CN109062667B - Simulator identification method, simulator identification equipment and computer readable medium - Google Patents

Simulator identification method, simulator identification equipment and computer readable medium Download PDF

Info

Publication number
CN109062667B
CN109062667B CN201810855586.8A CN201810855586A CN109062667B CN 109062667 B CN109062667 B CN 109062667B CN 201810855586 A CN201810855586 A CN 201810855586A CN 109062667 B CN109062667 B CN 109062667B
Authority
CN
China
Prior art keywords
router
preset
target terminal
name
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810855586.8A
Other languages
Chinese (zh)
Other versions
CN109062667A (en
Inventor
李骁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Technology Shenzhen Co Ltd
Original Assignee
Ping An Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Technology Shenzhen Co Ltd filed Critical Ping An Technology Shenzhen Co Ltd
Priority to CN201810855586.8A priority Critical patent/CN109062667B/en
Priority to PCT/CN2018/107748 priority patent/WO2020019485A1/en
Publication of CN109062667A publication Critical patent/CN109062667A/en
Application granted granted Critical
Publication of CN109062667B publication Critical patent/CN109062667B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508Runtime interpretation or emulation, e g. emulator loops, bytecode interpretation
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101Access control lists [ACL]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00Reducing energy consumption in communication networks
    • Y02D30/70Reducing energy consumption in communication networks in wireless communication networks

Abstract

The embodiment of the invention discloses a simulator identification method, a simulator identification device and a computer readable medium, wherein the method comprises the following steps: acquiring router information of a Wi-Fi hotspot connected with a target terminal, wherein the router information comprises a name and an MAC address of a router; detecting whether the name of the router is the same as the name of the router in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist; and when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal operates in a simulator environment. By adopting the embodiment of the invention, the accuracy of simulator identification is improved.

Description

Simulator identification method, simulator identification equipment and computer readable medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a simulator identification method, a simulator identification device, and a computer readable medium.
Background
The Android simulator can simulate the running environment of the Android system on various platforms such as Windows and Linux, and a user can run the application of the Android system on the Android simulator in a terminal such as a personal computer. When the Android system application is used, for some services, such as a service needing risk monitoring, it is not desirable to be operated on a simulator, and therefore it is necessary to identify whether the terminal is operated in an Android simulator environment. However, the existing risk identification equipment has limited identification capability on the Android simulator, and cannot effectively identify whether the terminal operates in the simulator environment.
Disclosure of Invention
The embodiment of the invention provides a simulator identification method, a simulator identification device and a computer readable medium, which are beneficial to improving the accuracy of simulator identification.
In a first aspect, an embodiment of the present invention provides a simulator identification method, including:
acquiring router information of a wireless fidelity Wi-Fi hotspot connected with a target terminal, wherein the router information comprises a name of a router and a Media Access Control (MAC) address;
detecting whether the name of the router is the same as the name of the router in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist;
and when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal operates in a simulator environment.
Optionally, before the determining that the target terminal operates in the simulator environment, the method further includes:
obtaining model information of the target terminal, wherein the model information comprises the model and/or the brand of the target terminal;
detecting whether the model information is the same as terminal model information in a preset third blacklist, wherein the third blacklist comprises at least one group of terminal model information;
determining that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the set of MAC addresses, including:
and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as that of any group of terminal machines in the third blacklist, determining that the target terminal operates in a simulator environment.
Optionally, before the determining that the target terminal operates in the simulator environment, the method further includes:
acquiring a manufacturer identification of a Central Processing Unit (CPU) of the target terminal;
detecting whether the manufacturer identification of the CPU is the same as the manufacturer identification in a preset white list or not;
determining that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the set of MAC addresses, including:
and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identification of the CPU is different from all manufacturer identifications in the whitelist, determining that the target terminal operates in a simulator environment.
Optionally, before the determining that the target terminal operates in the simulator environment, the method further includes:
detecting whether the equipment information of the target terminal meets a preset rule or not, wherein the step of detecting whether the equipment information of the target terminal meets the preset rule comprises the following steps:
a preset module is not configured in the target terminal, and the preset module comprises one or more of a Bluetooth module, a temperature sensor and a light sensor; and/or the presence of a gas in the gas,
the memory space value of the target terminal is smaller than a preset memory threshold value; and/or the presence of a gas in the gas,
the first number of the applications installed by the target terminal is smaller than a preset first number threshold; and/or the presence of a gas in the gas,
the second number of the files stored by the target terminal is smaller than a preset second number threshold; and/or the presence of a gas in the gas,
the network system used by the target terminal is different from all network systems in a preset network system list; and/or the presence of a gas in the gas,
a system file with a preset path and a preset name exists in a system of the target terminal; and/or the presence of a gas in the gas,
the running state of the target terminal is a root state;
determining that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the set of MAC addresses, including:
and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the equipment information of the target terminal meets the preset rule, determining that the target terminal operates in a simulator environment.
Optionally, before the detecting whether the name of the router is the same as a router name in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist, the method further includes:
acquiring a flag value of a target function corresponding to the router information, and determining whether the target function is hook according to the flag value;
when the target function is confirmed to be hook, acquiring a target function pointer corresponding to the target function from a memory of the target function;
determining an original function corresponding to the target function pointer according to the corresponding relation between each function pointer and the function stored in advance, and determining original router information according to the original function;
the detecting whether the name of the router is the same as the name of the router in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist includes:
and detecting whether the name of the router included in the original router information is the same as the name of the router in a preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in a preset second blacklist.
Optionally, the determining whether the target function is hook according to the flag value includes:
comparing characters at preset positions in the flag value with preset fixed characters, wherein the number of the characters at the preset positions is the same as that of the fixed characters;
and when the character at the preset position is different from the fixed character obtained by comparison, determining that the target function is hook.
Optionally, the determining whether the target function is hook according to the flag value includes:
performing logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in a system is executed;
and when the operation result value is a positive integer, determining that the target function is hook.
In a second aspect, an embodiment of the present invention provides an identification device, which includes a unit configured to perform the method of the first aspect.
In a third aspect, an embodiment of the present invention provides another identification device, which includes a processor, a user interface, a communication interface, and a memory, where the processor, the user interface, the communication interface, and the memory are connected to each other, where the memory is used to store a computer program that supports the identification device to execute the above method, and the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium, in which a computer program is stored, the computer program comprising program instructions, which, when executed by a processor, cause the processor to perform the method of the first aspect.
The embodiment of the invention can determine that the terminal runs in the simulator environment by acquiring the router information of the Wi-Fi hotspot connected with the terminal, detecting and analyzing the router information such as the name and the MAC address of the router, and when the router name is detected to be the same as the name of any router in the preset blacklist and the MAC address is in the preset MAC address set. The embodiment of the invention can identify the simulator according to the router information of the Wi-Fi hot spot, thereby being beneficial to improving the identification accuracy of the simulator.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a flow chart illustrating a simulator identification method according to an embodiment of the present invention;
FIG. 2 is a schematic flow chart of another simulator identification method according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an identification device according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of another identification device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The technical scheme of the application can be applied to an identification device, and the identification device can include various terminals, servers, or risk identification products (devices) connected with the terminals, and the like, and is used for identifying simulator behaviors in the terminals (for short, "simulator identification") so as to identify whether the terminals (or applications in the terminals, such as applications in which SDKs are embedded) run in a simulator environment or identify whether the terminals log in by using the simulators. In the present application, a simulator may refer to an Android simulator or other simulators. The terminal related to the application can be a mobile phone, a computer, a tablet, a personal computer, an intelligent watch and the like, and the application is not limited.
Specifically, the simulator can be identified by acquiring various device information of the terminal, such as one or more of connected Wi-Fi hotspot information, model information, CPU manufacturer information, module configuration information, memory space information, the number of installed applications, the number of stored files, a used network system, system file abnormal information, running state and the like, so that the identification accuracy of the simulator can be improved. The details are described below.
Referring to fig. 1, fig. 1 is a schematic flowchart illustrating a simulator identification method according to an embodiment of the present invention. Specifically, as shown in fig. 1, the simulator identification method may include the following steps:
101. and acquiring the router information of the Wi-Fi hotspot connected with the target terminal, wherein the router information comprises the name and the MAC address of the router.
The target terminal may refer to any terminal that needs to be identified by the simulator, such as a terminal connected to a risk identification product, or a terminal in a specific wind control scene, or a terminal that triggers (for example, through a preset key or a gesture or a preset other triggering manner) the simulator identification, and the like, which is not limited in the present application. The wind control scene may include a login scene, a transaction scene, an APP offer field scene, and the like.
Specifically, when simulator identification needs to be performed on a certain terminal, the identification device may obtain router information of a Wi-Fi hotspot connected to the terminal, such as a name of a router and a MAC address thereof, so as to determine whether the terminal operates in a simulator environment according to the name and the MAC address of the router.
102. And detecting whether the name of the router is the same as the name of the router in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist.
Wherein the first blacklist includes one or more router names, and the one or more router names may be names of routers of Wi-Fi connected by terminals identified as simulators in the history data (i.e. identified as terminals running in a simulator environment); the second blacklist may include one or more sets of MAC addresses of routers to which the terminals identified in the history as simulators are connected and/or one or more MAC addresses counted from the MAC addresses of routers to which the terminals identified in the history as simulators are connected. Optionally, the first blacklist and the second blacklist may be the same (i.e. each router name and MAC address set may be configured in one blacklist), or may be different (i.e. configured separately). Detecting whether the MAC address is in the MAC address set in the preset second blacklist may also be referred to as detecting whether the MAC address is the same as the MAC address in the MAC address set in the preset second blacklist; accordingly, a MAC address being in a set of MAC addresses may mean that the MAC address is the same as any MAC address in the set of MAC addresses.
Optionally, the first blacklist includes names with a larger statistical number of times among names of routers connected to terminals identified as simulators in the history data, such as top M (M is an integer greater than 0, for example, 10) names with the largest statistical number of times, or names with a statistical number greater than a preset number threshold (first threshold); the second blacklist includes MAC addresses with a larger number of statistics in the MAC addresses of routers connected to terminals identified as simulators in the history data, or a MAC address set composed of the MAC addresses, such as the first N (N is an integer greater than 0, for example, 50) MAC addresses with the largest number of statistics, or MAC addresses with a number of statistics greater than a preset number threshold (a second threshold), or a MAC address set determined by these MAC addresses, and so on, which is not limited in this application. The first threshold and the second threshold may be preset, and the first threshold and the second threshold may be the same, for example, both set to 80; alternatively, the two thresholds may be different, for example, the first threshold is 80 and the second threshold is 60, or vice versa, which is not described herein.
103. And when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal runs in a simulator environment.
Specifically, the identification device may match the name of the router corresponding to the target terminal with the name of the router in the first blacklist, and match the MAC address of the router corresponding to the target terminal with the MAC address or the MAC address set in the second blacklist. When the router name which is the same as the name of the router corresponding to the target terminal is obtained by matching in the first blacklist and the MAC address set where the MAC address of the router corresponding to the target terminal is obtained by matching in the second blacklist (or the MAC address which is the same as the MAC address of the router corresponding to the target terminal is obtained by matching), the target terminal can be identified as being operated in the simulator environment.
In the embodiment of the present invention, the identification device may determine that the target terminal operates in the simulator environment by acquiring the router information of the Wi-Fi hotspot connected to the terminal, and performing detection analysis on the router information, such as the name and the MAC address of the router, and when it is detected that the name of the router is the same as the name of any router in the preset blacklist and the MAC address is in the preset MAC address set. According to the embodiment of the invention, the simulator can be identified according to the router information of the Wi-Fi hotspot connected with the terminal, so that the simulator identification accuracy is improved.
Referring to fig. 2, fig. 2 is a schematic flow chart of another simulator identification method according to an embodiment of the present invention. Specifically, as shown in fig. 2, the simulator identification method may include the following steps:
201. and acquiring the router information of the Wi-Fi hotspot connected with the target terminal, wherein the router information comprises the name and the MAC address of the router.
Specifically, please refer to the description related to step 101 in the embodiment shown in fig. 1 for the description of step 201, which is not repeated herein.
Optionally, when performing simulator identification, the identification device may obtain a plurality of pieces of device information of the device bottom layer of the target terminal, for example, the device information may include one or more of the following items: router information (including router names (or Wi-Fi names) such as Wi-Fi Service Set Identifiers (SSIDs), router MAC addresses (or Wi-Fi MAC addresses) such as Wi-Fi Basic Service Set identifiers (Basic Service Set identifiers), etc.), model (model and/or brand), CPU manufacturer information, bluetooth information, sensor information, user usage trace information such as memory space values, network system used, android state (or referred to as running state, such as root state), system file exception information (such as whether there are system files of preset path and name), number of applications installed, number of files stored, packet name of access App, version number of App SDK, operating system type, operating system version, device Unique (UDID), whether jap has been out of prison (such as 1 representing an out of prison condition, 0 for not out of prison), latitude and longitude information, network type, whether a given App is installed (e.g., 1 for installed, 0 for uninstalled), arry trumpet installed, v8 plug-in installed, current timestamp (e.g., precision in milliseconds), advertisement Identifier, vendor Identifier, device model, hostname, number of CPU cores, CPU type, CPU subtype, screen resolution, total storage space, remaining storage space, time zone, language, charge, battery status, operator name, country ISO, boot time, keyboard list, did erase or tamper, did stored in localfile, did, whether a GPS switch is turned on (e.g., 0 for off, 1 for on), GPS authorization status, APP loaded dynamic link library list, etc., for simulator identification. Specifically, the identification device can perform simulator identification by acquiring a plurality of items of device information, so as to improve the reliability of identification. Moreover, the identification device can use part of the acquired device information items for simulator identification according to a preset simulator identification rule, so that an illegal person cannot determine which information is specifically used for simulator identification, which is helpful for preventing the occurrence of the situation that the simulator cannot be identified in time due to tampering of related device information after the illegal person knows a certain identification rule, namely preventing the identification rule from being cracked, and further improving the reliability of simulator identification.
202. And acquiring a flag value of a target function corresponding to the router information, and determining whether the target function is hook according to the flag value.
Optionally, before identifying whether the simulator is identified according to the device information, the identification device may detect whether the function corresponding to the device information is tampered, and obtain real device information in time when the function corresponding to the device information is detected to identify the simulator based on the real device information, thereby improving accuracy and reliability of simulator identification. In addition, optionally, the Android underlying source API can be adopted to collect the equipment information, so that the equipment information is not easy to tamper.
The flag value may be used to mark a state of the target function, where the state may be a state of whether the target function is tampered with, or may be a read-write state, a blocking and non-blocking state, a state of exiting a process or a program, and/or a state of changing contents of a file, and so on, so that whether the target function is hook can be determined according to the flag value. Specifically, each function has a corresponding flag, and the flag is a variable, and when a certain function is tampered, the flag corresponding to the function is changed. Therefore, the identification device can determine whether the function is hook by detecting whether the flag of the function is changed, namely whether the device information corresponding to the function is tampered. The flag value may be stored in a memory corresponding to the objective function. In the embodiment of the invention, if the name and the MAC address of the router correspond to the same function, the identification device can take the function as a target function to perform hook detection; if the name and the MAC address of the router correspond to different functions, the identification device may perform hook detection on the function corresponding to the name and the function corresponding to the MAC address of the router, respectively, that is, the function corresponding to the name and the function corresponding to the MAC address of the router are used as target functions, respectively, to restore the real device information.
Optionally, when determining whether the target function is hook according to the flag value, the identification device may compare a character at a preset position in the flag value with a preset fixed character; and when the character at the preset position is different from the fixed character through comparison, determining that the target function is hook. The number of characters at the preset position is the same as that of the fixed characters, so that matching and comparison are facilitated. That is, the flag value may be changed by one or more bits, and the one or more bits may be one or more bits at a predetermined position of the flag. Therefore, the identification device can compare one or more bits of the obtained flag value at the preset position with the fixed character when the identification device is not tampered, and if the one or more bits of the flag value are changed, namely the one or more bits of the flag value are different from the fixed character, the identification device indicates that the target function is tampered, namely the device information corresponding to the target function is tampered.
For example, for a system with Android versions above 4.4 and below 5.0, when some Xposed plug-ins hook a function, 1 bit (bit) at the fixed position of the flag value of the function is set to 1; while for a function that is normally not tampered with, this bit of the flag value is 0 (i.e., the fixed character described above). Therefore, it can be known whether the function is hook by the Xposed plug-in by checking whether the fixed bit of the flag value of the function is 0. That is, if the fixed bit of the flag value of the function is not 0, it indicates that the function is hook and the function is tampered with.
Optionally, when determining whether the target function is hook according to the flag value, the identification device may further perform logical operation on the flag value according to a preset logical algorithm to obtain an operation result value; when the operation result value is a positive integer, it is determined that the objective function is hook. Wherein the logical algorithm may be determined according to a preset character string and a jump address when a native function in the system is executed. That is, the flag processed value may be compared with a fixed character such as 0 when the flag is not tampered with according to a preset logic algorithm, and if the processed value is changed, that is, is not 0, for example, a positive integer, the function is hook.
For example, for a system with Android version 5.0 or above, if the result is equal to a positive integer according to a logical algorithm, such as the logical equation EntryPointFromJni & & Access Flags &0x10000000, it can indicate that the function is tampered; if the logical result is equal to 0 (i.e., a fixed character), it may indicate that the function has not been tampered with. The entrypointformi may refer to a jump address when a native function, such as a native function, is executed, and the AccessFlags is the flag.
Further optionally, before determining whether the target function is hook based on the flag value, the identification device may also determine a system version used by the target terminal, and further select a mode of determining whether the target function is hook based on the flag value according to the system version of the target terminal, so as to improve efficiency of hook detection. The corresponding relation between the system version and the hook detection mode can be preset.
203. And when the target function is confirmed to be hook, acquiring a target function pointer corresponding to the target function from the memory of the target function.
The function pointer and the function to be hook are stored in different fields of the same memory, and the mapping relationship exists between different function pointers and the original function, or the mapping relationship exists between different function pointers and the storage address of the original function. The target function hook can mean a function hook corresponding to the name and the MAC address of the router; or the function corresponding to the name of the router is hook and/or the function corresponding to the MAC address is hook.
Optionally, after determining that the target function is hook, the hook-target function may be restored, so as to determine the real device information corresponding to the target function. Specifically, after a function is determined, for example, the target function is hook-marked, a function pointer corresponding to the target function, that is, the target function pointer, may be quickly obtained from an internal memory, so as to determine, according to the target function pointer, an original function corresponding to the target function, that is, a native API, that is, a real function that is not hook-marked.
204. And determining an original function corresponding to the target function pointer according to the pre-stored corresponding relation between each function pointer and the function, and determining original router information according to the original function.
After determining the target function pointer in the memory corresponding to the target function, the original function, i.e. the real Method, corresponding to the target function pointer can be further determined. And the target function can be replaced by the original function, so that the hook function can be restored. Therefore, the identification equipment can determine the real router information corresponding to the target terminal through the original function so as to identify the simulator based on the real router information. Specifically, if the function corresponding to the name and MAC address of the router is hook, the real name and MAC address of the original router can be restored; if the function corresponding to the name of the router is hook, the real name of the original router can be obtained through reduction; if the function corresponding to the MAC address is hook, the real original MAC address can be obtained through restoration.
It should be understood that the original function pointer stored in the memory is not tampered, and according to the working principle of the Xposed plug-in, the original information of the function is backed up and stored in a specific address in the memory, that is, the address pointed by the target function pointer, before the target function is tampered. Once the backup information is also tampered, the Xposed plug-in will not work properly. Therefore, the original function acquired at the specific address pointed by the target function pointer must be the correct function, and the correct function cannot be tampered.
205. And detecting whether the name of the router included in the original router information is the same as the name of the router in a preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in a preset second blacklist.
206. And when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal runs in a simulator environment.
Specifically, please refer to the above description related to steps 102-103 in the embodiment shown in fig. 1 for the description of steps 205-206, which is not repeated herein.
Optionally, in other embodiments, the identification device may further identify whether the target terminal operates in the simulator environment in combination with other device information. For example, in some embodiments, the identification device may further obtain model information of the target terminal, where the model information includes a model and/or a brand of the target terminal; and detecting whether the model information is the same as the terminal model information in a preset third blacklist, wherein the third blacklist comprises at least one group of terminal model information. Further, when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, the identification device may determine that the target terminal operates in a simulator environment. The model information is the same as any group of terminal model information in the third blacklist, and the method comprises the following steps: when the model information is the model, the model is the same as any terminal model in the third blacklist; when the model information is a brand, the brand is the same as any terminal brand in the third blacklist; when the model information includes a model and a brand, the model is the same as any terminal model in the third blacklist, and the brand is the same as any terminal brand in the third blacklist. Optionally, the third blacklist includes one or more sets of terminal model information, where the one or more sets of terminal model information may be model information of a terminal identified as a simulator in historical data, for example, the former L (L is an integer greater than 0, for example, 8) set of model information with the largest statistical frequency, or model information with the statistical frequency greater than a preset number threshold (a third threshold), and so on, which is not described herein again. That is to say, the identification device can perform simulator identification by combining router information of a Wi-Fi hotspot connected with the terminal and model information of the terminal, so that the reliability of simulator identification is further improved.
For another example, in some embodiments, the identification device may further obtain a manufacturer identifier of the CPU of the target terminal, detect whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset white list, and determine that the target terminal operates in the simulator environment when the name of the router is the same as the name of any router in the first black list, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU is different from all manufacturer identifiers in the white list. Wherein the white list may include an identification of one or more legitimate CPU manufacturers. That is, the identification device may perform simulator identification in combination with router information of a Wi-Fi hotspot to which the terminal is connected and CPU manufacturer information of the terminal, so as to improve reliability of simulator identification.
For another example, in some embodiments, the identification device may further perform simulator identification by combining router information of a Wi-Fi hotspot connected to the terminal and model information of the terminal, so as to improve reliability of simulator identification, which is not described herein.
For another example, in some embodiments, the identification device may further detect whether the device information of the target terminal satisfies a preset rule, where the condition that the device information of the target terminal satisfies the preset rule may refer to that any one or more of the following rules are satisfied:
1) The target terminal is not provided with a preset module, and the preset module comprises one or more of a Bluetooth module, a temperature sensor and a light sensor;
the preset module is a module which is identified as a simulator according to historical data statistics and is not configured in the terminal, such as a Bluetooth module, a temperature sensor and a light sensor. Therefore, if the terminal is identified not to be configured with the preset module, the terminal may be a simulator.
2) The memory space value of the target terminal is smaller than a preset memory threshold value;
3) The first number of the applications installed by the target terminal is smaller than a preset first number threshold;
4) The second number of the files stored by the target terminal is smaller than a preset second number threshold;
wherein, the first number threshold and the second number threshold can be preset.
5) The network system used by the target terminal is different from all network systems in a preset network system list;
optionally, the identification device may determine, in combination with a target area where the target terminal is located, which network systems are normal network systems, for example, determine a network system list corresponding to the target area by pre-configuring different areas and network system lists corresponding to the different areas, where a network system in the network system list is a normal network system of the target area. If the network system used by the target terminal is detected not to be the network system in the corresponding network system list, the target terminal may operate in the simulator environment, because the simulator may tamper with the network system information.
6) A system file with a preset path and a preset name exists in a system of a target terminal;
if an abnormal system file exists in the target terminal, the target terminal may be a simulator. For example, the exception system files may include the following path and name system files: the term "dev" refers to the term "/dev/qemu _ pipe,/dev/socket/qemud,/system/lib/libc _ malloc _ debug _ qemu.so,/system/qemu _ trace,/proc/tty/drivers/gold fish, and the like.
7) The target terminal is in a root state, etc. And if the target terminal is detected to be in the Android root state, the target terminal may be a simulator.
In some embodiments, when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal satisfies the predetermined rule, the identifying device may determine that the target terminal operates in a simulator environment. That is to say, the identification device may perform simulator identification by combining router information, module configuration information, memory space information, the number of installed applications, the number of stored files, a used network system, system file exception information, an operating state and other information of a Wi-Fi hotspot connected to the terminal, so as to further improve reliability of simulator identification.
For another example, in some embodiments, the identification device may further perform simulator identification according to any one or more of the router information, the model information, the CPU manufacturer information, the module configuration information, the memory space information, the number of installed applications, the number of stored files, the network system used, the system file exception information, the running state, and other information of the Wi-Fi hotspot connected to the terminal, which is not described herein again.
Optionally, before performing simulator identification according to any one or more of device information of the target terminal, model information of the CPU manufacturer, module configuration information, memory space information, the number of installed applications, the number of stored files, a used network system, system file exception information, an operating state, and the like, it may be further detected whether the device information used for simulator identification is tampered, and if tampered, the real device information may be restored and then simulator identification may be performed based on the real device information. For detecting whether the device information is tampered and the recovery method thereof, reference may be made to the description of detecting whether the router information is tampered and the recovery method thereof in steps 202 to 204, which is not described herein again.
Further optionally, the identification device may generate the alert message if it is determined that the target terminal is operating in a simulator environment. For example, the alarm information may include: one or more of risk level, user information, device malicious behavior. The risk level can be determined according to a target wind control scene of the terminal, and the corresponding relation between different wind control scenes and the risk level can be preset and obtained; or, the risk level may be determined according to an application run by a terminal target, and the corresponding relationship between different applications and the risk level may be preset; or, the risk level can be determined according to the number of functions of the hook of the terminal, and the corresponding relation between different hook numbers and the risk level can be preset; or, the risk level may also be determined according to the priority of the tampered device information of the terminal, and specifically, the priority of different device information, the corresponding relationship between each priority and the risk level, and the like may be preset, and the present application is not limited thereto. For example, the risk level may be classified as high-risk, medium-risk, low-risk, or primary, secondary, tertiary, etc. The User information may include a User Identification (UID), a mobile phone number, an Identification number (if collected when registering an application), and the like. The malicious behavior may include tampering with a MAC address, tampering with a CPU manufacturer, tampering with a model and a brand of a mobile phone, tampering with a mobile phone number, and the like, which may be determined through the above hook detection.
In addition, optionally, the identification device may also issue an instruction to the target terminal according to the alarm information, so as to control an operation on the target terminal (e.g., an APP client running on the terminal). For example, if the identification device determines that the risk level is low risk, the identification device may issue an instruction to instruct the client to output a prompt, and request the user to input authentication information, where the authentication manner includes, but is not limited to, a short message authentication code, a picture authentication code, and the like. If the verification fails, the subsequent operation cannot be performed. As another example, if the identification device determines that the risk level is medium-risk, the identification device may issue an instruction instructing the client to prohibit a user from requesting access operations in a target climate scenario (e.g., login, pick up a red envelope, redeem a coupon, consume, transfer, etc.). For another example, if the identification device determines that the risk level is high risk, the identification device may issue an instruction to instruct the client to prohibit all access operations requested by the user, and so on, which are not listed here.
For example, for some mobile phone games, the simulator can obtain performance (actually belonging to game cheating) higher than that of the mobile phone, whether a game application runs in the simulator environment can be identified through the identification rule, game behaviors running in the simulator can be timely found, the behaviors can be further prevented, and loss of users caused by cheating is prevented.
For another example, a financial institution may offer a small loan with a wind-controlled policy that only allows users in a specific area, such as users in the north, to loan, and an illegal user may modify the GPS location using a simulator to circumvent the wind-controlled policy and cheat the loan. Thus, the application may identify whether the device is operating in a simulator environment by the identification rules described above, and deny the user's request for a loan after determining that the device is operating in a simulator environment. Furthermore, the method can also be used for restoring the GPS positioning in the hook detection mode to obtain the real positioning information of the user.
For another example, the illegal party sets information such as the model, the brand, the manufacturer and the like of the mobile phone in the simulator, so that the aim of simulating a plurality of different android mobile phones by one simulator software is fulfilled, and therefore fake identity cheating preferential activities, registration rewards and the like are created. According to the method and the device, after the information such as the model, the brand and the manufacturer of the mobile phone is falsified according to the hook detection mode, the real information such as the model, the brand and the manufacturer of the mobile phone is restored and is identified by the simulator, whether the equipment operation runs in the simulator environment can be identified in time, the behavior can be stopped in time when the equipment operation is identified to run in the simulator environment, and the loss of a legal user is avoided.
In the embodiment of the invention, the identification device can identify the simulator by collecting a plurality of items of device information, such as device information of Wi-Fi hot spots connected with the terminal, so that the identification accuracy of the simulator is improved, and before identifying whether the terminal operates in the environment of the simulator according to the device information, the identification device can identify whether the device information is tampered or not and restore real device information in time when the tampering is detected, so that the simulator is identified based on the real device information, and the identification accuracy of the simulator is further improved.
The above embodiments of the method are all illustrations of the simulator identification method of the present application, and descriptions of various embodiments have respective emphasis, and reference may be made to relevant descriptions of other embodiments for parts that are not described in detail in a certain embodiment.
Referring to fig. 3, fig. 3 is a schematic structural diagram of an identification device according to an embodiment of the present invention. The recognition apparatus of an embodiment of the present invention includes a unit for performing the simulator recognition method described above. Specifically, the identification device 300 of the present embodiment may include: an acquisition unit 301 and a recognition unit 302. Wherein, the first and the second end of the pipe are connected with each other,
an obtaining unit 301, configured to obtain router information of a Wi-Fi hotspot connected to a target terminal, where the router information includes a name of a router and a media access control MAC address;
an identifying unit 302, configured to detect whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is in a MAC address set in a preset second blacklist;
the identifying unit 302 is further configured to determine that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set.
Optionally, the obtaining unit 301 is further configured to obtain model information of the target terminal, where the model information includes a model and/or a brand of the target terminal;
the identifying unit 302 is further configured to detect whether the model information is the same as terminal model information in a preset third blacklist, where the third blacklist includes at least one group of terminal model information;
the identifying unit 302 is specifically configured to determine that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist.
Optionally, the obtaining unit 301 is further configured to obtain a manufacturer identifier of a central processing unit CPU of the target terminal;
the identifying unit 302 is further configured to detect whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset white list;
the identifying unit 302 is specifically configured to determine that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU is different from all manufacturer identifiers in the whitelist.
Optionally, the identifying unit 302 is further configured to detect whether the device information of the target terminal meets a preset rule, where the meeting of the device information of the target terminal with the preset rule includes:
a preset module is not configured in the target terminal, and the preset module comprises one or more of a Bluetooth module, a temperature sensor and a light sensor; and/or the presence of a gas in the gas,
the memory space value of the target terminal is smaller than a preset memory threshold value; and/or the presence of a gas in the atmosphere,
the first number of the applications installed by the target terminal is smaller than a preset first number threshold; and/or the presence of a gas in the gas,
the second number of the files stored by the target terminal is smaller than a preset second number threshold; and/or the presence of a gas in the gas,
the network system used by the target terminal is different from all network systems in a preset network system list; and/or the presence of a gas in the gas,
a system file with a preset path and a preset name exists in a system of the target terminal; and/or the presence of a gas in the gas,
the running state of the target terminal is a root state;
the identifying unit 302 is specifically configured to determine that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal meets the preset rule.
Optionally, the identification device further includes: a hook detection unit 303 and a reduction unit 304;
the obtaining unit 301 is further configured to obtain a flag value of a target function corresponding to the router information;
a hook detection unit 303, configured to determine whether the target function is hook based on the flag value;
the obtaining unit 301 is further configured to obtain, when it is determined that the target function is hook, a target function pointer corresponding to the target function from a memory of the target function;
a restoring unit 304, configured to determine, according to a pre-stored correspondence between each function pointer and a function, an original function corresponding to the target function pointer, and determine original router information according to the original function;
the identifying unit 302 is specifically configured to detect whether a name of a router included in the original router information is the same as a router name in a preset first blacklist, and whether a MAC address included in the original router information is in a MAC address set in a preset second blacklist.
Optionally, the hook detecting unit 303 is specifically configured to compare a character at a preset position in the flag value with a preset fixed character, where the number of characters at the preset position is the same as the number of characters of the fixed character; and when the character at the preset position is different from the fixed character obtained by comparison, determining that the target function is hook.
Optionally, the hook detecting unit 303 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and a jump address when a native function in the system is executed; and when the operation result value is a positive integer, determining that the target function is hook.
Specifically, the identification device may implement, through the above-mentioned units, part or all of the steps in the simulator identification method in the embodiment shown in fig. 1 to 2. It should be understood that the embodiments of the present invention are device embodiments corresponding to method embodiments, and the description of the method embodiments also applies to the embodiments of the present invention.
In the embodiment of the present invention, the identification device may determine that the target terminal operates in the simulator environment by acquiring router information of a Wi-Fi hotspot connected to the terminal, and detecting and analyzing the router information, such as a name and a MAC address of a router, and when it is detected that the name of the router is the same as any router name in a preset blacklist and the MAC address is in a preset MAC address set. According to the embodiment of the invention, the simulator can be identified according to the router information of the Wi-Fi hotspot connected with the terminal, so that the simulator identification accuracy is improved.
Referring to fig. 4, fig. 4 is a schematic structural diagram of another identification device according to an embodiment of the present invention. The identification device is adapted to perform the method described above. As shown in fig. 4, the identification device 400 in the present embodiment may include: one or more processors 401 and memory 402. Optionally, the identification device may also include one or more user interfaces 403, and/or one or more communication interfaces 404. The processor 401, user interface 403, communication interface 404, and memory 402 may be connected by a bus 405, which is illustrated in fig. 4, or may be connected in other ways. Wherein the memory 402 is adapted to store a computer program comprising program instructions and the processor 401 is adapted to execute the program instructions stored by the memory 402.
Wherein the processor 401 may be configured to call the program instruction to perform the following steps: the method comprises the steps of obtaining router information of a wireless fidelity Wi-Fi hotspot connected with a target terminal, wherein the router information comprises the name of a router and a Media Access Control (MAC) address; detecting whether the name of the router is the same as the name of the router in a preset first blacklist and whether the MAC address is in a MAC address set in a preset second blacklist; and when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal runs in a simulator environment.
Optionally, before the processor 401 invokes the program instruction to execute the determining that the target terminal operates in the simulator environment, the following steps are further performed: obtaining model information of the target terminal, wherein the model information comprises the model and/or the brand of the target terminal; detecting whether the model information is the same as terminal model information in a preset third blacklist, wherein the third blacklist comprises at least one group of terminal model information;
when the processor 401 invokes the program instruction to execute the step of determining that the target terminal operates in the simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the following steps are specifically performed: and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as that of any group of terminal machines in the third blacklist, determining that the target terminal operates in a simulator environment.
Optionally, before invoking the program instructions to perform the determining that the target terminal operates in the simulator environment, the processor 401 is further configured to perform the following steps: acquiring a manufacturer identification of a Central Processing Unit (CPU) of the target terminal; detecting whether the manufacturer identification of the CPU is the same as the manufacturer identification in a preset white list or not;
when the processor 401 invokes the program instruction to execute the step of determining that the target terminal operates in the simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the following steps are specifically executed: and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identification of the CPU is different from all manufacturer identifications in the white list, determining that the target terminal operates in a simulator environment.
Optionally, before the processor 401 invokes the program instruction to execute the determining that the target terminal operates in the simulator environment, the following steps are further performed: detecting whether the equipment information of the target terminal meets a preset rule or not, wherein the step of meeting the preset rule by the equipment information of the target terminal comprises the following steps: a preset module is not configured in the target terminal, and the preset module comprises one or more of a Bluetooth module, a temperature sensor and a light sensor; and/or the memory space value of the target terminal is smaller than a preset memory threshold value; and/or the first number of the applications installed by the target terminal is smaller than a preset first number threshold; and/or the second number of the files stored by the target terminal is smaller than a preset second number threshold; and/or the network system used by the target terminal is different from all network systems in a preset network system list; and/or a system file with a preset path and a preset name exists in a system of the target terminal; and/or the running state of the target terminal is a root state;
when the processor 401 invokes the program instruction to execute the step of determining that the target terminal operates in the simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the following steps are specifically executed: and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the equipment information of the target terminal meets the preset rule, determining that the target terminal operates in a simulator environment.
Optionally, before invoking the program instruction to perform the detecting whether the name of the router is the same as the name of the router in the preset first blacklist and whether the MAC address is in the MAC address set in the preset second blacklist, the processor 401 is further configured to perform the following steps: acquiring a flag value of a target function corresponding to the router information, and determining whether the target function is hook according to the flag value; when the target function is confirmed to be hook, acquiring a target function pointer corresponding to the target function from a memory of the target function; determining an original function corresponding to the target function pointer according to the corresponding relation between each function pointer and the function stored in advance, and determining original router information according to the original function;
when the processor 401 invokes the program instruction to execute the steps of detecting whether the name of the router is the same as the name of the router in the preset first blacklist and whether the MAC address is in the MAC address set in the preset second blacklist, specifically executing the following steps: and detecting whether the name of the router included in the original router information is the same as the name of the router in a preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in a preset second blacklist.
Optionally, when calling the program instruction to execute the determination of whether the target function is hook according to the flag value, the processor 401 specifically executes the following steps: comparing characters at preset positions in the flag value with preset fixed characters, wherein the number of the characters at the preset positions is the same as that of the fixed characters; and when the characters at the preset positions are different from the fixed characters through comparison, determining that the target function is hook.
Optionally, when calling the program instruction to execute the determination of whether the target function is hook according to the flag value, the processor 401 specifically executes the following steps: performing logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in a system is executed; and when the operation result value is a positive integer, determining that the target function is hook.
The Processor 401 may be a Central Processing Unit (CPU), or other general-purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The user interface 403 may include input devices, which may include a touch pad, microphone, etc., and output devices, which may include a display (LCD, etc.), speakers, etc.
The communication interface 404 may include a receiver and a transmitter for communicating with other devices.
Memory 402 may include both read-only memory and random access memory and provides instructions and data to processor 401. A portion of the memory 402 may also include non-volatile random access memory. For example, the memory 402 may also store the above-described correspondence between function pointers and functions, and the like.
In specific implementation, the processor 401 and the like described in the embodiment of the present invention may execute the implementation manners described in the method embodiments shown in fig. 1 to fig. 3, and may also execute the implementation manners of the units described in fig. 4 in the embodiment of the present invention, which are not described herein again.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the computer program may implement part or all of the steps in the simulator identification method described in the embodiments corresponding to fig. 1 to fig. 2, and may also implement the functions of the identification device in the embodiments shown in fig. 3 or fig. 4 of the present invention, which are not described herein again.
Embodiments of the present invention also provide a computer program product including instructions, which when executed on a computer, cause the computer to perform some or all of the steps of the above method.
The computer readable storage medium may be an internal storage unit of the identification device according to any of the foregoing embodiments, for example, a hard disk or a memory of the identification device. The computer readable storage medium may also be an external storage device of the identification device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. provided on the identification device.
In this application, the term "and/or" is only one kind of association relationship describing an associated object, and means that there may be three kinds of relationships, for example, a and/or B, which may mean: a exists alone, A and B exist simultaneously, and B exists alone. In addition, the character "/" herein generally indicates that the former and latter related objects are in an "or" relationship.
In the embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present invention.
The above description is only a part of the embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive various equivalent modifications or substitutions within the technical scope of the present invention, and these modifications or substitutions should be covered within the scope of the present invention.

Claims (9)

1. A simulator identification method, comprising:
the method comprises the steps of obtaining router information of a wireless fidelity Wi-Fi hotspot connected with a target terminal, wherein the router information comprises the name of a router and a Media Access Control (MAC) address;
acquiring a flag value of a target function corresponding to the router information, and determining a system version used by the target terminal;
selecting a mode for determining whether the target function is hook according to the system version of the target terminal, and determining whether the target function is hook according to the flag value in the selected mode;
when the target function is confirmed to be hook, acquiring a target function pointer corresponding to the target function from a memory of the target function;
determining an original function corresponding to the target function pointer according to the corresponding relation between each function pointer and the function stored in advance, and determining original router information according to the original function;
detecting whether the name of a router included in the original router information is the same as the name of a router in a preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in a preset second blacklist;
detecting whether the equipment information of the target terminal meets a preset rule or not;
when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the equipment information of the target terminal meets the preset rule, determining that the target terminal operates in a simulator environment;
wherein the step of satisfying the preset rule by the device information of the target terminal includes: the first number of the applications installed by the target terminal is smaller than a preset first number threshold; the second number of the files stored by the target terminal is smaller than a preset second number threshold; the network system used by the target terminal is different from all network systems in a preset network system list; a system file with a preset path and a preset name exists in a system of the target terminal; and the running state of the target terminal is a root state.
2. The method of claim 1, wherein prior to the determining that the target terminal is operating in a simulator environment, the method further comprises:
obtaining model information of the target terminal, wherein the model information comprises a model and/or a brand of the target terminal;
detecting whether the model information is the same as terminal model information in a preset third blacklist, wherein the third blacklist comprises at least one group of terminal model information;
determining that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the set of MAC addresses, including:
and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as that of any group of terminals in the third blacklist, determining that the target terminal operates in a simulator environment.
3. The method of claim 1, wherein prior to the determining that the target terminal is operating in a simulator environment, the method further comprises:
acquiring a manufacturer identification of a Central Processing Unit (CPU) of the target terminal;
detecting whether the manufacturer identification of the CPU is the same as the manufacturer identification in a preset white list or not;
determining that the target terminal operates in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the set of MAC addresses, including:
and when the name of the router is the same as that of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identification of the CPU is different from all manufacturer identifications in the white list, determining that the target terminal operates in a simulator environment.
4. The method of claim 1, wherein the step of enabling the device information of the target terminal to meet the preset rule further comprises:
a preset module is not configured in the target terminal, and the preset module comprises one or more of a Bluetooth module, a temperature sensor and a light sensor; and/or the presence of a gas in the gas,
and the memory space value of the target terminal is smaller than a preset memory threshold value.
5. The method of claim 1, wherein the determining whether the objective function is hook based on the flag value comprises:
comparing characters at preset positions in the flag value with preset fixed characters, wherein the number of the characters at the preset positions is the same as that of the fixed characters;
and when the character at the preset position is different from the fixed character obtained by comparison, determining that the target function is hook.
6. The method of claim 1, wherein the determining whether the objective function is hook based on the flag value comprises:
performing logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in a system is executed;
and when the operation result value is a positive integer, determining that the target function is hook.
7. An identification device, characterized in that it comprises means for performing the method of any of claims 1-6.
8. An identification device, comprising a processor, a user interface, a communication interface and a memory, the processor, the user interface, the communication interface and the memory being interconnected, wherein the memory is adapted to store a computer program comprising program instructions, the processor being configured to invoke the program instructions to perform the method of any of claims 1-6.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions that, when executed by a processor, cause the processor to carry out the method according to any one of claims 1-6.
CN201810855586.8A 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium Active CN109062667B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201810855586.8A CN109062667B (en) 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium
PCT/CN2018/107748 WO2020019485A1 (en) 2018-07-27 2018-09-26 Simulator identification method, identification device, and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810855586.8A CN109062667B (en) 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN109062667A CN109062667A (en) 2018-12-21
CN109062667B true CN109062667B (en) 2023-04-18

Family

ID=64831519

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810855586.8A Active CN109062667B (en) 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium

Country Status (2)

Country Link
CN (1) CN109062667B (en)
WO (1) WO2020019485A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902500B (en) * 2019-03-11 2021-02-26 北京城市网邻信息技术有限公司 Method and system for realizing service call data security through link library
CN110248372B (en) * 2019-04-25 2023-04-11 深圳壹账通智能科技有限公司 Simulator detection method and device, storage medium and computer equipment
CN110532774A (en) * 2019-07-24 2019-12-03 阿里巴巴集团控股有限公司 Hook inspection method, device, server and readable storage medium storing program for executing
CN110427758B (en) * 2019-08-08 2021-06-01 北京智游网安科技有限公司 Position spoofing detection method, intelligent terminal and storage medium
CN110619210A (en) * 2019-08-27 2019-12-27 苏宁云计算有限公司 Simulator detection method and system
CN112905301A (en) * 2021-03-04 2021-06-04 中国科学院信息工程研究所 Detection method and device for Android simulator
CN113282304B (en) * 2021-05-14 2022-04-29 杭州云深科技有限公司 System for identifying virtual machine based on app installation list

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104134041A (en) * 2014-07-31 2014-11-05 北京奇虎科技有限公司 Anti-detecting method and device of terminal simulator system

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5698614B2 (en) * 2011-06-22 2015-04-08 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Machines Corporation Context information processing system and method
CN105162768B (en) * 2015-07-31 2018-12-07 腾讯科技(深圳)有限公司 The method and device of detection fishing Wi-Fi Hotspot
CN105162799A (en) * 2015-09-24 2015-12-16 北京奇虎科技有限公司 Method for checking whether client is legal mobile terminal or not and server
CN108156268B (en) * 2016-12-05 2020-05-26 腾讯科技(深圳)有限公司 Method for acquiring device identifier, server and terminal device
CN107633170A (en) * 2017-09-30 2018-01-26 北京梆梆安全科技有限公司 A kind of Android simulator detection method and device of combination ardware feature and sensor
CN107729750A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 With reference to configuration information and the Android simulator detection method and device of ardware feature
CN107729121A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 Simulator detection method and device
CN107729749A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 With reference to system information and the Android simulator detection method and device of ardware feature
CN108021805A (en) * 2017-12-18 2018-05-11 上海众人网络安全技术有限公司 Detect method, apparatus, equipment and the storage medium of Android application program running environment

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104134041A (en) * 2014-07-31 2014-11-05 北京奇虎科技有限公司 Anti-detecting method and device of terminal simulator system

Also Published As

Publication number Publication date
WO2020019485A1 (en) 2020-01-30
CN109062667A (en) 2018-12-21

Similar Documents

Publication Publication Date Title
CN109117250B (en) Simulator identification method, simulator identification equipment and computer readable medium
CN109144665B (en) Simulator identification method, simulator identification equipment and computer readable medium
CN109062667B (en) Simulator identification method, simulator identification equipment and computer readable medium
CN109561085B (en) Identity verification method based on equipment identification code, server and medium
CN109492378A (en) A kind of auth method based on EIC equipment identification code, server and medium
US10073916B2 (en) Method and system for facilitating terminal identifiers
CN110417778B (en) Access request processing method and device
CN109145590B (en) Function hook detection method, detection equipment and computer readable medium
CN103440456B (en) The method and device that a kind of application security is assessed
CN107145782B (en) Abnormal application program identification method, mobile terminal and server
CN105357204B (en) Method and device for generating terminal identification information
CN104809397A (en) Android malicious software detection method and system based on dynamic monitoring
KR20160046640A (en) Apparaus and method for detecting malcious application based on visualization similarity
Hwang et al. Bittersweet adb: Attacks and defenses
CN109815702B (en) Software behavior safety detection method, device and equipment
CN106301975A (en) A kind of data detection method and device thereof
CN114282212A (en) Rogue software identification method and device, electronic equipment and storage medium
CN107948973B (en) Equipment fingerprint generation method applied to IOS (input/output system) for security risk control
CN110943989B (en) Equipment identification method and device, electronic equipment and readable storage medium
CN110688319B (en) Application keep-alive capability test method and related device
CN113596600A (en) Security management method, device, equipment and storage medium for live broadcast embedded program
CN113438225A (en) Vehicle-mounted terminal vulnerability detection method, system, equipment and storage medium
CN110597557A (en) System information acquisition method, terminal and medium
CN112069500A (en) Application software detection method, device and medium
CN108810230B (en) Method, device and equipment for acquiring incoming call prompt information

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant