features to the PC terminal;
Wherein the file features are uploaded by the PC terminal, using its network capability, to the cloud scanning server, so that the cloud scanning server can scan them for malicious application features.
Optionally, the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving an instruction, sent by the PC terminal, to delete the files under a specified path;
Wherein the specified path is the storage path of the malicious application in the mobile terminal.
Optionally, the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving an instruction, sent by the PC terminal, to inject removal code into a designated program;
Wherein the designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts, and closes the process of the malicious application.
Optionally, the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving a flashing instruction sent by the PC terminal, and completing the removal of the malicious application by flashing.
Optionally, the instruction receiving module comprises:
An instruction receiving unit, adapted to receive an instruction, sent by the PC terminal, to read the boot.img file in the BOOT partition;
A file sending unit, adapted to send the boot.img file to the PC terminal;
A file overwriting unit, adapted to receive the boot.img file, sent by the PC terminal, from which the malicious application has been removed, and to write it over the BOOT partition.
According to one aspect of the present invention, a system for detecting and removing malicious applications is also provided, comprising the above PC terminal and the above mobile terminal.
The invention provides a method, device and system for detecting and removing malicious applications. When the mobile terminal is locked, a connection between the mobile terminal and the PC terminal is established, and the PC terminal scans whether a malicious application exists in the mobile terminal. When a malicious application exists in the mobile terminal, the PC terminal completes its removal by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application in it cannot be removed because the mobile terminal cannot be operated.
The above description is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
From the following detailed description of specific embodiments of the invention, taken together with the accompanying drawings, those skilled in the art will better understand the above and other objects, advantages and features of the present invention.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be regarded as limiting the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is a flowchart of a method for detecting and removing malicious applications provided by an embodiment of the invention;
Fig. 2 is a flowchart of another method for detecting and removing malicious applications provided by an embodiment of the invention;
Fig. 3 is a detailed flowchart of a method for detecting and removing malicious applications provided by an embodiment of the invention;
Fig. 4 is a schematic view of scanning the files in a mobile terminal, provided by an embodiment of the invention;
Fig. 5 is a flowchart of the method by which the PC terminal scans the files in the mobile terminal, provided by an embodiment of the invention;
Fig. 6 is a schematic view of displaying the scan result for the files in the mobile terminal, provided by an embodiment of the invention;
Fig. 7 is a schematic view after the files in the mobile terminal have been cleaned, provided by an embodiment of the invention;
Fig. 8 is a flowchart of a method for removing the malicious application in the mobile terminal by flashing, provided by an embodiment of the invention;
Fig. 9 is a view of the prompt shown before the removal flow, provided by an embodiment of the invention;
Fig. 10 is a view shown while the system is being re-flashed, provided by an embodiment of the invention;
Fig. 11 is a view shown after removal of the malicious program has been completed by re-flashing the system partition, provided by an embodiment of the invention;
Fig. 12 is a structural block diagram of a PC terminal for detecting and removing malicious applications provided by an embodiment of the invention;
Fig. 13 is a structural block diagram of a mobile terminal for detecting and removing malicious applications provided by an embodiment of the invention;
Fig. 14 is a structural block diagram of a system for detecting and removing malicious applications provided by an embodiment of the invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the disclosure can be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood thoroughly and its scope conveyed completely to those skilled in the art.
Embodiment one
This embodiment of the invention provides a method for detecting and removing malicious applications. The method is applied on the PC terminal side: by connecting to the mobile terminal, it completes the detection and removal of the malicious application on the mobile terminal when the mobile terminal is locked and cannot be operated.
Fig. 1 is a flowchart of a method for detecting and removing malicious applications provided by the embodiment of the present invention. The method is applied on the PC terminal side and comprises steps S102 to S106:
S102: when the mobile terminal is locked, connect the PC terminal and the mobile terminal.
S104: scan, by the PC terminal, whether a malicious application exists in the mobile terminal.
S106: when a malicious application exists in the mobile terminal, complete the removal of the malicious application by sending a control instruction to the mobile terminal.
This embodiment of the invention provides a method for detecting and removing malicious applications, applied on the PC terminal side. When the mobile terminal is locked, a connection with the mobile terminal is established and the PC terminal scans whether a malicious application exists in the mobile terminal; when one exists, its removal is completed by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application in it cannot be removed because the mobile terminal cannot be operated.
Embodiment two
This embodiment of the invention provides a method for detecting and removing malicious applications. The method is applied on the mobile terminal side: by connecting to the PC terminal, it completes the detection and removal of the malicious application on the mobile terminal when the mobile terminal is locked and cannot be operated.
In the present invention, the mobile terminal can be a device such as a mobile phone or a tablet computer.
Fig. 2 is a flowchart of a method for detecting and removing malicious applications provided by the embodiment of the present invention. The method is applied to the mobile terminal and comprises steps S202 to S204:
S202: connect the mobile terminal and the PC terminal.
S204: receive the control instruction sent by the PC terminal.
Wherein the control instruction is used to complete the removal of the malicious application.
This embodiment of the invention provides a method for detecting and removing malicious applications, applied on the mobile terminal side. When the mobile terminal is locked, a connection with the PC terminal is established and the PC terminal scans whether a malicious application exists in the mobile terminal; when one exists, the PC terminal completes its removal by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application in it cannot be removed because the mobile terminal cannot be operated.
Embodiment three
The method for detecting and removing malicious applications provided by the present invention is realized through the cooperation of the PC terminal and the mobile terminal. Embodiment one describes the method from the PC terminal side, and embodiment two describes it from the mobile terminal side.
Embodiment three is a concrete application scenario of embodiments one and two, described from both the PC terminal side and the mobile terminal side. Through this embodiment, the method provided by the present invention can be set out more clearly and specifically.
Fig. 3 is a detailed flowchart of a method for detecting and removing malicious applications provided by the embodiment of the present invention, comprising steps S301 to S304.
In step S301, when the mobile terminal is locked, the connection between the PC terminal and the mobile terminal is established.
The mobile terminal may be locked not only by a screen-locking trojan but also by other persistent trojans. Locking is not limited to locking of the screen; it can also be any other locking that makes antivirus software inoperable, for example antivirus software cannot be installed on the mobile terminal, or the antivirus software on the mobile terminal cannot be started.
It should be noted that the method provided by the present invention is executed by a scanning program on the PC terminal (for example antivirus software such as a first aid box or toolbox); therefore, the connection between the PC terminal and the mobile terminal must be established first.
The connection between the PC terminal and the mobile terminal can be established in several ways, for example:
For Android, the mobile terminal is connected to the PC terminal as follows:
(1) The mobile terminal needs to have USB debugging mode enabled, so that the PC terminal is allowed to communicate with and control the mobile terminal. Android disables USB debugging mode by default, so the user must enable it manually. Preferably, a user guide can be added that shows the user how to enable USB debugging mode.
The way to enable USB debugging mode differs for each type of mobile terminal, so the methods for enabling USB debugging mode on the Android mobile terminals on the market can be collected, and the user prompted according to the type of the user's terminal.
(2) After USB debugging is enabled, a data cable is used to connect the PC terminal to the mobile terminal. The virus scanning tool on the PC (such as a first aid box) enumerates the USB devices and judges whether a device is a mobile terminal; if so, it attempts to communicate through a socket with the ADB (Android Debug Bridge) Server process inside the phone, and completes the initialization of communication between the PC terminal and the mobile terminal.
(3) After initialization succeeds, the virus scanning tool sends an ELF or APK file to the mobile terminal and runs it. The virus scanning tool on the PC side communicates with the mobile terminal through this file in order to complete the detection and removal of the malicious program.
After the connection between the PC terminal and the mobile terminal is complete, the detection and removal flow for the malicious program can begin.
Besides the wired connection described above, a wireless connection can also be used, as follows:
Establishing a wireless connection relies on a first client built into the PC terminal and a second client on the mobile terminal. The first client and the second client can be versions of the same client, one suited to computing devices and one suited to mobile devices. For example, the first client is the PC version of a mobile phone assistant application, and the second client is the mobile device version of the mobile phone assistant application, such as its Android version. The wireless connection can specifically comprise the following steps:
A) The first client on the PC terminal sends the identifier of the PC terminal and the identifier of the mobile device to a server, and the server judges whether the identifier of the mobile device has a connection mapping relationship with the identifier of the PC terminal.
If the PC terminal has previously established a connection with the mobile terminal, for example the first client on the PC terminal and the second client on the mobile terminal were connected by a wired connection or some other connection mode, then the first client on the PC terminal can record the connection mapping relationship between the PC terminal and the mobile terminal and send it to the server's database. The connection mapping relationship can specifically comprise the identifier of the PC terminal and the identifier of the mobile terminal. The identifier of the PC terminal can be the Internet Protocol (IP) address of the PC terminal, and the identifier of the mobile terminal can be the International Mobile Equipment Identity (IMEI) of the mobile terminal, and so on; of course, the embodiment of the present invention does not limit the specific identifiers of the PC terminal and the mobile terminal.
B) When the identifier of the mobile terminal has a connection mapping relationship with the identifier of the PC terminal, the first client on the PC terminal establishes a wireless connection with the second client on the mobile terminal over a WIFI network.
Specifically, the second client on the mobile terminal and the first client on the PC terminal can each connect to the server. If the identifier of the mobile terminal has a connection mapping relationship with the identifier of the PC terminal, the server enables the second client on the mobile terminal and the first client on the PC terminal to establish a wireless connection, where the first client can use a WIFI network and the second client can use a WIFI network or a mobile network.
In practice, when the second client on the mobile terminal and the first client on the PC terminal have established their connections with the server, each can display a connection-success message on its own interface.
After the connection is established, step S302 can be performed: the PC terminal scans the files in the mobile terminal and judges whether a malicious application exists. If a malicious application exists, step S303 is performed; if not, the operation ends.
Fig. 4 shows a schematic view of scanning the files in the mobile terminal.
It should be noted that the PC terminal can scan the files in the mobile terminal in several ways, for example:
(1) Extract the file features of the files to be scanned in the mobile terminal, and scan them with the scanning engine local to the PC.
(2) Extract the file features of the files to be scanned in the mobile terminal, and scan them with the scanning engine local to the PC; if there are file features that cannot be identified, upload them to the cloud scanning server for a second scan.
(3) Extract the file features of the files to be scanned in the mobile terminal, and scan them with the scanning engine local to the PC; regardless of the result, upload the file features to the cloud scanning server for a second scan.
This embodiment is described using scan mode (3). Fig. 5 shows a flowchart of the method by which the PC terminal scans the files in the mobile terminal, which comprises the following:
In step S302-1, the mobile terminal performs a calculation on the files to be scanned and obtains their file features.
It should be noted that for each virus or trojan, a file feature value can be calculated and placed in the virus database of the cloud scanning server. When scanning for malicious programs, the file feature value of a file to be scanned is calculated in the same way and matched against the file feature values in the virus database of the cloud scanning server. If a matching file feature value exists, the file to be scanned is considered a virus file.
Specifically, several methods can be used to extract the feature value of a file, such as matching the machine instructions of the executable code in an ELF (Executable and Linking Format) file. Concretely, when extracting the feature value of a file, a segment of data of a specified length (the instructions of the executable code, or a part of them) can be extracted from the file.
Such as, can the eigenwert of extraction document in the following way:
For Android operation system, most of Android application is all mainly write by Java language, generates the bytecode (byte code) of Dalvik virtual machine, be packaged into classes.dex file after compiling.Resolve classes.dex file, its bytecode of decompiling, just can the program of the being applied instruction that will perform.
Can select can represent characteristic of malware in instruction instruction as condition code, when finding to comprise such condition code in classes.dex file, just as a feature.Such as, Android.Geinimi wooden horse is in order to hide oneself, and write in code after some critical datas (as wooden horse server info) being encrypted, these encrypted data become the feature detecting and identify it on the contrary.Can see in output with dexdump tool analysis classes.dex file and comprise following fragment:
00d00c:0003010010000000553502348664...|02d4:array-data(12units)
00d024:00030100100000001bea c301eadf...|02e0:array-data(12units)
These fragments can be extracted as features for detection and identification.
Of course, the dexdump tool is only one means of displaying these features; the parsing, decompiling and identification of classes.dex files can also be implemented independently by other means.
In summary, sample one does not contain an ELF file, so no ELF feature is extracted.
After the above features have been extracted from sample one, suppose the virus database of the cloud scanning server contains the following feature records:
Feature one: packageName=com.wbs
Feature two: none
Feature three: MD5(signature[0])=294f08ae04307a649322524713318543
Feature one + feature three: security level is "Trojan"
When the detection flow reaches "look for a Trojan containing feature one and feature three", the record is found and the result returned is "Trojan".
In step S302-2, the mobile terminal sends the above file features to the PC terminal.
After the PC terminal receives the file features, step S302-3 is performed: the PC terminal performs a first scan using its local scanning engine.
After the first scan against the PC terminal's local database is complete, step S302-4 is performed: the PC terminal uses its own network capability to send the file features to the cloud scanning server.
In step S302-5, the cloud scanning server performs a second scan based on the above file features.
The malicious-program identification database, whether local or on the cloud scanning server, is preloaded with many feature records (that is, feature values). A single piece of feature information can form a feature record, and a combination of several pieces of feature information can also form one. For example, a security identification database is preloaded with several dozen feature records: the first lists the Android package name of a certain virus; the second lists the Android package version number of a certain normal application and the MD5 value of its digital signature; the third lists the Android package name of a certain normal application and its receiver features; the fourth lists the Android package name and version number of a certain Trojan and a specific string in its ELF file; and so on.
Further, when scanning by feature value, the scanned files can be classified, for example into four security levels: safe, dangerous, caution and Trojan. The security levels are defined as follows:
Safe: the application is a normal application with no behavior that threatens the security of the user's phone;
Dangerous: the application carries a security risk. It may itself be malware, or it may be normal software released by a legitimate company that has security vulnerabilities which put the user's privacy and the phone's security at risk;
Caution: the application is a normal application but has some problems, for example it may cause the user to be charged through carelessness, or it has drawn complaints for unfriendly advertising. When such an application is found, the user can be prompted to use it with caution and informed of its possible behavior, but the decision whether to remove it is left to the user;
Trojan: the application is a virus, Trojan or other malware. It is called a Trojan here for simplicity, but this does not mean the application is only a Trojan.
The cloud scanning server keeps a huge virus database containing the file feature values of numerous malicious programs, so it can identify many kinds of malicious applications during scanning.
The scan result record is the behavior description information of the program, which can take the following form, for example:
The behavior description information can be represented by a 32-bit integer (bits 0 to 31) and can express the software behavior description for each security level. One bit can be chosen as a flag bit; a flag bit of 0 means there is no malicious behavior. If there is malicious behavior, the bits can be defined as follows: bit 1 represents "silent background download", bit 2 represents "sending SMS messages without the user's knowledge", bit 3 represents "contains advertisements", and so on. That is, each bit can independently represent one kind of software behavior.
For example, for an Android application detected at the "Trojan" level, if malicious behavior = 3, which is 11 in binary, then bit 1 = 1 and bit 2 = 1, and the malicious behavior expressed is: both silent background download and sending SMS messages without the user's knowledge.
As another example, for an Android application detected at the "caution" level, if behavior description = 4, which is 100 in binary, then bit 1 = 0, bit 2 = 0 and bit 3 = 1, and the behavior expressed is: contains advertisements. Because the advertisement may or may not be something the user permits, the user can be prompted to use the application with caution and left to decide whether to remove it.
After the scan is complete, step S302-6 is performed: the scan result is returned to the PC terminal.
In step S302-7, the PC terminal merges the two scan results into the final scan result.
Figure 6 is a schematic diagram of the effect of displaying the scan result for the files on the mobile terminal.
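The feature-record matching, the behavior description bits and the merging of the local and cloud scans described above can be put together as follows. This is an added example, not code from the patent: the severity ordering of the levels, the merge rule (most severe level, union of behavior bits), the function names and the two sample databases are assumptions made for illustration, and the flag bit is left out because the text does not say which bit it is.

```python
from dataclasses import dataclass

# Assumed severity order for merging; the text names the four levels
# but does not rank them.
LEVELS = ["safe", "caution", "dangerous", "trojan"]

# Bit numbers as used in the text's worked examples (bit 1 is the lowest bit).
BEHAVIORS = {
    1: "silent background download",
    2: "sends SMS without the user's knowledge",
    3: "contains advertisements",
}


@dataclass(frozen=True)
class FeatureRecord:
    features: dict      # one feature, or a combination that must all match
    level: str
    behavior: int = 0   # 32-bit behavior description


def decode_behavior(value):
    """Expand a behavior description integer into readable behaviors."""
    if not 0 <= value < 2 ** 32:
        raise ValueError("behavior description must fit in 32 bits")
    names = []
    for bit in range(1, 33):
        if value >> (bit - 1) & 1:
            names.append(BEHAVIORS.get(bit, f"undefined bit {bit}"))
    return names


def scan(file_features, database):
    """Return (level, behavior) of the most severe matching record, or None."""
    best = None
    for record in database:
        matched = all(file_features.get(k) == v for k, v in record.features.items())
        if matched and (best is None or LEVELS.index(record.level) > LEVELS.index(best[0])):
            best = (record.level, record.behavior)
    return best


def merge(local, cloud):
    """Combine both scans: most severe level, union of behavior bits (assumed rule)."""
    results = [r for r in (local, cloud) if r is not None]
    if not results:
        return ("unknown", 0)
    level = max((r[0] for r in results), key=LEVELS.index)
    behavior = 0
    for _, bits in results:
        behavior |= bits
    return (level, behavior)


# Features of "sample one" as given in the text.
SAMPLE_ONE = {
    "packageName": "com.wbs",
    "MD5(signature[0])": "294f08ae04307a649322524713318543",
}
# Constructed databases. The cloud record is the text's "feature one + feature
# three" combination; its behavior value 3 is a constructed value borrowed from
# the text's generic Trojan example. com.example.adsapp is a made-up package.
LOCAL_DB = [FeatureRecord({"packageName": "com.example.adsapp"}, "caution", 4)]
CLOUD_DB = LOCAL_DB + [FeatureRecord(dict(SAMPLE_ONE), "trojan", 3)]


def verdict(file_features):
    """Scan mode (3): local scan first, cloud scan regardless, then merge."""
    level, behavior = merge(scan(file_features, LOCAL_DB), scan(file_features, CLOUD_DB))
    return level, decode_behavior(behavior)


if __name__ == "__main__":
    print(verdict(SAMPLE_ONE))
```

The local database has no record for sample one, so only the cloud scan classifies it, which is the case scan mode (3) is designed to cover.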
Further, after the PC terminal obtains the scan result, the method can also comprise:
The PC terminal returns the scan result to the mobile terminal.
When it is confirmed that a malicious application exists on the mobile terminal, the removal flow for the malicious application can be started.
When it is determined that a malicious application exists on the mobile terminal, step S303 is performed: a control instruction for removing the malicious application is sent to the mobile terminal.
In step S304, the mobile terminal executes the received control instruction to complete the removal of the malicious application.
The control instruction can take several forms, for example:
First: a removal instruction, which removes the malicious application on the mobile terminal directly;
Second: a flashing instruction, which removes the malicious application on the mobile terminal by reflashing;
Third: an injection instruction, which removes the malicious application on the mobile terminal by immunization.
The implementation of these three instructions is described in detail below.
In the implementation of the first instruction:
The removal instruction can be any of the following:
An instruction to delete files under a specified path on the mobile terminal, an instruction to enumerate packages, an instruction to extract file features, or an instruction to read a file.
Figure 7 is a schematic diagram of the effect after removal has been carried out on the files on the mobile terminal; in this diagram, uninstalling the malicious application on the mobile terminal has been selected.
In the implementation of the second instruction:
The malicious application on the mobile terminal is removed by reflashing.
Figure 8 is a flowchart of a method for removing the malicious application on the mobile terminal by reflashing, which comprises the following steps:
Step S304-1: obtain the model information of the mobile terminal.
Further, before step S304-1 is performed, the method also comprises:
Prompting the user not to unplug the data cable, to avoid damage during flashing.
Figure 9 shows the effect of one kind of prompt displayed before the removal flow.
It should be noted that a BOOT partition is provided in the storage space of the mobile terminal, and its operating system files are stored in the BOOT partition in the form of a compressed package.
In the present embodiment, taking the Android operating system as an example, the system file package is boot.img.
For example, the undying Trojan is written precisely into boot.img. Normally, when the operating system starts, boot.img is first decompressed and released into memory, and then the operating system is started. Existing antivirus methods therefore cannot remove the undying Trojan: after the operating system restarts, the undying Trojan is released into the mobile terminal's memory again.
boot.img contains two parts: the kernel and the root directory (initramdisk). The root directory contains a service directory and the boot configuration file init.rc, and the service directory contains service files. The service directory may include the sbin directory.
The startup process of a typical Android operating system is as follows:
First, after a power-on or restart trigger is received, the boot.img in the BOOT partition is loaded in read-only mode. Then the kernel of boot.img reads the configuration information in init.rc under the root directory, which tells the programs in the operating system what operations to perform at startup, for example showing the boot animation on screen.
Different mobile terminals differ in manufacturer and in the operating system used, so the storage location of the BOOT partition differs, as does the compression format of the system file package boot.img. Therefore, before reflashing, the model information must first be obtained in order to learn the storage location of the BOOT partition.
The position of the BOOT partition can also be obtained from the partition table on the mobile terminal.
In general, the partition table is located in one or several sectors at the start of the mobile terminal's disk (storage space); reading these sectors and parsing them according to the specific format yields the partition table. Disks of different formats require adaptation work. Many manufacturers use custom disk formats for their mobile terminals, and a small number use disks in MBR (Master Boot Record) and GPT (GUID Partition Table) formats.
Taking the startup of the Android operating system as an example: after the mobile terminal powers on, it first loads the Bootloader program code in the CPU. This code locates the BOOT partition, reads the system file boot.img from the BOOT partition into memory, and decompresses the kernel and ramdisk in it. The kernel file is run first, loading the Linux kernel (the Android operating system uses the Linux kernel). After the operating system kernel has started, the programs in the ramdisk are run, completing the startup of the whole operating system.
It should be noted that both the storage location of the partition table and the storage format of the disk can be custom-defined, so the positions of the partition table and the operating system differ between phones and must be handled by adaptation.
In general, a mobile terminal may have multiple partitions, which can be searched one by one to determine the position of the BOOT partition.
The model information of the mobile terminal can include the brand of the mobile terminal, the model of the operating system, the kernel version number and so on, for example:
Huawei P6, operating system Emotion UI, kernel version Android 4.2.2;
Meizu MX4, operating system Flyme 4.0, kernel version Android 4.4.1.
Step S304-2: according to the model information of the mobile terminal, locate the storage position of its BOOT partition and determine the compression format of boot.img.
Manufacturers define the position of the BOOT partition differently, mainly to protect the operating system from malicious modification. In embodiments of the present invention, the position of the BOOT partition and the compression format of boot.img for mobile terminals with different model information can be obtained by adaptation and saved in a database.
When the position of the BOOT partition and the compression format of boot.img are needed for a mobile terminal, they only need to be looked up in the database by model information.
For finding the position of the BOOT partition, take Google's Nexus Android phone as an example. A Nexus-series phone enumerates devices at system startup, finds the device corresponding to the BOOT partition, and creates a symbolic link named "BOOT" in the /dev/blocks directory of the in-memory file system; enumerating the /dev/blocks directory is enough to obtain the device corresponding to the boot partition.
As for the format of boot.img, again taking Google's Nexus Android phone as an example, the format of its boot.img file can be found in the Android source code, and parsing according to that format is sufficient. Some other manufacturers use custom formats, which require adaptation.
Step S304-3: read boot.img from the position of the BOOT partition obtained in step S304-2, and decompress it according to its compression format to obtain the system files.
Obtaining the system files means obtaining the kernel and the initramdisk. Once the format of boot.img has been determined in step S304-2, the initramdisk can be read by decompression.
Still taking Google's Nexus Android phone as the example for step S304-3: its initramdisk is first packed in cpio format and then compressed in gzip format. The program only needs to decompress according to the gzip format and then unpack according to the cpio format to obtain all the files inside, after which the removal operations of the following steps can proceed.
Other phones may use compression formats such as XZ, LZMA or LZO; the compression format must be identified first, and decompression is then performed according to the corresponding format.
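Step S304-3 as described above (identify the compression format, decompress, then unpack the cpio archive) can be demonstrated on a ramdisk built in memory. This is an added example, not code from the patent: the sample file names and contents are constructed, the comparison against a known-good baseline of hashes is a hypothetical check added for illustration, and LZO is detected but not decompressed because the Python standard library has no LZO codec.

```python
import gzip
import hashlib
import lzma

# Magic bytes of the ramdisk compression formats the text lists.
MAGICS = [
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzo"),   # lzop container
    (b"\x5d\x00\x00", "lzma"),            # legacy .lzma with default properties
]


def detect_compression(blob):
    """Identify the compression format from the leading magic bytes."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    if blob.startswith(b"070701"):
        return "none"                     # already a raw cpio archive
    raise ValueError("unrecognised ramdisk compression")


def decompress_ramdisk(blob):
    fmt = detect_compression(blob)
    if fmt == "gzip":
        return gzip.decompress(blob)
    if fmt == "xz":
        return lzma.decompress(blob, format=lzma.FORMAT_XZ)
    if fmt == "lzma":
        return lzma.decompress(blob, format=lzma.FORMAT_ALONE)
    if fmt == "none":
        return blob
    raise NotImplementedError("lzo needs a third-party decompressor")


def _align4(offset):
    return (offset + 3) & ~3


def parse_cpio_newc(archive):
    """Return [(name, mode, data)] for every entry of a 'newc' cpio archive."""
    entries, pos = [], 0
    while True:
        header = archive[pos:pos + 110]
        if len(header) < 110 or header[:6] not in (b"070701", b"070702"):
            raise ValueError(f"bad cpio header at offset {pos}")
        # 13 fields of 8 hex digits follow the 6-byte magic.
        fields = [int(header[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = pos + 110
        name = archive[name_start:name_start + namesize - 1].decode()
        data_start = _align4(name_start + namesize)
        data = archive[data_start:data_start + filesize]
        if len(data) != filesize:
            raise ValueError(f"truncated entry {name!r}")
        if name == "TRAILER!!!":
            return entries
        entries.append((name, mode, data))
        pos = _align4(data_start + filesize)


def _cpio_entry(name, data, mode):
    """Encode one newc entry (used only to build the constructed sample)."""
    name_b = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + name_b
    out += b"\0" * (-len(out) % 4)
    out += data
    return out + b"\0" * (-len(out) % 4)


def build_sample_ramdisk():
    """Constructed sample: a tiny gzip-compressed cpio ramdisk."""
    files = [
        ("init.rc", b"service example /sbin/example_service\n", 0o100644),
        ("sbin/example_service", b"\x7fELF constructed placeholder", 0o100755),
    ]
    cpio = b"".join(_cpio_entry(n, d, m) for n, d, m in files)
    return gzip.compress(cpio + _cpio_entry("TRAILER!!!", b"", 0))


def inventory(ramdisk_blob):
    """Unpack a compressed ramdisk into {name: (permission bits, sha256)}."""
    cpio = decompress_ramdisk(ramdisk_blob)
    return {name: (oct(mode & 0o7777), hashlib.sha256(data).hexdigest())
            for name, mode, data in parse_cpio_newc(cpio)}


def unexpected_files(ramdisk_blob, baseline):
    """Names whose hash is missing from, or differs from, a known-good baseline."""
    found = inventory(ramdisk_blob)
    return sorted(n for n, (_, digest) in found.items() if baseline.get(n) != digest)


if __name__ == "__main__":
    for name, (perm, digest) in inventory(build_sample_ramdisk()).items():
        print(perm, digest[:16], name)
```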
Step S304-4: delete the malicious application from the operating system files of the mobile terminal.
Step S304-5: flash the operating system files, with the malicious application deleted, back to the mobile terminal.
Flashing the operating system files back to the mobile terminal means flashing them back into the BOOT partition of the mobile terminal.
It should be noted that, to prevent the system files in the BOOT partition from being modified, manufacturers generally also store a checksum for boot.img in the BOOT partition. When the operating system starts, a checksum is first calculated over boot.img and compared with the pre-stored checksum; if they differ, the operating system will not start.
Therefore, the method provided by this embodiment also includes the following operation:
Obtain the checksum algorithm for boot.img according to the model information of the mobile terminal, recalculate the checksum of the new boot.img using that algorithm, replace the checksum stored before reflashing, and write the new checksum into the BOOT partition together with boot.img.
The checksum algorithm can be MD5 (Message Digest Algorithm 5), SHA (Secure Hash Algorithm), the RSA algorithm, and so on.
Figure 10 shows the effect during reflashing of the system, and Figure 11 shows the effect after the malicious program has been removed by reflashing the system partition.
Besides reflashing the BOOT partition, malicious programs can also be removed in the following way:
The executable file generated from the file that has malicious-program features is set to a readable state.
Specifically, when flashing, for phones that support Fastboot, the Fastboot flashing tool can be used to reflash the phone's BOOT partition.
Fastboot is a low-level flashing mode provided for Android phones.
Some phones do not support flashing via Fastboot, and a flashing tool must be invoked to complete the flashing. The flashing tool works as follows:
The compressed boot.img file is sent into the phone's memory and written into the BOOT partition by the function in the phone's operating system that is responsible for writing system files, overwriting the files in the original BOOT partition.
The ways of rewriting the boot.img file into the BOOT partition are described as follows:
(1) For phones that support Fastboot, the bootloader program on the phone (the boot program that runs before the operating system kernel) contains a Fastboot server, and Fastboot performs flashing operations by communicating with this server. Fastboot sends a flashing instruction that specifies the partition to flash (for example BOOT) together with a complete disk image for that partition, which is transferred to the mobile terminal. Once the Fastboot server has received the disk image (for example boot.img), it completely overwrites the data of the corresponding partition with that image.
(2) For phones that do not support Fastboot, a custom flashing tool must be implemented to write the disk image to the target disk partition: first find the disk device corresponding to the boot partition, then copy the data in the disk image over block by block, overwriting the data on the target disk.
In the implementation of the third instruction:
The malicious application is removed by immunization.
This approach specifically comprises:
Sending to the mobile terminal removal code to be injected into a designated program on the mobile terminal;
The designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts and terminates the process of the malicious application.
The embodiment of the present invention provides a method for removing malicious applications. When the mobile terminal is locked, a connection is established between the mobile terminal and a PC terminal, and the PC terminal scans the mobile terminal for malicious applications. When a malicious application exists on the mobile terminal, the PC terminal removes it by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application on it cannot be removed because the mobile terminal cannot be operated.
Embodiment four
Figure 12 is a structural block diagram of a PC terminal for removing malicious applications provided by one embodiment of the present invention. The PC terminal 1200 comprises:
A first connection establishment module 1210, adapted to connect the PC terminal 1200 and the mobile terminal;
A scan module 1220, adapted to scan, through the PC terminal 1200, whether a malicious application exists on the mobile terminal;
A removal module 1230, adapted to remove the malicious application, when one exists on the mobile terminal, by sending a control instruction to the mobile terminal.
Optionally, the scan module 1220 comprises:
A file feature acquisition unit 1221, adapted to use the PC terminal 1200 to obtain the file features of the files to be scanned on the mobile terminal;
A file feature upload unit 1222, adapted to use the network capability of the PC terminal 1200 to send the file features to the cloud scanning server for malicious-application feature scanning;
A result output unit 1223, adapted to receive and output the scan result returned by the cloud scanning server and to send the scan result to the mobile terminal.
Optionally, the removal module 1230 is adapted to remove the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending to the mobile terminal an instruction to delete files under a specified path on the mobile terminal;
The specified path is the storage path of the malicious application.
Optionally, the removal module 1230 is adapted to remove the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending to the mobile terminal an instruction to inject removal code into a designated program;
The designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts and terminates the process of the malicious application.
Optionally, the removal module 1230 is adapted to remove the malicious application by sending a control instruction to the mobile terminal in the following manner:
Sending a flashing instruction to the mobile terminal and removing the malicious application by reflashing.
Optionally, the removal module 1230 comprises:
A locating unit 1231, adapted to locate the BOOT partition of the mobile terminal;
A reading unit 1232, adapted to read the boot.img file in the BOOT partition;
A clearing unit 1233, adapted to decompress the boot.img file and remove the malicious application in it;
An overwriting unit 1234, adapted to compress the boot.img file from which the malicious application has been removed and to overwrite the BOOT partition of the mobile terminal with it.
Optionally, the PC terminal 1200 also comprises:
A permission acquisition module 1240, adapted to obtain ROOT permission on the mobile terminal before the malicious application is removed by sending a control instruction to the mobile terminal.
The embodiment of the present invention provides a PC terminal for removing malicious applications. When the mobile terminal is locked, the PC terminal establishes a connection with the mobile terminal and scans it for malicious applications. When a malicious application exists on the mobile terminal, the PC terminal removes it by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application on it cannot be removed because the mobile terminal cannot be operated.
Embodiment five
Figure 13 is a structural block diagram of a mobile terminal for removing malicious applications provided by one embodiment of the present invention. The mobile terminal 1300 comprises:
A second connection establishment module 1310, adapted to connect the mobile terminal 1300 and the PC terminal;
An instruction receiving module 1320, adapted to receive the control instruction sent by the PC terminal;
The control instruction is used to complete the removal of the malicious application.
Optionally, the mobile terminal 1300 also comprises:
A file feature calculation module 1330, adapted to calculate the file features of the local files to be scanned before the control instruction sent by the PC terminal is received;
A file feature sending module 1340, adapted to send the file features to the PC terminal;
The file features are uploaded by the PC terminal, using its network capability, to the cloud scanning server, which uses them for malicious-application feature scanning.
Optionally, the instruction receiving module 1320 is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving an instruction, sent by the PC terminal, to delete files under a specified path;
The specified path is the storage path of the malicious application on the mobile terminal 1300.
Optionally, the instruction receiving module 1320 is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving an instruction, sent by the PC terminal, to inject removal code into a designated program;
The designated program has a higher startup priority than the malicious application;
The removal code is loaded when the designated program starts and terminates the process of the malicious application.
Optionally, the instruction receiving module 1320 is adapted to receive the control instruction sent by the PC terminal in the following manner:
Receiving a flashing instruction sent by the PC terminal and removing the malicious application by reflashing.
Optionally, the instruction receiving module 1320 comprises:
An instruction receiving unit 1321, adapted to receive an instruction, sent by the PC terminal, to read the boot.img file in the BOOT partition;
A file sending unit 1322, adapted to send the boot.img file to the PC terminal;
A file overwriting unit 1323, adapted to receive from the PC terminal the boot.img file from which the malicious application has been removed, and to overwrite the BOOT partition with it.
The embodiment of the present invention provides a mobile terminal for removing malicious applications. When the mobile terminal is locked, it establishes a connection with a PC terminal, and the PC terminal scans the mobile terminal for malicious applications. When a malicious application exists on the mobile terminal, the PC terminal removes it by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application on it cannot be removed because the mobile terminal cannot be operated.
Embodiment six
As shown in Figure 14, the embodiment of the present invention provides a system for removing malicious applications, comprising:
The PC terminal 1200 described in embodiment four and the mobile terminal 1300 described in embodiment five.
The embodiment of the present invention provides a system for removing malicious applications. When the mobile terminal is locked, a connection is established between the mobile terminal and the PC terminal, and the PC terminal scans the mobile terminal for malicious applications. When a malicious application exists on the mobile terminal, the PC terminal removes it by sending a control instruction to the mobile terminal. This solves the problem that, when the mobile terminal is locked, the malicious application on it cannot be removed because the mobile terminal cannot be operated.
Numerous specific details are set forth in the description provided here. It will be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure, however, should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all the features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and placed in one or more devices different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described here include certain features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination of these. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the device for removing malicious applications according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such a signal can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words can be interpreted as names.
Thus, those skilled in the art will recognize that, although multiple exemplary embodiments of the present invention have been shown and described in detail here, many other variations or modifications consistent with the principles of the invention can still be determined or derived directly from the content disclosed here without departing from the spirit and scope of the invention. The scope of the present invention should therefore be understood and deemed to cover all such other variations or modifications.
An embodiment of the present invention provides A1. A method for checking and killing a malicious application, applied to a PC terminal, comprising: when a mobile terminal is locked, connecting the PC terminal and the mobile terminal; scanning, by the PC terminal, whether a malicious application exists in the mobile terminal; and when a malicious application exists in the mobile terminal, completing removal of the malicious application by sending a control instruction to the mobile terminal.
A2. The method according to A1, wherein scanning, by the PC terminal, whether a malicious application exists in the mobile terminal comprises: using the PC terminal to obtain the file features of the files to be scanned in the mobile terminal; using the network capability of the PC terminal to send the file features to a cloud checking and killing server for malicious application feature scanning; and receiving and outputting the scan result returned by the cloud checking and killing server, and sending the scan result to the mobile terminal.
A3. The method according to A1, wherein completing removal of the malicious application by sending a control instruction to the mobile terminal comprises: sending, to the mobile terminal, an instruction to delete the files under a specified path in the mobile terminal; wherein the specified path is the storage path of the malicious application.
A4. The method according to A1, wherein completing removal of the malicious application by sending a control instruction to the mobile terminal comprises: sending, to the mobile terminal, an instruction to inject killing code into a designated program; wherein the designated program has a higher startup priority than the malicious application; and the killing code is loaded when the designated program starts and closes the process of the malicious application.
A5. The method according to A1, wherein completing removal of the malicious application by sending a control instruction to the mobile terminal comprises: sending a flashing instruction to the mobile terminal, and completing removal of the malicious application by flashing.
A6. The method according to A5, wherein sending a flashing instruction to the mobile terminal and completing removal of the malicious application by flashing comprises: locating the BOOT partition of the mobile terminal; reading the boot.img file in the BOOT partition; decompressing the boot.img file and removing the malicious application from it; and compressing the boot.img file from which the malicious application has been removed, and overwriting the BOOT partition of the mobile terminal with it.
A7. The method according to any one of A1 to A6, wherein, before removal of the malicious application is completed by sending a control instruction to the mobile terminal, the method further comprises: obtaining ROOT privileges on the mobile terminal.
An embodiment of the present invention provides B8. A method for checking and killing a malicious application, applied to a mobile terminal, comprising: connecting the mobile terminal and a PC terminal; and receiving a control instruction sent by the PC terminal; wherein the control instruction is used to complete removal of the malicious application.
B9. The method according to B8, wherein, before the control instruction sent by the PC terminal is received, the method further comprises: calculating the file features of the local files to be scanned; and sending the file features to the PC terminal; wherein the file features are uploaded by the PC terminal, through its own network capability, to a cloud checking and killing server, so that the cloud checking and killing server can perform malicious application feature scanning.
B10. The method according to B8, wherein receiving the control instruction sent by the PC terminal comprises: receiving an instruction, sent by the PC terminal, to delete the files under a specified path; wherein the specified path is the storage path of the malicious application in the mobile terminal.
B11. The method according to B8, wherein receiving the control instruction sent by the PC terminal comprises: receiving an instruction, sent by the PC terminal, to inject killing code into a designated program; wherein the designated program has a higher startup priority than the malicious application; and the killing code is loaded when the designated program starts and closes the process of the malicious application.
B12. The method according to B8, wherein receiving the control instruction sent by the PC terminal comprises: receiving a flashing instruction sent by the PC terminal, and completing removal of the malicious application by flashing.
B13. The method according to B12, wherein receiving the flashing instruction sent by the PC terminal comprises: receiving an instruction, sent by the PC terminal, to read the boot.img file in the BOOT partition; sending the boot.img file to the PC terminal; and receiving the boot.img file, sent by the PC terminal, from which the malicious application has been removed, and overwriting the BOOT partition with it.
An embodiment of the present invention provides C14. A PC terminal for checking and killing a malicious application, comprising: a first connection establishment module, adapted to connect the PC terminal and a mobile terminal; a scanning module, adapted to scan, by the PC terminal, whether a malicious application exists in the mobile terminal; and a removal module, adapted to, when a malicious application exists in the mobile terminal, complete removal of the malicious application by sending a control instruction to the mobile terminal.
C15. The PC terminal according to C14, wherein the scanning module comprises: a file feature acquisition unit, adapted to use the PC terminal to obtain the file features of the files to be scanned in the mobile terminal; a file feature upload unit, adapted to use the network capability of the PC terminal to send the file features to a cloud checking and killing server for malicious application feature scanning; and a result output unit, adapted to receive and output the scan result returned by the cloud checking and killing server, and to send the scan result to the mobile terminal.
C16. The PC terminal according to C14, wherein the removal module is adapted to complete removal of the malicious application by sending a control instruction to the mobile terminal in the following manner: sending, to the mobile terminal, an instruction to delete the files under a specified path in the mobile terminal; wherein the specified path is the storage path of the malicious application.
C17. The PC terminal according to C14, wherein the removal module is adapted to complete removal of the malicious application by sending a control instruction to the mobile terminal in the following manner: sending, to the mobile terminal, an instruction to inject killing code into a designated program; wherein the designated program has a higher startup priority than the malicious application; and the killing code is loaded when the designated program starts and closes the process of the malicious application.
C18. The PC terminal according to C14, wherein the removal module is adapted to complete removal of the malicious application by sending a control instruction to the mobile terminal in the following manner: sending a flashing instruction to the mobile terminal, and completing removal of the malicious application by flashing.
C19. The PC terminal according to C18, wherein the removal module comprises: a locating unit, adapted to locate the BOOT partition of the mobile terminal; a reading unit, adapted to read the boot.img file in the BOOT partition; a removal unit, adapted to decompress the boot.img file and remove the malicious application from it; and an overwriting unit, adapted to compress the boot.img file from which the malicious application has been removed, and to overwrite the BOOT partition of the mobile terminal with it.
C20. The PC terminal according to any one of C14 to C19, wherein the PC terminal further comprises: a privilege acquisition module, adapted to obtain ROOT privileges on the mobile terminal before removal of the malicious application is completed by sending a control instruction to the mobile terminal.
An embodiment of the present invention provides D21. A mobile terminal for checking and killing a malicious application, comprising: a second connection establishment module, adapted to connect the mobile terminal and a PC terminal; and an instruction receiving module, adapted to receive a control instruction sent by the PC terminal; wherein the control instruction is used to complete removal of the malicious application.
D22. The mobile terminal according to D21, wherein the mobile terminal further comprises: a file feature calculation module, adapted to calculate the file features of the local files to be scanned before the control instruction sent by the PC terminal is received; and a file feature sending module, adapted to send the file features to the PC terminal; wherein the file features are uploaded by the PC terminal, through its network capability, to a cloud checking and killing server, so that the cloud checking and killing server can perform malicious application feature scanning.
D23. The mobile terminal according to D21, wherein the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner: receiving an instruction, sent by the PC terminal, to delete the files under a specified path; wherein the specified path is the storage path of the malicious application in the mobile terminal.
D24. The mobile terminal according to D21, wherein the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner: receiving an instruction, sent by the PC terminal, to inject killing code into a designated program; wherein the designated program has a higher startup priority than the malicious application; and the killing code is loaded when the designated program starts and closes the process of the malicious application.
D25. The mobile terminal according to D21, wherein the instruction receiving module is adapted to receive the control instruction sent by the PC terminal in the following manner: receiving a flashing instruction sent by the PC terminal, and completing removal of the malicious application by flashing.
D26. The mobile terminal according to D25, wherein the instruction receiving module comprises: an instruction receiving unit, adapted to receive an instruction, sent by the PC terminal, to read the boot.img file in the BOOT partition; a file sending unit, adapted to send the boot.img file to the PC terminal; and a file overwriting unit, adapted to receive the boot.img file, sent by the PC terminal, from which the malicious application has been removed, and to overwrite the BOOT partition with it.
An embodiment of the present invention provides E27. A system for checking and killing a malicious application, comprising: the PC terminal according to any one of C14 to C20 and the mobile terminal according to any one of D21 to D26.
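The boot.img step in embodiments A6 and C19 (read boot.img, decompress it, remove the flagged file, recompress) can be illustrated on the PC side as follows. This is an added example, not code from the patent; it assumes the legacy Android boot image header (version 0) with a gzip-compressed "newc" cpio ramdisk, and the sample image and all file names in it are constructed.

```python
import gzip
import struct

BOOT_MAGIC = b"ANDROID!"
# Assumed legacy (v0) header prefix: magic, kernel size/addr, ramdisk size/addr,
# second-stage size/addr, tags addr, page size (little-endian uint32 fields).
HDR = struct.Struct("<8s8I")
TRAILER = "TRAILER!!!"

def _pad(n, align):
    return (-n) % align

def extract_ramdisk(boot):
    """Return the compressed ramdisk stored after the page-aligned kernel."""
    if len(boot) < HDR.size:
        raise ValueError("image shorter than header")
    magic, ksize, _, rsize, _, _, _, _, page = HDR.unpack_from(boot)
    if magic != BOOT_MAGIC or page == 0:
        raise ValueError("not an Android boot image")
    start = page + ksize + _pad(ksize, page)  # header occupies the first page
    ramdisk = boot[start:start + rsize]
    if len(ramdisk) != rsize:
        raise ValueError("truncated ramdisk")
    return ramdisk

def cpio_members(archive):
    """Yield (name, raw_entry) for each newc member, trailer included."""
    off = 0
    while off + 110 <= len(archive):
        if archive[off:off + 6] != b"070701":
            raise ValueError("bad cpio magic at offset %d" % off)
        fields = [int(archive[off + 6 + 8 * i:off + 14 + 8 * i], 16)
                  for i in range(13)]
        size, namesize = fields[6], fields[11]
        name = archive[off + 110:off + 110 + namesize - 1].decode()
        data = off + 110 + namesize
        data += _pad(data, 4)          # name is padded to a 4-byte boundary
        end = data + size
        end += _pad(end, 4)            # so is the file data
        yield name, archive[off:end]
        if name == TRAILER:
            return
        off = end

def ramdisk_names(ramdisk_gz):
    """List member names of a gzip-compressed cpio ramdisk."""
    return [n for n, _ in cpio_members(gzip.decompress(ramdisk_gz)) if n != TRAILER]

def clean_ramdisk(boot, flagged):
    """Drop flagged members; return (removed_names, recompressed ramdisk)."""
    removed, kept = [], []
    for name, raw in cpio_members(gzip.decompress(extract_ramdisk(boot))):
        if name in flagged:
            removed.append(name)
        else:
            kept.append(raw)  # raw bytes keep the original mode/uid/gid fields
    return removed, gzip.compress(b"".join(kept))

def _entry(name, data, mode=0o100644):
    """Serialise one newc member (only used to build the constructed sample)."""
    nm = name.encode() + b"\0"
    fields = [0, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0]
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + nm
    out += b"\0" * _pad(len(out), 4)
    return out + data + b"\0" * _pad(len(data), 4)

def build_sample(page=2048):
    """Constructed boot image: dummy kernel plus a three-member ramdisk."""
    cpio = (_entry("init.rc", b"service demo /sbin/demo\n")
            + _entry("sbin/demo", b"constructed-binary", 0o100755)
            + _entry("sbin/unexpected_helper", b"constructed")
            + _entry(TRAILER, b"", 0))
    ramdisk, kernel = gzip.compress(cpio), b"K" * 3000
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    return (hdr + b"\0" * _pad(len(hdr), page)
            + kernel + b"\0" * _pad(len(kernel), page) + ramdisk)
```

Writing the cleaned ramdisk back into a bootable image additionally requires updating the header's ramdisk size and the page padding, which this block does not do.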

Claims (10)

1. A method for checking and killing a malicious application, applied to a PC terminal, comprising:
when a mobile terminal is locked, connecting the PC terminal and the mobile terminal;
scanning, by the PC terminal, whether a malicious application exists in the mobile terminal;
when a malicious application exists in the mobile terminal, completing removal of the malicious application by sending a control instruction to the mobile terminal.
2. The method according to claim 1, wherein scanning, by the PC terminal, whether a malicious application exists in the mobile terminal comprises:
using the PC terminal to obtain the file features of the files to be scanned in the mobile terminal;
using the network capability of the PC terminal to send the file features to a cloud checking and killing server for malicious application feature scanning;
receiving and outputting the scan result returned by the cloud checking and killing server, and sending the scan result to the mobile terminal.
3. The method according to claim 1, wherein completing removal of the malicious application by sending a control instruction to the mobile terminal comprises:
sending, to the mobile terminal, an instruction to delete the files under a specified path in the mobile terminal;
wherein the specified path is the storage path of the malicious application.
4. A method for checking and killing a malicious application, applied to a mobile terminal, comprising:
connecting the mobile terminal and a PC terminal;
receiving a control instruction sent by the PC terminal;
wherein the control instruction is used to complete removal of the malicious application.
5. The method according to claim 4, wherein, before the control instruction sent by the PC terminal is received, the method further comprises:
calculating the file features of the local files to be scanned;
sending the file features to the PC terminal;
wherein the file features are uploaded by the PC terminal, through its own network capability, to a cloud checking and killing server, so that the cloud checking and killing server can perform malicious application feature scanning.
6. The method according to claim 4, wherein receiving the control instruction sent by the PC terminal comprises:
receiving an instruction, sent by the PC terminal, to delete the files under a specified path;
wherein the specified path is the storage path of the malicious application in the mobile terminal.
7. A PC terminal for checking and killing a malicious application, comprising:
a first connection establishment module, adapted to connect the PC terminal and a mobile terminal;
a scanning module, adapted to scan, by the PC terminal, whether a malicious application exists in the mobile terminal;
a removal module, adapted to, when a malicious application exists in the mobile terminal, complete removal of the malicious application by sending a control instruction to the mobile terminal.
8. The PC terminal according to claim 7, wherein the scanning module comprises:
a file feature acquisition unit, adapted to use the PC terminal to obtain the file features of the files to be scanned in the mobile terminal;
a file feature upload unit, adapted to use the network capability of the PC terminal to send the file features to a cloud checking and killing server for malicious application feature scanning;
a result output unit, adapted to receive and output the scan result returned by the cloud checking and killing server, and to send the scan result to the mobile terminal.
9. A mobile terminal for checking and killing a malicious application, comprising:
a second connection establishment module, adapted to connect the mobile terminal and a PC terminal;
an instruction receiving module, adapted to receive a control instruction sent by the PC terminal;
wherein the control instruction is used to complete removal of the malicious application.
10. A system for checking and killing a malicious application, comprising: the PC terminal according to any one of claims 7 to 8 and the mobile terminal according to claim 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410784826.1A CN104462969A (en) 2014-12-16 2014-12-16 Method, device and system for checking and killing malicious application programs

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410784826.1A CN104462969A (en) 2014-12-16 2014-12-16 Method, device and system for checking and killing malicious application programs

Publications (1)

Publication Number Publication Date
CN104462969A true CN104462969A (en) 2015-03-25

Family

ID=52908994

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410784826.1A Pending CN104462969A (en) 2014-12-16 2014-12-16 Method, device and system for checking and killing malicious application programs

Country Status (1)

Country Link
CN (1) CN104462969A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20150325