CN109214179A - A program module security detection method and device

Publication number: CN109214179A
Authority: CN (China)
Legal status: Granted
Application number: CN201710524905.2A
Other languages: Chinese (zh)
Other versions: CN109214179B (en)
Inventors: 周志刚, 张文明, 陈少杰
Current and original assignee: Wuhan Douyu Network Technology Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562: Static detection
    • G06F21/563: Static detection by source code analysis

Abstract

The invention discloses a program module security detection method and device. An import function name list and a string list are parsed from a target program module. It is determined whether the import function name list contains an import function related to log output; if so, a first determination result is generated, otherwise a second determination result is generated. It is determined whether the import function name list contains a predetermined core function; if so, a third determination result is generated, otherwise a fourth determination result is generated. It is determined whether the string list contains a predetermined string; if so, a fifth determination result is generated, otherwise a sixth determination result is generated. If at least one of the first, third and fifth determination results is generated, the target program module is determined to be unsafe. The invention solves the technical problem that the prior art detects the components of an application with low reliability.

Description

A program module security detection method and device
Technical field
The present invention relates to the field of security testing of application components, and in particular to a program module security detection method.
Background
Applications are currently developed in a modular fashion: each component of an application is an independent program module, which makes components easier to test and update. Relatively independent or basic functionality can also be split out into its own program module, and other modules then build more complex functionality by calling the functions of that basic module. For important program modules, the developed code needs a final security test that checks whether it contains security vulnerabilities. In a login module, for example, protecting the user's password information is important: the account and password must not be easily stolen by a virus. Important security modules are therefore checked for security vulnerabilities.
At present, components are inspected at the source code level. However, modules developed by other people are sometimes used and their source code cannot be obtained, so the reliability of component detection for the application is low.
Summary of the invention
By providing a program module security detection method and device, the embodiments of the present invention solve the technical problem that the prior art detects the components of an application with low reliability.
In a first aspect, an embodiment of the present invention provides a program module security detection method, comprising:
parsing an import function name list and a string list from a target program module, wherein the import function name list contains the names of the system functions imported into the target program module, and the string list contains all the strings in the target program module;
determining whether the import function name list contains an import function related to log output; if it does, generating a first determination result, otherwise generating a second determination result;
determining whether the import function name list contains a predetermined core function; if it does, generating a third determination result, otherwise generating a fourth determination result;
determining whether the string list contains a predetermined string; if it does, generating a fifth determination result, otherwise generating a sixth determination result;
if at least one of the first determination result, the third determination result and the fifth determination result is generated, determining that the target program module is unsafe.
Optionally, parsing the import function name list and the string list from the target program module comprises:
loading the module header information of the target program module into memory, wherein the module header information includes an index to each piece of section information present in the target program module;
loading each piece of section information into the memory according to the index;
extracting the data content of each section from the section information;
extracting the import function name list and the string list from the data content of the sections.
Optionally, if the import function related to log output is a formatted output function that outputs a formatted string to the terminal, determining whether the import function name list contains an import function related to log output comprises:
reading the name of the first import function from the import function name list;
determining whether the name of the import function currently read is the name of the formatted output function;
if so, generating the first determination result; otherwise, reading the name of the next import function from the import function name list and returning to the step of determining whether the name of the import function currently read is the name of the formatted output function;
if the name of the last import function read from the import function name list is not the name of the formatted output function, generating the second determination result.
Optionally, there are multiple predetermined core functions, and determining whether the import function name list contains a predetermined core function, to generate the second determination result, comprises:
reading the name of the first import function from the import function name list;
determining whether the name of the import function currently read belongs to the predetermined core functions;
if so, generating the third determination result; otherwise, reading the name of the next import function from the import function name list and returning to the step of determining whether the name of the import function currently read belongs to the predetermined core functions;
if the name of the last import function read from the import function name list does not belong to the predetermined core functions, generating the fourth determination result.
Optionally, the predetermined core functions comprise one or more of: a function for outputting a formatted string to a buffer, and a function for returning the length of a string.
Optionally, determining whether the string list contains a predetermined string comprises:
reading the first string from the predetermined string;
determining whether the string currently read belongs to the predetermined strings;
if so, generating the fifth determination result; otherwise, reading the next string from the string list and returning to the step of determining whether the string currently read belongs to the predetermined strings;
if the last string read from the string list does not belong to the predetermined strings, generating the sixth determination result.
Optionally, the predetermined strings comprise one or more of: a string identifying a password, a string identifying a key, a string identifying an encryption operation, a string identifying a decryption operation, a string identifying an encryption standard, and a string identifying an encryption algorithm type.
In a second aspect, an embodiment of the present invention provides a program module security detection device, comprising:
a parsing unit, configured to parse an import function name list and a string list from a target program module, wherein the import function name list contains the names of the system functions imported into the target program module, and the string list contains all the strings in the target program module;
a log output determination unit, configured to determine whether the import function name list contains an import function related to log output, and to generate a first determination result if it does and a second determination result otherwise;
a core function determination unit, configured to determine whether the import function name list contains a predetermined core function, and to generate a third determination result if it does and a fourth determination result otherwise;
a string determination unit, configured to determine whether the string list contains a predetermined string, and to generate a fifth determination result if it does and a sixth determination result otherwise;
a security determination unit, configured to determine that the target program module is unsafe if at least one of the first determination result, the third determination result and the fifth determination result is generated.
Optionally, the parsing unit is specifically configured to:
load the module header information of the target program module into memory, wherein the module header information includes an index to each piece of section information present in the target program module;
load each piece of section information into the memory according to the index;
extract the data content of each section from the section information;
extract the import function name list and the string list from the data content of the sections.
Optionally, if the import function related to log output is a formatted output function that outputs a formatted string to the terminal, the log output determination unit is specifically configured to:
read the name of the first import function from the import function name list;
determine whether the name of the import function currently read is the name of the formatted output function;
if so, generate the first determination result; otherwise, read the name of the next import function from the import function name list and return to the step of determining whether the name of the import function currently read is the name of the formatted output function;
if the name of the last import function read from the import function name list is not the name of the formatted output function, generate the second determination result.
Optionally, there are multiple predetermined core functions, and the core function determination unit is specifically configured to:
read the name of the first import function from the import function name list;
determine whether the name of the import function currently read belongs to the predetermined core functions;
if so, generate the third determination result; otherwise, read the name of the next import function from the import function name list and return to the step of determining whether the name of the import function currently read belongs to the predetermined core functions;
if the name of the last import function read from the import function name list does not belong to the predetermined core functions, generate the fourth determination result.
Optionally, the predetermined core functions comprise one or more of: a function for outputting a formatted string to a buffer, and a function for returning the length of a string.
Optionally, the string determination unit is specifically configured to:
read the first string from the predetermined string;
determine whether the string currently read belongs to the predetermined strings;
if so, generate the fifth determination result; otherwise, read the next string from the string list and return to the step of determining whether the string currently read belongs to the predetermined strings;
if the last string read from the string list does not belong to the predetermined strings, generate the sixth determination result.
Optionally, the predetermined strings comprise one or more of: a string identifying a password, a string identifying a key, a string identifying an encryption operation, a string identifying a decryption operation, a string identifying an encryption standard, and a string identifying an encryption algorithm type.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any embodiment of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein the processor implements the steps of any embodiment of the first aspect when executing the program.
The one or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
An import function name list and a string list are parsed from the target program module; the import function name list is checked for import functions related to log output and for predetermined core functions, and the string list is checked for predetermined strings; the determination results decide whether the target program module is safe. Detection is therefore performed on the compiled, or even finally released, target program module and is transparent to developers. It can also be performed without the source code of the program module, so detecting compiled and released program modules becomes more convenient and more reliable.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is the flow chart of the program module security detection method provided by an embodiment of the present invention;
Fig. 2 is the structural schematic diagram of the program module security detection device provided by an embodiment of the present invention;
Fig. 3 is the structural schematic diagram of the computer-readable storage medium provided by an embodiment of the present invention;
Fig. 4 is the structural schematic diagram of the computer device provided by an embodiment of the present invention.
Detailed description of the embodiments
By providing a program module security detection method and device, the embodiments of the present invention solve the technical problem that the prior art detects the components of an application with low reliability.
To solve the above technical problem, the general idea of the technical solution of the embodiments is as follows:
An import function name list and a string list are parsed from the target program module; the import function name list is checked for import functions related to log output and for predetermined core functions, and the string list is checked for predetermined strings; the determination results decide whether the target program module is safe.
With this technical solution, detection is performed on the compiled, or even finally released, target program module and is transparent to developers. It can also be performed without the source code of the program module, so detecting compiled and released program modules becomes more convenient and more reliable.
For a better understanding, the technical solution is described in detail below with reference to the drawings and specific embodiments.
Referring to Fig. 1, a program module security detection method provided by an embodiment of the present invention comprises:
S101: parse an import function name list and a string list from the target program module, wherein the import function name list contains the names of the system functions imported into the target program module, and the string list contains all the strings in the target program module.
It should be noted that, for a PC client, the target program module is a DLL file on the Windows operating system and an SO file on the Linux operating system. The code-level examples below take a DLL file on the Windows operating system as the target program module, but the present invention is not limited to implementations based on Windows DLL files.
The module header information first contains an index to each piece of section information, so that the section information following the module header can be located. A module file is composed of header information and multiple sections, and there are gaps of varying size between the sections, so loading the target program module into memory according to its file format requires reading the module header information first and then each piece of section information after it in turn.
In one embodiment, S101 comprises the following sub-steps to obtain the import function name list and the string list:
First, S1011 is executed: the module header information of the target program module is loaded into memory, wherein the module header information includes an index to each piece of section information present in the target program module.
For example, in step S1011 the system function CreateFile is called first to open the target program module to be loaded. The parameter Name is the name of the target program module; the remaining arguments open the existing file for shared reading. It is implemented as follows:
HANDLE hFile = CreateFile(Name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
Then the system function ReadFile is called to read the module header information of the target program module into the variable dosHeader. This can be implemented as follows:
IMAGE_DOS_HEADER dosHeader;
DWORD bytesRead = 0; /* number of bytes ReadFile actually read */
ReadFile(hFile, &dosHeader, sizeof(dosHeader), &bytesRead, NULL);
S1012: load each piece of section information into memory according to the index.
Specifically, the module header information gives the size of the module header data, the number of sections, and the header information of each section.
S1013: extract the data content of each section from the section information.
With the section information available, the name, size and other attributes of each section can be obtained, so the data content of each section can be read into memory. It is implemented as follows:
S1014: extract the import function name list and the string list from the data content of the sections.
It should be noted that the sections include an import section. The table information of the import section is obtained from the data content of the section information: the module header information holds the offset of the start address of the import section within the target program module, from which the table data of the import section can be obtained. The table data is then traversed to obtain the information of all the import functions in the import section.
This can be implemented as follows:
DWORD dwIat = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
Here dwIat is the offset of the import section within the target program module.
More specifically, the table data of the import section is located from the offset of the import section within the target program module and the start address of the target program module. The format of the import section then makes it possible to enumerate the import function name list containing the names of all the import functions it includes. This can be implemented as follows:
/* Start is the base address of the module in memory. dwIat is an RVA, so this
   addition is valid for a mapped image; a raw file buffer needs the RVA
   translated to a file offset through the section table first. */
PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE *)Start + dwIat);
The table data of the import section is thus obtained from the offset and the start address of the target program module, and the format of the import section is then used to enumerate the import function name list containing the names of all the import functions in the import section.
Likewise, the module header information contains the offset of the start address of the data section within the target program module. The information of the data section is obtained from it, and the constants in all data sections are traversed to obtain the string list containing all the constants in the target program module.
After S101, steps S102, S103 and S104 are executed. In a specific implementation they may be executed simultaneously or one after another.
S102: determine whether the import function name list contains an import function related to log output; if it does, generate the first determination result, otherwise generate the second determination result.
Specifically, if logs are printed by calling a formatted output function that outputs a formatted string to the terminal, the check is whether the import function name list contains the name of that formatted output function.
For example, the formatted output function can be the printf function; on other operating systems it is another specific function.
In one embodiment, determining whether the import function name list contains the name of the formatted output function that outputs a formatted string to the terminal comprises the following steps S1021 to S1024:
S1021: read the name of the first import function from the import function name list;
S1022: determine whether the name of the import function currently read is the name of the formatted output function.
It should be noted that the name currently read differs on each pass: it runs from the name of the first import function in the import function name list to the name of the last one.
S1023: if so, generate the first determination result and stop reading; otherwise, read the name of the next import function from the import function name list and return to step S1022;
S1024: if the name of the last import function read from the import function name list is not the name of the formatted output function, generate the second determination result.
In one embodiment, if the first determination result is generated, the method further includes a step of deleting the formatted output function, to prevent logs and debug information from being printed and thereby improve the security of the program module.
If the target program module prints log or debug information, an attacker can use that information to analyse the module's functionality and locate its key code. For example, when an application reads a file and the file cannot be read, a log message may be printed stating that the file does not exist; from this log the attacker learns which file the module reads. Similarly, hashing or encrypting specific data may print a start message, such as one stating that MD5 is being called to compute a hash, and the log then leads quickly to the application's MD5 calculation logic. The security check performed in S102 detects this kind of weakness.
S103: determine whether the import function name list contains a predetermined core function; if it does, generate the third determination result, otherwise generate the fourth determination result.
It should be noted that there may be one predetermined core function or several.
In one embodiment, S103 comprises the following steps S1031 to S1034:
S1031: read the name of the first import function from the import function name list;
S1032: determine whether the name of the import function currently read belongs to the predetermined core functions.
It should be noted that the name currently read in S1032 differs on each pass: it runs from the name of the first import function in the import function name list to the name of the last one.
S1033: if so, generate the third determination result and stop reading; otherwise, read the name of the next import function from the import function name list and return to step S1032;
S1034: if the name of the last import function read from the import function name list does not belong to the predetermined core functions, generate the fourth determination result.
In this embodiment, the predetermined core functions include one or more of: a function for outputting a formatted string to a buffer, and a function for returning the length of a string. The functions that output a formatted string to a buffer include the snprintf function and the sprintf function; the function that returns the length of a string is the strlen function.
More specifically, consider a core function in the target program module, such as one that computes the KEY value for video stream authentication and encrypts data. If the function that encrypts the data calls a system function, the system function can be hooked with a HOOK tool, and the data passed in the call can be obtained from the hook. For example:
Suppose there is a function that computes the KEY value for video stream address authentication.
The value is the MD5 of the client private key SKEY, the client IP and the client's user token, computed together. What matters most in this algorithm is protecting the client private key SKEY, for which various encryption and decryption algorithms may be used. If the final calculation of the authentication KEY value calls a system function, however, an attacker can easily obtain it with a HOOK tool, the earlier protection is defeated, and the module is therefore unsafe.
The concrete implementation searches the import function list obtained in step (1) for these string functions; if any of them is present, the module is considered unsafe. Other unsafe functions can also be added as detection targets, including functions the user has identified as unsafe. In each case the implementation is a lookup in the module's import functions: a match shows that the module uses the function.
In a preferred embodiment, more unsafe functions can be added to the predetermined core functions. Each added unsafe function is looked up in the import function name list; if it is present, the target program module uses that unsafe function.
In a preferred embodiment, when a name read from the import function name list shows that the target program module contains a function belonging to the predetermined core functions, that function is replaced with a matching core function, taken from a core function library written in advance, that does not call the system function.
In a preferred embodiment, if the third determination result is generated, a reminder message is output to indicate that a predetermined core function is present.
S104, judge whether the character string list contains a predetermined character string; if it does, generate the fifth judging result, otherwise generate the sixth judging result.
Specifically, the predetermined character string can be a single character string or a set of multiple character strings. In one embodiment, S104 includes the following steps S1041 to S1044:
S1041, read the first character string from the character string list;
S1042, judge whether the character string currently read belongs to the predetermined character string;
S1043, if so, generate the fifth judging result; otherwise, continue to read the next character string from the character string list and return to the step of judging whether the character string currently read belongs to the predetermined character string;
S1044, if the last character string read from the character string list does not belong to the predetermined character string, generate the sixth judging result.
In one embodiment, the predetermined character string includes one or more of the following:
The character string "password" indicating a password, the character string "key" indicating a key, the character string "encrypt" indicating an encryption operation, the character string "decrypt" indicating a decryption operation, a character string indicating an encryption standard, such as "MD5", and a character string indicating an encryption algorithm type, such as "DES".
When character strings such as "password", "key", "encrypt", "decrypt", "MD5", "DES" and "AES" appear, this information will include the password, the KEY value used for encryption and decryption, the name of the encryption function, the name of the decryption function, the name of the specific HASH algorithm, the name of the specific encryption and decryption algorithm, and so on, which reduces the module's security. For example, the encryption algorithm name "AES" indicates that the object program module encrypts with the AES encryption algorithm.
Further, if this information is detected, the developer can be informed that the module carries risk from these character strings, so that further modification can be made to ensure the security of the final module.
After S102 to S104 have all been executed, S105 is executed: if at least one of the first judging result, the third judging result and the fifth judging result has been generated, the object program module is determined to be unsafe.
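The checks S102 to S105 described above can be sketched as follows. This is an added example, not code from the patent: the function names `printf`, `sprintf` and `strlen` are assumptions standing in for the function roles the text describes, the keyword match is assumed to be a case-insensitive substring test, and the import list and byte blob are constructed sample data. It goes slightly beyond the described flow by collecting every match instead of stopping at the first one.

```python
import re
from dataclasses import dataclass, field

# Assumed concrete names; the patent text only describes these function roles.
LOG_OUTPUT_FUNCTIONS = {"printf"}        # formatted output to the terminal
CORE_FUNCTIONS = {"sprintf", "strlen"}   # formatted output to a buffer, string length
# Keywords listed in the description.
PREDETERMINED_STRINGS = ("password", "key", "encrypt", "decrypt", "MD5", "DES", "AES")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return printable-ASCII runs of at least min_len bytes.

    Stand-in for the parsing step: a strings(1)-style pass over raw data,
    not a parser for any particular module format.
    """
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


@dataclass
class Report:
    log_functions: list[str] = field(default_factory=list)    # non-empty: first judging result
    core_functions: list[str] = field(default_factory=list)   # non-empty: third judging result
    flagged_strings: list[tuple[str, str]] = field(default_factory=list)  # non-empty: fifth

    @property
    def unsafe(self) -> bool:
        # S105: any one of the three positive results marks the module unsafe.
        return bool(self.log_functions or self.core_functions or self.flagged_strings)


def check_module(import_names, strings, extra_unsafe=()):
    """Run the S102, S103 and S104 checks over already-extracted lists."""
    report = Report()
    core = CORE_FUNCTIONS | set(extra_unsafe)  # caller may add more unsafe functions
    for name in import_names:
        if name in LOG_OUTPUT_FUNCTIONS:       # S102: log output import
            report.log_functions.append(name)
        if name in core:                       # S103: predetermined core function
            report.core_functions.append(name)
    for s in strings:                          # S104: predetermined character strings
        lowered = s.lower()
        for keyword in PREDETERMINED_STRINGS:
            if keyword.lower() in lowered:
                report.flagged_strings.append((s, keyword))
                break                          # one finding per string is enough
    return report


# Constructed sample input: an import list and a blob of section data.
SAMPLE_IMPORTS = ["malloc", "printf", "memcpy", "strlen", "free"]
SAMPLE_BLOB = (b"\x00\x01libdemo\x00\x7f\x02aes_key=%s\x00\x03\x04"
               b"Encrypt failed\x00\xffok\x00connect timeout\x00")

if __name__ == "__main__":
    result = check_module(SAMPLE_IMPORTS, extract_strings(SAMPLE_BLOB))
    print("log output imports:", result.log_functions)
    print("core function imports:", result.core_functions)
    print("flagged strings:", result.flagged_strings)
    print("module unsafe:", result.unsafe)
```

Substring matching on a short keyword such as "key" also flags unrelated strings that merely contain those letters, so each finding needs review before the module is changed.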
Based on the same inventive concept, an embodiment of the present invention provides a program module safety detection device. Referring to Fig. 2, the device includes:
Resolution unit 201, for parsing an importing function name list and a character string list from the object program module, wherein the importing function name list includes the names of the system functions imported into the object program module, and the character string list includes all character strings in the object program module;
Log output judging unit 202, for judging whether the importing function name list contains an importing function related to log output; if it does, the first judging result is generated, otherwise the second judging result is generated;
Core function judging unit 203, for judging whether the importing function name list contains a predetermined core function; if it does, the third judging result is generated, otherwise the fourth judging result is generated;
Character string judging unit 204, for judging whether the character string list contains a predetermined character string; if it does, the fifth judging result is generated, otherwise the sixth judging result is generated;
Safety determination unit 205, for determining that the object program module is unsafe if at least one of the first judging result, the third judging result and the fifth judging result is generated.
Optionally, the resolution unit 201 is specifically used for:
Loading the module header information of the object program module into memory, wherein the module header information includes an index to each piece of segment information present in the object program module;
Loading each piece of segment information into the memory according to the index;
Extracting the data content of each piece of segment information from that segment information;
Extracting the importing function name list and the character string list from the data content of each piece of segment information.
Optionally, if the importing function related to log output is a formatted output function for outputting a formatted character string to the terminal, the log output judging unit 202 is specifically used for:
Reading the name of the first importing function from the importing function name list;
Judging whether the name of the importing function currently read is the name of the formatted output function;
If so, generating the first judging result; otherwise, continuing to read the name of the next importing function from the importing function name list and returning to the step of judging whether the name of the importing function currently read is the name of the formatted output function;
If the name of the last importing function read from the importing function name list is not the name of the formatted output function, generating the second judging result.
Optionally, there are multiple predetermined core functions, and the core function judging unit 203 is specifically used for:
Reading the name of the first importing function from the importing function name list;
Judging whether the name of the importing function currently read belongs to the predetermined core functions;
If so, generating the third judging result; otherwise, continuing to read the name of the next importing function from the importing function name list and returning to the step of judging whether the name of the importing function currently read belongs to the predetermined core functions;
If the name of the last importing function read from the importing function name list does not belong to the predetermined core functions, generating the fourth judging result.
Optionally, the predetermined core function includes one or more of: a function for outputting a formatted character string to a buffer, and a function for returning the length of a character string.
Optionally, the character string judging unit 204 is specifically used for:
Reading the first character string from the predetermined character string;
Judging whether the character string currently read belongs to the predetermined character string;
If so, generating the fifth judging result; otherwise, continuing to read the next character string from the character string list and returning to the step of judging whether the character string currently read belongs to the predetermined character string;
If the last character string read from the character string list does not belong to the predetermined character string, generating the sixth judging result.
Optionally, the predetermined character string includes one or more of: a character string indicating a password, a character string indicating a key, a character string indicating an encryption operation, a character string indicating a decryption operation, a character string indicating an encryption standard, and a character string indicating an encryption algorithm type.
Based on the same inventive concept, an embodiment of the present invention provides a computer-readable storage medium 301. Referring to Fig. 3, a computer program 302 is stored on it, and when the program is executed by a processor it implements the steps of any embodiment of the foregoing program module safety detection method.
Based on the same inventive concept, an embodiment of the present invention provides a computer equipment 400. Referring to Fig. 4, it includes a memory 410, a processor 430, and a computer program 420 that is stored on the memory 410 and can run on the processor 430; when the processor 430 executes the program 420, it implements the steps of any embodiment of the foregoing program module safety detection method.
The device, storage medium and computer equipment introduced in this embodiment are the equipment used to implement the program module safety detection method of the embodiments of the present invention. Based on the program module safety detection method described above, those skilled in the art can understand the specific implementations of the device, storage medium and computer equipment of this embodiment and their various variations, so how the device, storage medium and computer equipment implement the foregoing program module safety detection method is not described in detail here. Any electronic equipment that those skilled in the art use to implement the program module safety detection method of the embodiments of the present invention falls within the scope that the present invention seeks to protect.
The technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:
The importing function name list and the character string list are parsed from the object program module; the importing function name list is checked for importing functions related to log output and for predetermined core functions, the character string list is checked for predetermined character strings, and the judging results are used to decide whether the object program module is safe. Detection is therefore performed on the compiled, or even finally released, object program module, which is transparent to developers, and it can also be carried out without the source code of the program module. Detecting compiled and released program modules without needing to obtain the source code is more convenient and more reliable.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, etc.) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, equipment (system) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Although preferred embodiments of the present invention have been described, those skilled in the art can make additional changes and modifications to these embodiments once they know the basic inventive concept. The appended claims are therefore intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. If these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (10)

1. A program module safety detection method, characterized by comprising:
Parsing an importing function name list and a character string list from an object program module, wherein the importing function name list includes the names of the system functions imported into the object program module, and the character string list includes all character strings in the object program module;
Judging whether the importing function name list contains an importing function related to log output; if it is judged that the importing function name list contains the importing function related to log output, generating a first judging result, otherwise generating a second judging result;
Judging whether the importing function name list contains a predetermined core function; if it is judged that the importing function name list contains the predetermined core function, generating a third judging result, otherwise generating a fourth judging result;
Judging whether the character string list contains a predetermined character string; if it is judged that the character string list contains the predetermined character string, generating a fifth judging result, otherwise generating a sixth judging result;
If at least one of the first judging result, the third judging result and the fifth judging result is generated, determining that the object program module is unsafe.
2. The program module safety detection method according to claim 1, characterized in that parsing the importing function name list and the character string list from the object program module comprises:
Loading the module header information of the object program module into memory, wherein the module header information includes an index to each piece of segment information present in the object program module;
Loading each piece of segment information into the memory according to the index;
Extracting the data content of each piece of segment information from that segment information;
Extracting the importing function name list and the character string list from the data content of each piece of segment information.
3. The program module safety detection method according to claim 1, characterized in that, if the importing function related to log output is a formatted output function for outputting a formatted character string to the terminal, judging whether the importing function name list contains an importing function related to log output comprises:
Reading the name of the first importing function from the importing function name list;
Judging whether the name of the importing function currently read is the name of the formatted output function;
If so, generating the first judging result; otherwise, continuing to read the name of the next importing function from the importing function name list and returning to the step of judging whether the name of the importing function currently read is the name of the formatted output function;
If the name of the last importing function read from the importing function name list is not the name of the formatted output function, generating the second judging result.
4. The program module safety detection method according to claim 1, characterized in that there are multiple predetermined core functions, and judging whether the importing function name list contains a predetermined core function comprises:
Reading the name of the first importing function from the importing function name list;
Judging whether the name of the importing function currently read belongs to the predetermined core functions;
If so, generating the third judging result; otherwise, continuing to read the name of the next importing function from the importing function name list and returning to the step of judging whether the name of the importing function currently read belongs to the predetermined core functions;
If the name of the last importing function read from the importing function name list does not belong to the predetermined core functions, generating the fourth judging result.
5. The program module safety detection method according to claim 4, characterized in that the predetermined core function includes one or more of: a function for outputting a formatted character string to a buffer, and a function for returning the length of a character string.
6. The program module safety detection method according to claim 1, characterized in that judging whether the character string list contains a predetermined character string comprises:
Reading the first character string from the predetermined character string;
Judging whether the character string currently read belongs to the predetermined character string;
If so, generating the fifth judging result; otherwise, continuing to read the next character string from the character string list and returning to the step of judging whether the character string currently read belongs to the predetermined character string;
If the last character string read from the character string list does not belong to the predetermined character string, generating the sixth judging result.
7. The program module safety detection method according to claim 1, characterized in that the predetermined character string includes one or more of: a character string indicating a password, a character string indicating a key, a character string indicating an encryption operation, a character string indicating a decryption operation, a character string indicating an encryption standard, and a character string indicating an encryption algorithm type.
8. A program module safety detection device, characterized by comprising:
A resolution unit, for parsing an importing function name list and a character string list from an object program module, wherein the importing function name list includes the names of the system functions imported into the object program module, and the character string list includes all character strings in the object program module;
A log output judging unit, for judging whether the importing function name list contains an importing function related to log output; if it is judged that the importing function name list contains the importing function related to log output, generating a first judging result, otherwise generating a second judging result;
A core function judging unit, for judging whether the importing function name list contains a predetermined core function; if it is judged that the importing function name list contains the predetermined core function, generating a third judging result, otherwise generating a fourth judging result;
A character string judging unit, for judging whether the character string list contains a predetermined character string; if it is judged that the character string list contains the predetermined character string, generating a fifth judging result, otherwise generating a sixth judging result;
A safety determination unit, for determining that the object program module is unsafe if at least one of the first judging result, the third judging result and the fifth judging result is generated.
9. A computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the steps of any one of claims 1-7.
10. A computer equipment, including a memory, a processor, and a computer program that is stored on the memory and can run on the processor, characterized in that the processor implements the steps of any one of claims 1-7 when executing the program.
CN201710524905.2A 2017-06-30 2017-06-30 Program module security detection method and device Active CN109214179B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710524905.2A CN109214179B (en) 2017-06-30 2017-06-30 Program module security detection method and device


Publications (2)

Publication Number Publication Date
CN109214179A true CN109214179A (en) 2019-01-15
CN109214179B CN109214179B (en) 2021-04-27

Family

ID=64977164

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710524905.2A Active CN109214179B (en) 2017-06-30 2017-06-30 Program module security detection method and device

Country Status (1)

Country Link
CN (1) CN109214179B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1607533A (en) * 2003-07-31 2005-04-20 索尼株式会社 Content distributing system, content distributing method, content distributing server, and terminal unit
US20080028101A1 (en) * 1999-07-13 2008-01-31 Sony Corporation Distribution contents forming method, contents distributing method and apparatus, and code converting method
CN102663286A (en) * 2012-03-21 2012-09-12 奇智软件(北京)有限公司 Method and device for identifying virus APK (android package)
CN102938040A (en) * 2012-09-29 2013-02-20 中兴通讯股份有限公司 Malicious Android application program detection method, system and device
CN102945347A (en) * 2012-09-29 2013-02-27 中兴通讯股份有限公司 Method, system and device for detecting Android malicious software
CN104715199A (en) * 2012-03-21 2015-06-17 北京奇虎科技有限公司 Method and device for identifying viral APK (Android application package file)
CN106203120A (en) * 2016-07-15 2016-12-07 北京邮电大学 A kind of multiple spot Hook reverse method for Android reinforcement application

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110675256A (en) * 2019-08-30 2020-01-10 阿里巴巴集团控股有限公司 Method and device for deploying and executing intelligent contracts
US10783082B2 (en) 2019-08-30 2020-09-22 Alibaba Group Holding Limited Deploying a smart contract
US11010303B2 (en) 2019-08-30 2021-05-18 Advanced New Technologies Co., Ltd. Deploying a smart contract
US11307990B2 (en) 2019-08-30 2022-04-19 Advanced New Technologies Co., Ltd. Deploying a smart contract
CN112632550A (en) * 2021-03-05 2021-04-09 北京邮电大学 Method for detecting application security of password and secret key and electronic equipment thereof
CN112632550B (en) * 2021-03-05 2021-06-29 北京邮电大学 Method for detecting application security of password and secret key and electronic equipment thereof

Also Published As

Publication number Publication date
CN109214179B (en) 2021-04-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant