CN112580032B - File shell identification method and device, storage medium and electronic device - Google Patents

Info

Publication number: CN112580032B
Application number: CN201910943706.4A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN112580032A
Inventor: 吕群
Current assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Qianxin Safety Technology Zhuhai Co Ltd
Legal status: Active (granted)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention provides a method and a device for identifying a file shell, a storage medium and an electronic device, wherein the method comprises the following steps: detecting a family identification of a file shell of the target file; detecting a shell code of the file shell when the family identifier is detected; and identifying the shell type of the file shell according to the shell code. The invention solves the technical problem that only a single file shell can be identified in the related technology, and improves the identification rate of the files with shells.

Description

File shell identification method and device, storage medium and electronic device
Technical Field
The invention relates to the field of network security, in particular to a method and a device for identifying a file shell, a storage medium and an electronic device.
Background
In the related art, a shell is a program section added outside the original program of a file and is generally used to produce file variants, to compress or to encrypt the file, and the like; a shell makes a virus smaller and easier to spread and can distort the virus code so as to evade identification by antivirus software.
Shells include a variety of protection shells. A protection shell in the related art is a code protection technique that keeps a virus from being identified by antivirus software; to detect and remove a protected virus, the work is generally divided into two steps, namely 1) identifying the shell and 2) unpacking (removing the shell). The shell checking tools in the related art are generally targeted shell identifiers that can only detect a fixed type of shell, so shells of other families cannot be identified, and there is a certain probability of misidentification.
In view of the above problems in the related art, no effective solution has been found yet.
Disclosure of Invention
The embodiment of the invention provides a method and a device for identifying a file shell, a storage medium and an electronic device.
According to an embodiment of the present invention, there is provided a method for identifying a file shell, including: detecting a family identification of a file shell of the target file; detecting a shell code of the file shell when the family identifier is detected; and identifying the shell type of the file shell according to the shell code.
Optionally, detecting the family identification of the file shell of the target file includes: identifying the PE structure of the target file; and detecting the family identification of the file shell in the section area of the PE file according to the PE structure.
Optionally, detecting the shell code of the file shell includes: performing disassembly processing on the target file to obtain assembly codes of the target file; dividing the assembly code into a plurality of code segments, wherein each code segment corresponds to a code region; detecting a shell code of the file shell in at least one code segment through a fuzzy matching algorithm; and/or detecting a shell code of the file shell in at least one code segment by a floating-match algorithm.
Optionally, detecting the family identification of the file shell of the target file includes: scanning the feature codes of the target file; judging whether the feature code is matched with a configuration file or not, wherein the configuration file comprises family features of a plurality of file families; determining the feature code as a family identification of the file shell when the feature code matches a family feature of a first family in the configuration file; and when the feature code is not matched with the family features of the first family in the configuration file, sequentially polling the family features matched with the second family in the configuration file until the feature code is determined to be not matched with the family features of all file families in the configuration file.
Optionally, after identifying the shell type of the file shell according to the shell code, the method further comprises at least one of: unshelling the target file according to the shell type; and determining the virus type of the target file according to the shell type.
According to another embodiment of the present invention, there is provided a file shell identification device, including: the first detection module is used for detecting family identification of a file shell of the target file; the second detection module is used for detecting the shell code of the file shell when the family identifier is obtained through detection; and the identification module is used for identifying the shell type of the file shell according to the shell code.
Optionally, the first detection module includes: the identification unit is used for identifying the PE structure of the target file; and the detection unit is used for detecting the family identification of the file shell in the section area of the PE file according to the PE structure.
Optionally, the second detection module includes: the processing unit is used for performing disassembly processing on the target file to obtain assembly codes of the target file; the dividing unit is used for dividing the assembly code into a plurality of code segments, wherein each code segment corresponds to one code region; a detection unit for detecting a shell code of the file shell in at least one code segment through a fuzzy matching algorithm; and/or detecting a shell code of the file shell in at least one code segment by a floating-match algorithm.
Optionally, the first detection module includes: the scanning unit is used for scanning the feature codes of the target file; the judging unit is used for judging whether the feature codes are matched with the configuration files or not, wherein the configuration files comprise family features of a plurality of file families; a determining unit configured to determine the feature code as a family identifier of the file shell when the feature code matches a family feature of a first family in the configuration file; and when the feature code is not matched with the family features of the first family in the configuration file, sequentially polling the family features matched with the second family in the configuration file until the feature code is determined to be not matched with the family features of all file families in the configuration file.
Optionally, the apparatus further comprises at least one of: the shelling module is used for shelling the target file according to the shell type after the identification module identifies the shell type of the file shell according to the shell code; and the determining module is used for determining the virus type of the target file according to the shell type after the identifying module identifies the shell type of the file shell according to the shell code.
According to a further embodiment of the invention, there is also provided a storage medium having stored therein a computer program, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
According to a further embodiment of the invention, there is also provided an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
According to the invention, the family identification of the file shell of the target file is detected, when the family identification is detected, the shell code of the file shell is detected, finally the shell type of the file shell is identified according to the shell code, the family identification of the file shell of the target file is detected first, and then the shell type of the file shell is identified through the shell code, so that various disguised and variant files can be identified, the technical problem that only a single file shell can be identified in the related technology is solved, and the identification rate of the file with the shell is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention and together with the description serve to explain the invention and do not constitute a limitation on the invention. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of an identification computer of a file shell according to an embodiment of the present invention;
FIG. 2 is a flow chart of a method of identifying a file shell according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a PE structure according to an embodiment of the invention;
FIG. 4 is a flow chart of identifying a file shell according to an embodiment of the present invention;
fig. 5 is a block diagram of a file shell identification apparatus according to an embodiment of the present invention.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
It should be noted that the terms "first," "second," and the like in the description and claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method embodiment provided in the first embodiment of the present application may be executed in a mobile terminal, a processor, a server, a computer, or a similar computing device. Taking a computer as an example, fig. 1 is a block diagram of a hardware structure of a file shell identification computer according to an embodiment of the present invention. As shown in fig. 1, the computer 10 may include one or more (only one is shown in fig. 1) processors 102 (the processor 102 may include, but is not limited to, a microprocessor MCU or a processing device such as a programmable logic device FPGA) and a memory 104 for storing data, and optionally, a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those of ordinary skill in the art that the configuration shown in FIG. 1 is merely illustrative and is not intended to limit the configuration of the computer described above. For example, computer 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program of application software and a module, such as a computer program corresponding to a method for identifying a file shell in an embodiment of the present invention, and the processor 102 executes the computer program stored in the memory 104 to perform various functional applications and data processing, that is, implement the method described above. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to computer 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 106 is arranged to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communications provider of computer 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
In this embodiment, a method for identifying a file shell is provided, and fig. 2 is a flowchart of a method for identifying a file shell according to an embodiment of the present invention, as shown in fig. 2, where the flowchart includes the following steps:
step S202, detecting family identification of a file shell of a target file;
the object file of this embodiment may be a file to be detected in any format, such as a program, a text, an executable file (. Exe), a command file (. Com), a resource in an unknown format, etc., and the file shell may be a protection shell, a compression shell, an encryption shell, a virtual shell, etc. of the source code, which is a program segment attached to the front of the program.
Step S204, detecting a shell code of a file shell when the family identifier is detected;
the family identifier of the file shell in this embodiment is used to characterize the family to which the shell belongs, and corresponds to the developer, provider, development language, shell adding tool, etc. of the shell, such as JS shell, RAR shell, shell with virus disguised on the original file, etc., and the shell code is the content of the file shell.
Step S206, identifying the shell type of the file shell according to the shell code.
Through the above steps, the family identification of the file shell of the target file is detected first; when it is detected, the shell code of the file shell is detected, and finally the shell type of the file shell is identified according to the shell code. Because the family identification is detected first and the shell type is then identified through the shell code, various disguised and variant files can be identified, the technical problem that only a single file shell can be identified in the related technology is solved, and the identification rate of shelled files is improved.
The present embodiment may detect the family identification of the file shell in a variety of ways. In one implementation of this embodiment, detecting the family identification of the file shell of the target file includes:
s11, identifying a Portable Executable (PE) structure of the target file;
s12, detecting the family identification of the file shell in the section area of the PE file according to the PE structure.
The target file is or includes a PE file. PE file is the generic name for executable files under Windows; common PE files have suffixes such as DLL, EXE, OCX and SYS, but a PE file may have any extension.
FIG. 3 is a schematic diagram of a PE file structure according to an embodiment of the invention, wherein the PE file structure is shown as DOS (disk operating system) header, NT header, section table and specific sections in order from the start position.
Wherein:
The DOS header exists for compatibility with the MS-DOS operating system, so that a message can be displayed when the file is run on MS-DOS, and it also indicates the location of the NT header in the file.
The NT header contains the main information of the Windows PE file, including the 'PE' signature, the PE header (IMAGE_FILE_HEADER) and the PE optional header (IMAGE_OPTIONAL_HEADER32); the detailed structure of these headers and the meaning of each field are described in the PE header documentation.
Section table: is a description of a subsequent section of the PE file, and windows loads each section according to the description of the section table.
Section: each section is actually a container, and may contain code, data, etc., each section may have independent memory rights, for example, the code section defaults to read/execute rights, and the name and number of sections may be customized.
In another implementation of the present embodiment, detecting the family identification of the file shell of the target file includes:
s21, scanning the feature codes of the target file;
s22, judging whether the feature codes are matched with configuration files, wherein the configuration files comprise family features of a plurality of file families;
s23, determining the feature code as the family identifier of the file shell when the feature code matches the family feature of the first family in the configuration file; and, when the feature code does not match the family features of the first family, sequentially polling the family features of the second and subsequent families in the configuration file until either a match is found or the feature code is determined not to match the family features of any file family in the configuration file. If the feature code matches none of the file families in the configuration file, the family identification of the file shell of the target file is deemed undetected.
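As an added example (not the patent's own code), the following Python walks the PE structure described above from the DOS header to the section table and polls the section names against a family configuration in the order of steps S21 to S23. The configuration, the family names and the sample PE header image are constructed for the example and are not the patent's data.

```python
import struct

# Constructed family configuration (an assumption, not the patent's data):
# family name -> section-name markers that identify the shell family.
# A real configuration would carry the markers of real packer families.
FAMILY_CONFIG = {
    "FamilyA": ["FAMA0", "FAMA1"],
    "FamilyB": [".fmb"],
}


def parse_section_names(data: bytes) -> list:
    """Walk DOS header -> e_lfanew -> NT headers -> section table; return section names."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    # e_lfanew (offset 0x3C of the DOS header) is the file offset of the NT headers.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2), NumberOfSections(2),
    # TimeDateStamp(4), PointerToSymbolTable(4), NumberOfSymbols(4),
    # SizeOfOptionalHeader(2), Characteristics(2).
    file_header = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", data, file_header + 2)
    # The section table starts immediately after the optional header.
    table = file_header + 20 + opt_size
    names = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is its first 8
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        raw = data[off:off + 8].split(b"\0", 1)[0]
        names.append(raw.decode("ascii", "replace"))
    return names


def detect_family(data: bytes, config=FAMILY_CONFIG):
    """Poll the families in configuration order (S21-S23); return (family, marker) or None."""
    names = parse_section_names(data)
    for family, markers in config.items():
        for marker in markers:
            if marker in names:
                return family, marker
    return None  # no family feature matched: family identification undetected


def build_sample_pe(section_names) -> bytes:
    """Construct a minimal PE header image with the given section names.
    Test scaffolding only: the image is not a loadable program."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # size of IMAGE_OPTIONAL_HEADER32
    file_header = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    table = b"".join(n.encode("ascii").ljust(8, b"\0")[:8] + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + file_header + optional + table


if __name__ == "__main__":
    sample = build_sample_pe([".text", "FAMA0", "FAMA1", ".rsrc"])
    print(parse_section_names(sample))
    print(detect_family(sample))  # ('FamilyA', 'FAMA0')
```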
In this embodiment, the feature code may be scanned at the mask location or other locations of the target file. The feature code of the scanning target file comprises: scanning the feature codes of the target file through a fuzzy matching algorithm; and/or scanning the feature codes of the target file through a floating matching algorithm.
The fuzzy matching algorithm of this embodiment differs from a precise matching algorithm: fuzzy matching automatically splits the keyword into unit concepts and combines them with a logical AND operation, first searching for an identical match (precise matching) and, when none is found, falling back to an approximate match of the feature code (the threshold can be set). The floating matching algorithm scans by floating keywords, their positions, their sequence and combination mode, and the floating matching rule, so as to achieve wildcard matching of the feature codes.
In this embodiment, detecting the shell code of the file shell includes: performing disassembly processing on the target file to obtain an assembly code of the target file; dividing assembly codes into a plurality of code segments, wherein each code segment corresponds to one code region; detecting a shell code of the file shell in at least one code segment through a fuzzy matching algorithm; and/or detecting the shell code of the file shell in at least one code segment by a floating-match algorithm. The shell code of this embodiment may also be detected in the section.
The fuzzy matching algorithm of this embodiment differs from a precise matching algorithm: fuzzy matching automatically splits the keyword into unit concepts and combines them with a logical AND operation, first searching for an identical match and, when none is found, falling back to an approximate match (the threshold value can be set). The floating matching algorithm matches by floating keywords and rules.
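The fuzzy and floating matching rules described above for the feature codes and here for the shell code, carried out over divided code segments, as an added example rather than the patent's implementation. It assumes the target file has already been disassembled into one instruction string per line; the signatures, shell type names and listings are constructed by hand for the example.

```python
import re
from dataclasses import dataclass, field


def normalise(instr: str) -> str:
    """Lower-case an instruction and replace immediates/addresses with 'imm',
    so that re-linked or slightly varied shell stubs still match."""
    return re.sub(r"0x[0-9a-f]+", "imm", instr.strip().lower())


@dataclass
class ShellSignature:
    shell_type: str
    # Fuzzy rule: the keyword is split into unit instructions joined by logical AND.
    # A precise match needs every unit; otherwise the fraction found must reach the threshold.
    fuzzy_units: list
    fuzzy_threshold: float = 1.0
    # Floating rule: keywords that must occur in this order, each within max_gap
    # instructions of the previous one, starting at any position in the segment.
    floating_keywords: list = field(default_factory=list)
    max_gap: int = 4


def split_segments(listing, size):
    """Divide the disassembly into code segments; each corresponds to one code region."""
    return [listing[i:i + size] for i in range(0, len(listing), size)]


def fuzzy_match(segment, sig) -> bool:
    if not sig.fuzzy_units:
        return False
    present = {normalise(i) for i in segment}
    hits = sum(1 for unit in sig.fuzzy_units if normalise(unit) in present)
    if hits == len(sig.fuzzy_units):
        return True  # precise match: every unit found
    return hits / len(sig.fuzzy_units) >= sig.fuzzy_threshold  # approximate match


def floating_match(segment, sig) -> bool:
    if not sig.floating_keywords:
        return False
    seg = [normalise(i) for i in segment]
    kws = [normalise(k) for k in sig.floating_keywords]
    for start, instr in enumerate(seg):
        if not instr.startswith(kws[0]):
            continue
        pos = start
        for kw in kws[1:]:
            window = range(pos + 1, min(pos + 1 + sig.max_gap, len(seg)))
            pos = next((j for j in window if seg[j].startswith(kw)), None)
            if pos is None:
                break
        else:
            return True  # every keyword found in order within its gap
    return False


def scan_segments(listing, signatures, segment_size=8):
    """Return {shell_type: [(segment_index, rule), ...]} across all segments,
    so the verdict rests on several code regions rather than a single one."""
    evidence = {}
    for idx, seg in enumerate(split_segments(listing, segment_size)):
        for sig in signatures:
            if fuzzy_match(seg, sig):
                evidence.setdefault(sig.shell_type, []).append((idx, "fuzzy"))
            if floating_match(seg, sig):
                evidence.setdefault(sig.shell_type, []).append((idx, "floating"))
    return evidence


def identify_shell_type(listing, signatures, segment_size=8):
    """Shell type with the most supporting (segment, rule) pairs, or None."""
    evidence = scan_segments(listing, signatures, segment_size)
    if not evidence:
        return None
    return max(evidence, key=lambda t: len(evidence[t]))


# Constructed signatures and listings (assumptions, not the patent's data).
SIGNATURES = [
    ShellSignature("ShellTypeA",
                   fuzzy_units=["pushad", "mov esi, 0x0", "lea edi, [esi-0x0]"],
                   fuzzy_threshold=0.6,
                   floating_keywords=["pushad", "mov esi", "lea edi", "push edi"], max_gap=3),
    ShellSignature("ShellTypeB",
                   fuzzy_units=["pushfd", "pushad", "call 0x0"],
                   fuzzy_threshold=0.8,
                   floating_keywords=["pushfd", "pushad", "call"], max_gap=2),
]
SAMPLE_LISTING = [  # a packer-like unpacking stub, constructed by hand
    "pushad", "mov esi, 0x401000", "lea edi, [esi-0x1000]", "push edi",
    "jmp 0x40102a", "nop", "mov al, [esi]", "inc esi",
    "mov [edi], al", "inc edi", "add ebx, ebx", "jnz 0x401030",
    "mov ebx, [esi]", "sub esi, -0x4", "adc ebx, ebx", "jc 0x401020",
    "popad", "jmp 0x402000",
]
# A variant: one instruction replaced, so only the approximate fuzzy path fires.
VARIANT_LISTING = SAMPLE_LISTING[:2] + ["mov edi, esi"] + SAMPLE_LISTING[3:]
CLEAN_LISTING = ["push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x401500",
                 "mov esp, ebp", "pop ebp", "ret"]

if __name__ == "__main__":
    print(identify_shell_type(SAMPLE_LISTING, SIGNATURES), scan_segments(SAMPLE_LISTING, SIGNATURES))
    print(identify_shell_type(VARIANT_LISTING, SIGNATURES), scan_segments(VARIANT_LISTING, SIGNATURES))
    print(identify_shell_type(CLEAN_LISTING, SIGNATURES))
```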
In this embodiment, after the shell type of the file shell is identified according to the shell code, further processing may be performed on the target file, for example, labeling the shell type to facilitate sample classification, or determining the attribute of the target file according to the shell type, for example, whether the target file is a compressed package, whether the target file is a virus, etc., which may be, but not limited to: shelling the target file according to the type of the shell; and determining the virus type of the target file according to the shell type.
In this embodiment, shell identification is performed heuristically with data for multiple shell families, so that the shortcoming of single-shell checking can be overcome and the shell type can be identified as far as possible. FIG. 4 is a flowchart of identifying a file shell according to an embodiment of the present invention: by scanning, it is first detected whether a shell family name is present in a section; if it is, it is then detected whether the shell code is present in the code; and finally the type of the shell family is identified.
A heuristic scan is performed for each shell using the unique features of its family. Identification proceeds along two dimensions: the section (node) name in the PE structure, and the shell code features. The heuristic identification of this embodiment refers to matching by techniques such as fuzzy code matching and floating matching. No single code region is selected; instead, a plurality of code segments is judged jointly. The shell identification and checking capability thus achieves a high identification rate, so that the subsequent unpacking process can be carried out and the ability of antivirus software to detect and remove Trojan horse viruses is improved.
From the description of the above embodiments, it will be clear to a person skilled in the art that the method according to the above embodiments may be implemented by means of software plus the necessary general hardware platform, but of course also by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present invention.
Example 2
The embodiment also provides an identification device for a file shell, which is used for implementing the above embodiment and the preferred implementation, and is not described in detail. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 5 is a block diagram of a file shell identification apparatus according to an embodiment of the present invention; as shown in fig. 5, the apparatus includes a first detection module 50, a second detection module 52 and an identification module 54, wherein:
a first detection module 50, configured to detect a family identifier of a file shell of the target file;
a second detecting module 52, configured to detect a shell code of the file shell when the family identifier is detected;
and an identification module 54 for identifying the shell type of the file shell according to the shell code.
Optionally, the first detection module includes: the identification unit is used for identifying the PE structure of the target file; and the detection unit is used for detecting the family identification of the file shell in the section area of the PE file according to the PE structure.
Optionally, the second detection module includes: the processing unit is used for performing disassembly processing on the target file to obtain assembly codes of the target file; the dividing unit is used for dividing the assembly code into a plurality of code segments, wherein each code segment corresponds to one code region; a detection unit for detecting a shell code of the file shell in at least one code segment through a fuzzy matching algorithm; and/or detecting a shell code of the file shell in at least one code segment by a floating-match algorithm.
Optionally, the first detection module includes: the scanning unit is used for scanning the feature codes of the target file; the judging unit is used for judging whether the feature codes are matched with the configuration files or not, wherein the configuration files comprise family features of a plurality of file families; a determining unit configured to determine the feature code as a family identifier of the file shell when the feature code matches a family feature of a first family in the configuration file; and when the feature code is not matched with the family features of the first family in the configuration file, sequentially polling the family features matched with the second family in the configuration file until the feature code is determined to be not matched with the family features of all file families in the configuration file.
Optionally, the apparatus further comprises at least one of: the shelling module is used for shelling the target file according to the shell type after the identification module identifies the shell type of the file shell according to the shell code; and the determining module is used for determining the virus type of the target file according to the shell type after the identifying module identifies the shell type of the file shell according to the shell code.
It should be noted that each of the above modules may be implemented by software or hardware, and for the latter, it may be implemented by, but not limited to: the modules are all located in the same processor; alternatively, the above modules may be located in different processors in any combination.
Example 3
An embodiment of the invention also provides a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the method embodiments described above when run.
Alternatively, in the present embodiment, the above-described storage medium may be configured to store a computer program for performing the steps of:
s1, detecting a family identifier of a file shell of a target file;
s2, detecting a shell code of the file shell when the family identifier is obtained through detection;
s3, identifying the shell type of the file shell according to the shell code.
Alternatively, in the present embodiment, the storage medium may include, but is not limited to: a usb disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing a computer program.
An embodiment of the invention also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
Alternatively, in the present embodiment, the above-described processor may be configured to execute the following steps by a computer program:
s1, detecting a family identifier of a file shell of a target file;
s2, detecting a shell code of the file shell when the family identifier is obtained through detection;
s3, identifying the shell type of the file shell according to the shell code.
Alternatively, specific examples in this embodiment may refer to examples described in the foregoing embodiments and optional implementations, and this embodiment is not described herein.
The foregoing embodiment numbers of the present application are merely for describing, and do not represent advantages or disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technical content may be implemented in other manners. The apparatus embodiments described above are merely exemplary: the division into units is merely a division by logical function and may be done differently in practice; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Further, the couplings, direct couplings or communication connections shown or discussed may be realized through interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in hardware or as a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as a stand-alone product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part contributing to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. The aforementioned storage medium includes: a USB disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
The foregoing is merely a preferred embodiment of the present application. It should be noted that those skilled in the art may make modifications and adaptations without departing from the principles of the present application, and such modifications and adaptations are intended to fall within the scope of the present application.

Claims (6)

1. A method for identifying a file shell, comprising:
detecting a family identifier of a file shell of a target file;
detecting a shell code of the file shell when the family identifier is detected;
identifying a shell type of the file shell according to the shell code;
wherein detecting the family identifier of the file shell of the target file comprises:
scanning a feature code of the target file;
wherein scanning the feature code of the target file comprises:
scanning at the mask position or at other positions of the target file to obtain the feature code;
scanning the feature code of the target file through a fuzzy matching algorithm and/or scanning the feature code of the target file through a floating matching algorithm;
wherein detecting the family identifier of the file shell of the target file comprises:
identifying a portable executable (PE) structure of the target file;
detecting the family identifier of the file shell in a section area of the PE file according to the PE structure;
wherein detecting the shell code of the file shell comprises:
disassembling the target file in the section area to obtain assembly code of the target file;
dividing the assembly code into a plurality of code segments, wherein each code segment corresponds to a code region;
detecting the shell code of the file shell in at least one code segment through a fuzzy matching algorithm; and/or detecting the shell code of the file shell in at least one code segment through a floating matching algorithm.
2. The method of claim 1, wherein after scanning the feature code of the target file, the method further comprises:
judging whether the feature code matches a configuration file, wherein the configuration file comprises family features of a plurality of file families;
determining the feature code to be the family identifier of the file shell when the feature code matches the family features of a first family in the configuration file; and, when the feature code does not match the family features of the first family in the configuration file, sequentially polling whether the feature code matches the family features of a second family in the configuration file, and so on, until it is determined that the feature code matches the family features of none of the file families in the configuration file.
3. The method of claim 1, wherein after identifying the shell type of the file shell based on the shell code, the method further comprises at least one of:
unshelling the target file according to the shell type;
and determining the virus type of the target file according to the shell type.
4. A device for identifying a file shell, comprising:
a first detection module, configured to detect a family identifier of a file shell of a target file;
a second detection module, configured to detect a shell code of the file shell when the family identifier is detected;
an identification module, configured to identify a shell type of the file shell according to the shell code;
wherein the first detection module includes: a scanning unit, configured to scan a feature code of the target file;
wherein the scanning unit is configured to scan at the mask position or at other positions of the target file to obtain the feature code, and to scan the feature code of the target file through a fuzzy matching algorithm and/or through a floating matching algorithm;
wherein the first detection module includes:
an identification unit, configured to identify a portable executable (PE) structure of the target file;
a detection unit, configured to detect the family identifier of the file shell in a section area of the PE file according to the PE structure;
wherein the second detection module includes:
a processing unit, configured to disassemble the target file in the section area to obtain assembly code of the target file;
a dividing unit, configured to divide the assembly code into a plurality of code segments, wherein each code segment corresponds to one code region;
a detection unit, configured to detect the shell code of the file shell in at least one code segment through a fuzzy matching algorithm and/or to detect the shell code of the file shell in at least one code segment through a floating matching algorithm.
5. A storage medium having a computer program stored therein, wherein the computer program is arranged to perform the method of any of claims 1 to 3 when run.
6. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to run the computer program to perform the method of any of claims 1 to 3.
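The two-stage identification the claims describe (a family identifier found by scanning a feature code at a mask position, then the family's shell code searched for in code segments of the section area), as an added Python example that is not the patent's or the applicant's code. Family names, mask offsets, feature codes, signatures, the segment size and the sample header and section are all constructed; modelling the fuzzy match as wildcard bytes and the floating match as a signature search at any offset inside a segment is an assumption, since the patent does not define those algorithms.

```python
import re
# Constructed family configuration (claim 2's "configuration file"): per family,
# the feature code expected at its mask offset and the shell-code signatures that
# tell packer versions apart. Signatures are bytes regexes: "." under re.DOTALL is
# a wildcard byte (fuzzy match) and re.search accepts any offset (floating match).
FAMILIES = {
    "fam_A": {"mask_offset": 0x40, "feature": b"PK_A",
              "shells": {"A-v1": rb"\x60\xbe....\x8d\xbe",
                         "A-v2": rb"\x60\xe8\x00\x00\x00\x00\x5d"}},
    "fam_B": {"mask_offset": 0x80, "feature": b"PK_B",
              "shells": {"B-v1": rb"\x55\x8b\xec\x83\xc4..\x53"}},
}
SEGMENT_SIZE = 64  # assumed code-segment length
OVERLAP = 16       # >= longest signature, so a stub straddling a boundary is kept

def detect_family(header):
    """Stage 1: poll families in order (claim 2); return the first whose feature
    code sits at its mask offset or, failing that, at any other position."""
    for name, fam in FAMILIES.items():
        off, feat = fam["mask_offset"], fam["feature"]
        if header[off:off + len(feat)] == feat or feat in header:
            return name
    return None

def split_segments(section):
    """Overlapping fixed-size code segments (the patent splits disassembled code; raw bytes here)."""
    return [section[i:i + SEGMENT_SIZE + OVERLAP]
            for i in range(0, len(section), SEGMENT_SIZE)]

def detect_shell(section, family):
    """Stage 2: run the family's shell signatures over every code segment."""
    for shell, sig in FAMILIES[family]["shells"].items():
        pat = re.compile(sig, re.DOTALL)
        if any(pat.search(seg) for seg in split_segments(section)):
            return shell
    return None

def identify(header, section):
    """Stage 2 runs only when stage 1 produced a family identifier."""
    family = detect_family(header)
    if family is None:
        return None, None
    return family, detect_shell(section, family)

# Constructed sample: a 256-byte header with fam_A's feature at 0x40, and a code
# section whose entry stub (60 be ?? ?? ?? ?? 8d be) starts at offset 70.
HEADER = bytes(0x40) + b"PK_A" + bytes(0x100 - 0x44)
STUB = b"\x60\xbe\x00\x10\x40\x00\x8d\xbe"
SECTION = bytes(70) + STUB + bytes(50)
```

Because the segments overlap by OVERLAP bytes, a stub that straddles a segment boundary (for example one starting at offset 60) is still found; without the overlap the split would cut the signature in two.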

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910943706.4A CN112580032B (en) 2019-09-30 2019-09-30 File shell identification method and device, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN112580032A CN112580032A (en) 2021-03-30
CN112580032B (en) 2023-06-06

Family ID: 75116838

Country Status (1)

Country Link
CN (1) CN112580032B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant