CN113132421B - File detection method, device, terminal and storage medium - Google Patents


Info

Publication number: CN113132421B
Authority: CN (China)
Prior art keywords: file, characteristic value, application program, target application, loaded
Legal status: Active
Application number: CN201911390031.1A
Other languages: Chinese (zh)
Other versions: CN113132421A
Inventors: 韩帅, 闻迪桉, 傅建明, 刘畅, 邱若男
Current assignee: Wuhan University WHU; Guangdong Oppo Mobile Telecommunications Corp Ltd
Original assignee: Wuhan University WHU; Guangdong Oppo Mobile Telecommunications Corp Ltd
Application filed by Wuhan University WHU and Guangdong Oppo Mobile Telecommunications Corp Ltd.
Priority to CN201911390031.1A; published as CN113132421A; application granted and published as CN113132421B.

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 67/00 Network arrangements or protocols for supporting network services or applications › H04L 67/01 Protocols › H04L 67/06 Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 8/00 Arrangements for software engineering › G06F 8/60 Software deployment › G06F 8/61 Installation
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 9/00 Arrangements for program control, e.g. control units › G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F 9/44 Arrangements for executing specific programs › G06F 9/445 Program loading or initiating › G06F 9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F 9/00 Arrangements for program control, e.g. control units › G06F 9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs › G06F 9/44 Arrangements for executing specific programs › G06F 9/445 Program loading or initiating › G06F 9/44568 Immediately runnable code › G06F 9/44578 Preparing or optimising for loading
    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 43/00 Arrangements for monitoring or testing data switching networks › H04L 43/50 Testing arrangements

Abstract

The embodiment of the application provides a file detection method, a file detection device, a terminal and a storage medium. The method comprises the following steps: acquiring a storage path of a first file through a library file loading function; when a first file is loaded from a storage path of the first file, acquiring a characteristic value of the first file; if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application program. In the embodiment of the application, whether the loaded file is the file downloaded from the network in the running process of the application program can be detected in real time, so that a basis is provided for subsequent security detection, and the application program can be further guaranteed to run efficiently and safely.

Description

File detection method, device, terminal and storage medium
Technical Field
The embodiment of the application relates to the technical field of terminals, in particular to a file detection method, a file detection device, a file detection terminal and a storage medium.
Background
At present, in order to make an application lighter, part of support files required for running the application are not encapsulated in an installation package of the application, but are stored in a cloud (e.g., a background server corresponding to the application).
In the related art, when the support file stored in the cloud is needed to be used in the running process of the application program, the terminal downloads the required support file from the cloud in real time.
Disclosure of Invention
The embodiment of the application provides a file detection method, a file detection device, a terminal and a storage medium. The technical scheme is as follows:
in a first aspect, a file detection method is provided, where the method includes:
acquiring a storage path of the first file through a library file loading function;
when the first file is loaded from the storage path of the first file, acquiring a characteristic value of the first file;
if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application.
In a second aspect, there is provided a file detection apparatus, the apparatus comprising:
the path acquisition module is used for acquiring a storage path of the first file through a library file loading function;
the characteristic value acquisition module is used for acquiring the characteristic value of the first file when the first file is loaded from the storage path of the first file;
the file detection module is used for determining that the first file is a file downloaded from a network in the running process of the target application program if the characteristic value of the second file is not the same as the characteristic value of the first file; wherein the second file is a file included in an installation package of the target application.
In a third aspect, a terminal is provided, where the terminal includes a processor and a memory, and the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the file detection method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, in which at least one instruction is stored, the instruction being loaded and executed by a processor to implement the file detection method according to the first aspect.
The technical scheme provided by the embodiment of the application can bring the beneficial effects of at least comprising:
when the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If every characteristic value of the files included in the installation package differs from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program was downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and further ensures that the application program runs efficiently and safely.
Drawings
FIG. 1 is a schematic diagram of a file loading flow shown in an exemplary embodiment of the present application;
FIG. 2 is a flowchart of a file loading method shown in an exemplary embodiment of the present application;
FIG. 3 is a flowchart of a file loading method, shown in another exemplary embodiment of the present application;
FIG. 4 is a block diagram illustrating a file loading apparatus according to an exemplary embodiment of the present application;
fig. 5 is a block diagram of a terminal according to an exemplary embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
The application program is usually subjected to security verification during installation, so that the file stored locally in the terminal is usually secure, but the file downloaded from the network during the operation of the application program is not subjected to security verification, so that certain risks exist. Whether the file loaded in the running process of the application program is the file downloaded from the network or not is detected, and then targeted security detection is carried out, so that the application program can be guaranteed to run efficiently and safely, and the related technology does not provide the detection scheme.
According to the technical scheme provided by the embodiment of the application, when the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If every characteristic value of the files included in the installation package differs from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the operation process of the application program. Whether a file loaded in the operation process of the application program was downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and further ensures that the application program operates efficiently and safely.
During the running process of an application program, loading a file generally involves an application (Java) layer, a service (Native) layer and a kernel layer. In the embodiment of the application, file detection is performed on the loaded file at the Java layer, so only the file loading process of the Java layer is explained below, with reference to the calling sequence of the Java layer functions shown in FIG. 1.
Step 101, a Load function is called.
The Load function is used for acquiring a storage path of a file to be loaded. It should be noted that the storage path obtained by the Load function is an absolute path, that is, a path from the root directory at the top of the tree directory structure to a certain directory or file. Illustratively, the absolute path of the file to be loaded is c:/website/index.
Step 102, a LoadLibrary function is called.
The LoadLibrary function is used for acquiring the file name of the file to be loaded. It should be noted that the file name here does not include the suffix of the file to be loaded. Illustratively, if the file to be loaded is 123.so, the file name obtained by calling the mapLibraryName function is "123". It should be noted that the LoadLibrary function can only load a file under a specified path, where the specified path is apk/lib.
The LoadLibrary function calls the VMStack.getCallingClassLoader function with its parameter to obtain the class loader of the file to be loaded. The file name of the file to be loaded and the class loader are then passed to the LoadLibrary0 function.
Step 103, detecting whether the class loader is empty.
If the class loader is empty, steps 104-105 are performed, and if the class loader is not empty, steps 106-107 are performed.
Step 104, call the mapLibraryName function.
The mapLibraryName function is used to obtain the file name of the file to be loaded.
Step 105, call the getLibPaths function.
The getLibPaths function is used to obtain the system native library path.
Step 106, call the findLibrary function.
The findLibrary function calls the mapLibraryName function to add the suffix to the name of the file to be loaded, thereby obtaining the complete name of the file to be loaded.
Step 107, call the findNativeLibrary function.
The findNativeLibrary function traverses the nativeLibraryPathElements array to obtain the storage path of the file to be loaded.
It should be noted that the terminal may execute only step 101, may execute steps 102 to 105, and may execute steps 102 to 103 and 106 to 107, which is not limited in this embodiment of the present application.
Step 108, call the doLoad function.
The doLoad function is used for loading the file to be loaded.
Step 109, call the getLdLibraryPath function.
The getLdLibraryPath function is used for acquiring the storage path of the dynamic library file. This storage path is passed into the Native layer as the parameter LibrarySearchPath, and the Native load function is then called to enter the Native layer.
Referring to fig. 2, a flowchart of a file detection method according to an exemplary embodiment of the present application is shown. The method can be applied to a target application program in the terminal. The method comprises the following steps:
step 201, a storage path of a first file is obtained through a library file loading function.
The first file refers to a file loaded during the running process of the target application program. Alternatively, the first file may be a preset type of file. Illustratively, the first file is a shared library (so) file. The storage path of the first file is also the local storage location of the first file in the terminal.
The library file loading function is used for acquiring a storage path of the first file. Optionally, the library file loading function is a Load function or a LoadLibrary function in the embodiment of fig. 1, where the Load function and the LoadLibrary function are entries of a file loading process, and when the Load function and the LoadLibrary function are called, the file loading process starts to be started. The specific implementation manner of obtaining the storage path of the first file through the library file loading function may refer to the related explanation of the embodiment shown in fig. 1, which is not described herein again.
Step 202, when the first file is loaded from the storage path of the first file, the characteristic value of the first file is obtained.
After the target application program acquires the storage path of the first file, it loads the first file from that storage path. Alternatively, the target application loads the first file by calling the doLoad function in the embodiment shown in fig. 1. The characteristic value of the first file is used to uniquely identify the first file. Optionally, the characteristic value of the first file is a hash value of the first file, such as a SHA-256 hash value.
Optionally, the target application acquires the feature value of the first file by:
step 202a, when the first file is loaded, obtaining the running information of the target application program.
The running information of the target application program is used for recording the running process of the target application program. The operation information of the target application generally includes the following contents: stack information, process information, library file information, and the like.
Step 202b, reading the operation parameters from the operation information.
The operating parameters include one or more of the following: stack information, a user identifier of the target process, a file name of the first file, and a storage path of the first file. It should be noted that the library file name here is the file name of the first file, and the library file path here is the storage path of the first file. The terminal acquires the stack information by executing the getStackTrace function, obtains the user identifier of the process through the getuid function, obtains the library file name from the name parameter, and acquires the library file path through the getLdLibraryPath function.
Step 202c, obtaining the first file according to the operation parameters.
After the target application program obtains the operation parameters, the first file can be uniquely identified and obtained from them.
Step 202d, calculating a feature value of the first file.
The terminal reads the content of the first file and processes it with a preset function to obtain the characteristic value of the first file. The preset function may be a hash function. The hash function compresses the body content of the first file into a digest that distinguishes the first file from other files, i.e. the hash value of the first file.
Step 203, if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program.
The second file is a file included in an installation package of the target application. The target application is an application running on the terminal, and may be a system application or a third-party application. Since the system application is generally trusted, in the embodiment of the present application, the target application is only described as a third party application.
And if the characteristic value of the second file is the same as that of the first file, determining that the first file is not a file downloaded from a network in the running process of the target application program but a file included in an installation package of the target application program.
In the embodiment of the application, when a file is loaded in the running process of an application program (the file is loaded through the doLoad function), monitoring is added to obtain the characteristic value of the file, and the characteristic value of the file is compared with the characteristic values of the files included in the installation package of the application program to detect whether the file was downloaded from the network, so that subsequent security verification can be performed.
Optionally, the terminal detects whether a preset characteristic value list includes the characteristic value of the first file. If the preset characteristic value list includes the characteristic value of the first file, it is determined that the characteristic value of the second file is the same as the characteristic value of the first file; if the preset characteristic value list does not include the characteristic value of the first file, it is determined that the characteristic value of the second file is not the same as the characteristic value of the first file.
The preset feature value list includes feature values of the second file. The preset feature value list may include feature values of files included in an installation package of one application program, or may include feature values of files included in installation packages of a plurality of application programs. When the preset characteristic value list comprises a characteristic value of a file included in an installation package of an application program, the terminal firstly obtains the preset characteristic value list corresponding to the target application program, and then detects whether the preset characteristic value list corresponding to the target application program comprises the characteristic value of the first file or not.
To sum up, according to the technical solution provided in the embodiment of the present application, when the application program loads a file, the feature value of the loaded file is compared with the feature values of the files included in the installation package of the application program. If every feature value of the files included in the installation package differs from the feature value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program was downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and thereby ensures that the application program runs efficiently and safely.
In the above embodiment, it is mentioned that, by comparing whether the feature value of the first file exists in the preset feature value list, it is determined whether the first file is a file downloaded from the network during the running of the target application program. The following explains the acquisition process of the preset feature value list. In an alternative embodiment provided based on the embodiment shown in fig. 2, before step 203, the file detection method further comprises the following steps.
Step 204, when the target application program is installed, reading the characteristic value of the second file from the specified file included in the installation package of the target application program.
A specified file exists in the installation package of the target application program, and the specified file is used for recording the characteristic values of the files included in the installation package of the target application program. Optionally, the specified file is a MANIFEST.MF file.
Optionally, when the target application program is installed, the feature value of the second file is read from the specified file included in the installation package of the target application program by calling a preset function. Optionally, the preset function is the getmapackageinfo function.
Step 205, storing the characteristic value of the second file into a preset characteristic value list.
The terminal adds the read characteristic value of the second file to the preset characteristic value list. As introduced in step 204, the terminal may read the feature value of the second file through the getmapackageinfo function; the developer may add code implementing a write function to the getmapackageinfo function and store the feature value of the second file into the preset feature value list through that write function, which saves development cost.
In the embodiment of fig. 2, the preset feature value list may include the feature values of the files included in the installation package of one application program, or may include the feature values of the files included in the installation packages of a plurality of application programs. When each preset feature value list holds the feature values of one application program's installation package, there are usually several such lists, one per application program; when a single preset feature value list holds the feature values of the installation packages of a plurality of application programs, there is usually only one such list.
A compressed file is a file produced by compression software: the software searches for repeated byte sequences in the original file, builds a dictionary of those sequences, and replaces the repeated bytes with codes to obtain the compressed file. The compressed file may be a file with a jar, apk or zip suffix.
Because the content of a compressed file differs from that of the original file, their corresponding characteristic values also differ. When a compressed file is included in the installation package of an application program, the specified file does not usually record the characteristic values of the files inside the compressed file. In order to make the feature values recorded in the preset feature value list more comprehensive, the file detection method may further include the following steps:
step 206, when the target application program is installed, if the installation package of the target application program includes the compressed file, decompressing the compressed file to obtain a third file.
The decompression process is the inverse of the compression process, i.e., the compressed file is restored to the original file. In the embodiment of the application, the terminal decompresses the compressed file in the installation package of the target application program to obtain a third file.
When the compressed file has a jar or apk suffix, decompressing it yields a plurality of files, which also include a specified file (such as a MANIFEST.MF file) recording the characteristic values of the files included in the compressed file; when the compressed file has a zip suffix, decompressing it yields only one file, and no specified file recording that file's characteristic value is obtained.
And step 207, acquiring the characteristic value of the third file, and storing the characteristic value of the third file into a preset characteristic value list.
When the compressed file has a jar or apk suffix, the feature value of the third file can be read directly from the specified file mentioned in step 206; when the compressed file has a zip suffix, the characteristic value of the third file may be calculated with reference to the method in step 202. Storing the feature value of the third file into the preset feature value list may refer to step 205, which is not described herein again.
According to the technical scheme provided by the embodiment of the application, the characteristic values of the files included in the installation package of the application program are read and recorded when the application program is installed, so that when a file is loaded its characteristic value can be compared with the recorded characteristic values and the loaded file can be determined to be a file downloaded from the network in the running process of the application program, which provides data support for subsequent file detection.
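As an added example that is not the patent's own code, the following Python builds the preset feature value list from a constructed installation package (steps 204 to 207: MANIFEST.MF digests, the manifests of nested jar/apk files, and hashed members of a plain zip) and then performs the step 203 comparison for a loaded library. It assumes the package is a zip archive whose META-INF/MANIFEST.MF carries SHA-256-Digest entries; all archives and library bytes are constructed in memory.

```python
"""Added example (not the patent's own code): builds the preset feature value list
from an installation package (steps 204-207) and checks a loaded library against
it (step 203). Every archive and library below is constructed in memory."""
import base64
import hashlib
import io
import zipfile

NESTED_WITH_MANIFEST = (".jar", ".apk")   # carry their own META-INF/MANIFEST.MF
NESTED_WITHOUT_MANIFEST = (".zip",)       # plain archive: hash the decompressed members


def sha256_hex(data: bytes) -> str:
    """Characteristic value of a file (step 202d): SHA-256 over its full contents."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Map each 'Name:' entry of a MANIFEST.MF to its SHA-256-Digest as hex.

    Manifest digests are base64; a line starting with a single space continues
    the previous line (72-byte wrapping), so continuations are joined first.
    """
    joined: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]
        else:
            joined.append(line)
    digests: dict[str, str] = {}
    name = None
    for line in joined:
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA-256-Digest: ") and name:
            digests[name] = base64.b64decode(line[len("SHA-256-Digest: "):]).hex()
        elif not line.strip():
            name = None  # a blank line ends the current entry
    return digests


def build_feature_list(package: bytes) -> set[str]:
    """Preset feature value list for one installation package (steps 204-207).

    Caveat: the recorded digests are only as trustworthy as the package signature
    covering MANIFEST.MF, so build the list from a package that passed installation.
    """
    values: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names:  # step 204: read the recorded digests
            values.update(parse_manifest(zf.read("META-INF/MANIFEST.MF").decode()).values())
        for member in names:  # step 206: decompress nested compressed files
            lower = member.lower()
            if lower.endswith(NESTED_WITH_MANIFEST):
                values |= build_feature_list(zf.read(member))  # step 207, jar/apk case
            elif lower.endswith(NESTED_WITHOUT_MANIFEST):
                with zipfile.ZipFile(io.BytesIO(zf.read(member))) as inner:
                    for f in inner.namelist():  # step 207, zip case: compute per step 202
                        values.add(sha256_hex(inner.read(f)))
    return values


def is_network_downloaded(loaded: bytes, feature_list: set[str]) -> bool:
    """Step 203: true when no installation-package value equals the loaded file's value."""
    return sha256_hex(loaded) not in feature_list


def make_manifest(entries: dict[str, bytes]) -> str:
    """Constructed MANIFEST.MF text with a SHA-256-Digest line per entry."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in entries.items():
        digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
        lines += [f"Name: {name}", f"SHA-256-Digest: {digest}", ""]
    return "\n".join(lines)


def make_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed zip archive holding the given members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample package (not a real APK): a bundled .so, a nested plugin.jar
# with its own manifest, and a plain .zip holding one library. The constructed
# DOWNLOADED_SO stands in for a library fetched from the network at runtime.
BUNDLED_SO = b"\x7fELF-constructed-lib123"
PLUGIN_SO = b"\x7fELF-constructed-plugin"
ZIPPED_SO = b"\x7fELF-constructed-zipped"
DOWNLOADED_SO = b"\x7fELF-constructed-downloaded-at-runtime"

PLUGIN_JAR = make_zip({"META-INF/MANIFEST.MF": make_manifest({"lib/libplugin.so": PLUGIN_SO}).encode(),
                       "lib/libplugin.so": PLUGIN_SO})
EXTRA_ZIP = make_zip({"libzipped.so": ZIPPED_SO})
APK_ENTRIES = {"lib/arm64-v8a/lib123.so": BUNDLED_SO,
               "assets/plugin.jar": PLUGIN_JAR,
               "assets/extra.zip": EXTRA_ZIP}
SAMPLE_APK = make_zip({"META-INF/MANIFEST.MF": make_manifest(APK_ENTRIES).encode(), **APK_ENTRIES})

FEATURE_LIST = build_feature_list(SAMPLE_APK)  # steps 204-207 at install time

if __name__ == "__main__":
    for label, data in [("bundled", BUNDLED_SO), ("plugin", PLUGIN_SO),
                        ("zipped", ZIPPED_SO), ("downloaded", DOWNLOADED_SO)]:
        print(f"{label:10s} downloaded-from-network={is_network_downloaded(data, FEATURE_LIST)}")
```

On a device the comparison would sit at the Java-layer doLoad hook the patent describes; here it is called directly so the behaviour can be checked offline.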
In a specific example, reference is made to fig. 3 in combination, which shows a schematic diagram of a document detection method according to an embodiment of the present application. The file detection method can comprise the following steps:
step 301, install the application.
Step 302, storing the characteristic value of the file included in the installation package of the application program when the application program is installed.
The characteristic values recorded in the MANIFEST.MF file included in the installation package of the application program are the characteristic values of the files included in that installation package.
Step 303, load the first file.
Wherein, loading the first file involves a Java layer, a Native layer and a kernel layer.
Step 304, acquiring a storage path of the first file when the Java layer loads the first file.
Step 305, calculating a characteristic value of the first file.
Step 306, detecting whether the first file is a file downloaded from the network according to the characteristic value of the file included in the installation package of the application program and the characteristic value of the first file.
Since the files downloaded from the network during the operation of the target application are not subjected to security detection, there may be a certain risk. In order to avoid the risk, after the terminal determines that the first file is a file dynamically loaded in the running process of the target application program, the security of the first file can be detected. In an optional embodiment provided based on the embodiment shown in fig. 2, the file detection method may further include the following steps:
step 401, detecting the first file, and determining the security level of the first file.
The security level of the first file is used to measure the security of the first file. The security level and the security have positive correlation. That is, the higher the security level of the first file, the higher the security of the first file; the lower the security level of the first file, the lower the security of the first file.
Optionally, the terminal determines the security score of the first file first, and then determines the security level corresponding to the scoring area where the security score is located as the security level of the first file. The safety score can be calculated in the following way: the terminal detects the first file from at least one dimension, obtains a safety score corresponding to each dimension according to a detection result corresponding to each dimension, and then weights the safety scores corresponding to the dimensions to obtain the safety score of the first file.
The plurality of dimensions may be: detecting whether the first file is shelled, detecting whether the first file carries a sensitive function, detecting whether the first file carries a malicious program, and the like.
Shelling a file refers to compressing its executable binary; a shelled file can be run directly without being decompressed first. Some virus files that have been shelled can no longer be identified by antivirus software, which poses a great potential safety hazard. A sensitive function is a function able to perform a specified operation, where the specified operation may be viewing, obtaining or using sensitive information, and so on. A malicious program refers to program code able to implement a malicious function, such as sending a short message or opening a data network, which is not limited in this embodiment of the present application.
Step 402, when the security level of the first file meets a preset condition, transmitting the storage path of the first file to an operating system.
Optionally, the preset condition may be that the security level of the first file reaches a preset level, where the preset level may be set by the user or set by the terminal itself.
In the embodiment of the application, the terminal executes the subsequent file-loading step only when it detects that the security level of the first file meets the preset condition, that is, only when the first file has been identified as a secure file. This avoids running the first file when it is a malicious file, and improves security.
In summary, according to the technical scheme provided by the embodiment of the application, the first file is inspected after it has been determined to be a file dynamically loaded while the application program runs, and the subsequent process is executed only once the first file has been determined to be safe. Running the first file when it is a malicious file is thereby avoided, and security is improved.
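The weighted multi-dimension scoring and the level gate of steps 401 and 402 (the file is scored along several dimensions, the scores are weighted, the total is mapped to a level band, and the storage path is handed to the operating system only if the level meets the preset level), as an added Python example that is not part of the patent. The three dimension checks are deliberately simple stand-ins: an entropy threshold for shelling, and matches of printable strings against constructed symbol lists for sensitive and malicious functions. The weights, score bands, symbol lists and sample library bytes are all constructed for illustration; the patent does not specify any of them.

```python
import math
import re

# Constructed symbol lists standing in for the patent's "sensitive function" and
# "malicious program" detections; a real product would use far larger signature sets.
SENSITIVE_SYMBOLS = {"getDeviceId", "getSubscriberId", "getLastKnownLocation"}
MALICIOUS_SYMBOLS = {"sendTextMessage", "setMobileDataEnabled"}

# Per-dimension weights in percent (sum to 100); chosen for illustration only.
WEIGHTS = {"shell": 30, "sensitive": 30, "malicious": 40}

# Score bands -> security level, highest floor first; the patent leaves the bands open.
LEVEL_BANDS = [(80.0, "high"), (50.0, "medium"), (0.0, "low")]
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or compressed code sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes) -> set:
    """Rough stand-in for reading a binary's symbol table: runs of 4+ printable ASCII bytes."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{4,}", data)}


def score_shell(data: bytes) -> float:
    """Dimension 1: a shelled (high-entropy) file scores low."""
    return 20.0 if shannon_entropy(data) >= 7.0 else 100.0


def score_sensitive(strings: set) -> float:
    """Dimension 2: every sensitive function found costs 40 points."""
    hits = len(strings & SENSITIVE_SYMBOLS)
    return max(0.0, 100.0 - 40.0 * hits)


def score_malicious(strings: set) -> float:
    """Dimension 3: any malicious-function marker zeroes this dimension."""
    return 0.0 if strings & MALICIOUS_SYMBOLS else 100.0


def security_score(data: bytes) -> dict:
    """Step 401: per-dimension scores, their weighted total, and the resulting level."""
    strings = printable_strings(data)
    per_dim = {
        "shell": score_shell(data),
        "sensitive": score_sensitive(strings),
        "malicious": score_malicious(strings),
    }
    total = sum(WEIGHTS[d] * s for d, s in per_dim.items()) / 100.0
    level = next(name for floor, name in LEVEL_BANDS if total >= floor)
    return {"scores": per_dim, "total": total, "level": level}


def security_check(data: bytes, preset_level: str = "medium") -> dict:
    """Step 402: the path may be passed to the OS only if the level reaches the preset level."""
    result = security_score(data)
    result["allow_load"] = LEVEL_RANK[result["level"]] >= LEVEL_RANK[preset_level]
    return result


# Constructed sample inputs (not real libraries): an ELF-looking header padded with zeros.
BENIGN_LIB = b"\x7fELF" + b"\x00" * 64 + b"JNI_OnLoad\x00getVersion\x00"
SUSPICIOUS_LIB = b"\x7fELF" + b"\x00" * 64 + b"getDeviceId\x00sendTextMessage\x00"
PACKED_LIB = bytes(range(256)) * 16  # uniform byte distribution: entropy exactly 8.0

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_LIB), ("suspicious", SUSPICIOUS_LIB), ("packed", PACKED_LIB)]:
        r = security_check(blob)
        print(f"{name}: total={r['total']:.1f} level={r['level']} allow_load={r['allow_load']}")
```

With these constructed weights the benign sample scores 100 (high), the sample carrying one sensitive and one malicious marker scores 48 (low) and is refused, and the packed sample scores 76 (medium): it passes a medium preset level but not a high one, which is the kind of tunable the preset level gives the user or terminal.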
End users grant different permissions to different applications. Some application programs hold sensitive permissions, such as the information permission, the address-list permission or the call-record permission. The potential security risk of such application programs is greater, so it is all the more necessary to detect whether the files loaded while they run are files downloaded from the network. In an optional embodiment based on the embodiment shown in fig. 2, before the feature value of the first file is obtained, the file detection method further includes:
Step 403, when the first file is loaded from the storage path of the first file, detecting whether the target application program has a sensitive permission.
A sensitive permission is a permission to access sensitive information. Sensitive information includes, but is not limited to: location information, address-book information, call information, short-message content, album content, and the like. Sensitive permissions include, but are not limited to: the location permission, microphone permission, address-book permission, information permission, call-record permission, camera permission, and the like. Sensitive permissions may be preset by the user or set by default by the terminal.
Optionally, the terminal stores a correspondence between permissions and application programs. The terminal queries this correspondence to obtain the list of application programs holding a sensitive permission, and then checks whether that list includes the target application program. If the list includes the target application program, the target application program is determined to have a sensitive permission; if it does not, the target application program is determined not to have one.
If the target application program is detected to have a sensitive permission, the feature value of the first file is acquired; if it is detected not to have one, the process ends.
An application program with a sensitive permission can access the end user's sensitive information, so when such an application has a security flaw the user's sensitive information may be leaked; a security flaw in an application without a sensitive permission cannot leak sensitive information in this way. Therefore, in the embodiment of the application, only files loaded while an application with a sensitive permission runs are checked for having been downloaded from the network. The terminal is thereby spared from inspecting every application, and its processing resources are saved while security is still ensured.
In summary, according to the technical scheme provided by the embodiment of the application, whether a file loaded while an application with a sensitive permission runs is a file downloaded from the network is detected, so that the terminal does not have to inspect every application and its processing resources are saved while security is ensured.
Embodiments of the apparatus of the present application are described below; for details of the apparatus embodiments that are not fully described, reference may be made to the technical details disclosed in the method embodiments above.
Referring to fig. 4, a block diagram of a file detection apparatus according to an exemplary embodiment of the present application is shown. The file detection apparatus may be implemented as all or part of the terminal, in software, in hardware, or in a combination of both. The file detection apparatus includes:
a path obtaining module 410, configured to obtain the storage path of the first file through a library file loading function;
a feature value obtaining module 420, configured to obtain the feature value of the first file when the first file is loaded from the storage path of the first file;
a file detection module 430, configured to determine, if the feature value of the second file is not the same as the feature value of the first file, that the first file is a file downloaded from the network while the target application program runs; wherein the second file is a file included in the installation package of the target application program.
In summary, according to the technical scheme provided in the embodiment of the present application, when an application program loads a file, the feature value of the loaded file is compared with the feature values of the files included in the application program's installation package. If none of those feature values equals the feature value of the loaded file, the loaded file is determined to be a file downloaded from the network while the application program runs. Whether a file loaded during the run of an application program was downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and ensures that the application program runs efficiently and safely.
In an alternative embodiment provided based on the embodiment shown in fig. 4, the feature value obtaining module 420 is configured to:
when the first file is loaded, acquiring the running information of the target application program;
reading operating parameters from the operating information, the operating parameters including one of, or a combination of at least two of, the following: stack information, a user identifier of the target process, the file name of the first file and the storage path of the first file;
acquiring the first file according to the operating parameters;
calculating a feature value of the first file.
In an optional embodiment provided based on the embodiment shown in fig. 4, the file detection module 430 is further configured to:
detecting whether a preset characteristic value list comprises a characteristic value of the first file or not, wherein the preset characteristic value list comprises a characteristic value of the second file;
if the preset characteristic value list comprises the characteristic value of the first file, determining that the characteristic value of the second file is the same as the characteristic value of the first file;
if the preset characteristic value list does not comprise the characteristic value of the first file, determining that the characteristic value of the second file is not the same as the characteristic value of the first file.
Optionally, the apparatus further comprises: a feature value storage module (not shown).
The characteristic value storage module is used for:
when the target application program is installed, reading the characteristic value of the second file from a specified file included in an installation package of the target application program;
and storing the characteristic value of the second file to the preset characteristic value list.
Optionally, the feature value storage module is further configured to:
when the target application program is installed, if the installation package of the target application program comprises a compressed file, decompressing the compressed file to obtain a third file;
and calculating the characteristic value of the third file, and storing the characteristic value of the third file into the preset characteristic value list.
In an optional embodiment provided based on the embodiment shown in fig. 4, the apparatus further comprises: a security detection module (not shown).
The security detection module is configured to:
detecting the first file, and determining the security level of the first file;
and when the security level of the first file meets a preset condition, transmitting the storage path of the first file to an operating system.
In an optional embodiment provided based on the embodiment shown in fig. 4, the apparatus further comprises: a permission detection module (not shown).
The permission detection module is configured to:
detecting whether the target application program has a sensitive authority, wherein the sensitive authority refers to the authority for accessing sensitive information;
and if the target application program has the sensitive permission, executing the step of acquiring the characteristic value of the first file.
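The install-time feature-value list (the feature value storage module, including the case where the installation package contains a compressed file whose members become third files), the runtime comparison performed by modules 420 and 430, and the sensitive-permission gate of step 403 and the permission detection module, together as one added Python example that is not part of the patent. Assumptions not made by the patent: SHA-256 is used as the characteristic value; the feature values of the package members are computed at install time rather than read from a specified file inside the package; the permission-to-application correspondence is a dictionary keyed by Android permission strings; and the package, its members and the application names are constructed in the block. The hook into the library loading function that obtains the storage path is not shown; the example starts from the bytes the loader is about to map.

```python
import hashlib
import io
import zipfile

# Permissions treated as sensitive (assumed set, using real Android permission names).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def feature_value(data: bytes) -> str:
    """The 'characteristic value' of a file; SHA-256 is an assumption, the patent names no function."""
    return hashlib.sha256(data).hexdigest()


def build_preset_feature_list(package_bytes: bytes) -> set:
    """Install time: record the feature value of every file in the package (second files);
    if a member is itself a compressed archive, decompress it and record its members too
    (third files), so a plugin library unpacked later at runtime still matches."""
    values = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if info.is_dir():
                continue
            data = pkg.read(info)
            values.add(feature_value(data))
            if zipfile.is_zipfile(io.BytesIO(data)):
                values |= build_preset_feature_list(data)  # recurse into the nested archive
    return values


def apps_with_sensitive_permission(permission_map: dict) -> set:
    """Reduce the stored permission -> [apps] correspondence to the apps holding any sensitive permission."""
    return {app for perm, apps in permission_map.items()
            if perm in SENSITIVE_PERMISSIONS for app in apps}


def on_library_load(app: str, loaded_bytes: bytes, preset_list: set, permission_map: dict) -> str:
    """Called when the loader is about to map a library from its storage path.
    Returns 'skipped' (step 403: app holds no sensitive permission, process ends),
    'from_package' (feature value found in the preset list) or 'downloaded'."""
    if app not in apps_with_sensitive_permission(permission_map):
        return "skipped"
    # Modules 420/430: the loaded file's feature value is looked up in the preset list; absence
    # means no package file has the same feature value, i.e. the file was fetched at runtime.
    if feature_value(loaded_bytes) in preset_list:
        return "from_package"
    return "downloaded"


def make_zip(members: dict) -> bytes:
    """Helper to build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed installation package: one native library plus a nested zip holding a plugin library.
LIB_MAIN = b"\x7fELF constructed libmain.so contents"
LIB_PLUGIN = b"\x7fELF constructed libplugin.so contents"
LIB_UNKNOWN = b"\x7fELF constructed library fetched from the network at runtime"
PLUGIN_ZIP = make_zip({"libplugin.so": LIB_PLUGIN})
PACKAGE = make_zip({"lib/arm64-v8a/libmain.so": LIB_MAIN, "assets/plugins.zip": PLUGIN_ZIP})
PRESET_LIST = build_preset_feature_list(PACKAGE)

# Constructed permission -> applications correspondence as the terminal would store it.
PERMISSION_MAP = {
    "android.permission.READ_CONTACTS": ["com.example.messenger"],
    "android.permission.INTERNET": ["com.example.messenger", "com.example.flashlight"],
}

if __name__ == "__main__":
    for app, blob in [("com.example.messenger", LIB_MAIN), ("com.example.messenger", LIB_PLUGIN),
                      ("com.example.messenger", LIB_UNKNOWN), ("com.example.flashlight", LIB_UNKNOWN)]:
        print(app, on_library_load(app, blob, PRESET_LIST, PERMISSION_MAP))
```

The nested-archive recursion is what makes the third-file step matter in practice: without it, a legitimately shipped plugin that the application unpacks from `assets/plugins.zip` and then loads would be flagged as downloaded, and the later security detection would run on every such load.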
It should be noted that the division into functional modules shown for the apparatus of the foregoing embodiment is only illustrative; in practical applications, the above functions may be distributed over different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules that implement all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation processes are described in detail in the method embodiments and are not repeated here.
Referring to fig. 5, a block diagram of a terminal according to an exemplary embodiment of the present application is shown. A terminal in the present application may include one or more of the following components: a processor 510 and a memory 520.
The processor 510 may include one or more processing cores. The processor 510 connects the various parts of the terminal through various interfaces and lines, and performs the terminal's functions and processes data by running or executing the instructions, programs, code sets or instruction sets stored in the memory 520 and by accessing the data stored in the memory 520. Alternatively, the processor 510 may be implemented in hardware using at least one of a Digital Signal Processor (DSP), a Field-Programmable Gate Array (FPGA) and a Programmable Logic Array (PLA). The processor 510 may integrate one or a combination of a Central Processing Unit (CPU) and a modem. The CPU mainly handles the operating system, application programs and the like; the modem handles wireless communication. It is understood that the modem may also be implemented as a separate chip rather than integrated into the processor 510.
Alternatively, the processor 510, when executing the program instructions in the memory 520, implements the file detection method provided by the method embodiments described above.
The memory 520 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 520 includes a non-transitory computer-readable medium. The memory 520 may be used to store instructions, programs, code, code sets or instruction sets. The memory 520 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function, instructions for implementing the method embodiments described above, and the like; the data storage area may store data created during use of the terminal, and the like.
The structure of the terminal described above is only illustrative, and in actual implementation, the terminal may include more or less components, such as: a camera, etc., and this embodiment does not limit this.
Those skilled in the art will appreciate that the configuration shown in fig. 5 is not intended to be limiting of terminal 500 and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components may be used.
In an exemplary embodiment, a computer-readable storage medium is further provided, in which at least one instruction is stored, and the at least one instruction is loaded and executed by a processor of a terminal to implement the file detection method in the above-described method embodiment.
Alternatively, the computer-readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product is also provided, which, when executed, is adapted to implement the file detection method provided in the above-mentioned method embodiments.
It should be understood that "a plurality" herein means two or more. "And/or" describes an association between the associated objects and covers three cases; for example, "A and/or B" may mean: A alone, A and B together, or B alone. The character "/" generally indicates that the objects before and after it are in an "or" relationship. As used herein, the terms "first", "second" and the like do not denote any order, quantity or importance, but are merely used to distinguish one element from another.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The above description is only exemplary of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements and the like that are made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (9)

1. A method for file detection, the method comprising:
acquiring a storage path of a first file through a library file loading function;
when the first file is loaded from the storage path of the first file, acquiring the running information of a target application program, wherein the target application program is an application program running on a terminal;
reading an operating parameter from the operating information, the operating parameter including one or a combination of at least two of: stack information, a user identifier of a target process, a file name of the first file and a storage path of the first file;
acquiring the first file according to the operation parameters;
calculating a characteristic value of the first file;
if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application.
2. The method of claim 1, wherein before determining that the first file is a file downloaded from a network during the running of the target application, further comprising:
detecting whether a preset characteristic value list comprises a characteristic value of the first file or not, wherein the preset characteristic value list comprises a characteristic value of the second file;
if the preset characteristic value list comprises the characteristic value of the first file, determining that the characteristic value of the second file is the same as the characteristic value of the first file;
if the preset characteristic value list does not comprise the characteristic value of the first file, determining that the characteristic value of the second file is not the same as the characteristic value of the first file.
3. The method of claim 2, further comprising:
when the target application program is installed, reading the characteristic value of the second file from a specified file included in an installation package of the target application program;
and storing the characteristic value of the second file to the preset characteristic value list.
4. The method of claim 3, further comprising:
when the target application program is installed, if the installation package of the target application program comprises a compressed file, decompressing the compressed file to obtain a third file;
and acquiring the characteristic value of the third file, and storing the characteristic value of the third file to the preset characteristic value list.
5. The method according to any one of claims 1 to 4, wherein after determining that the first file is a file downloaded from a network during the running process of the target application, the method further comprises:
detecting the first file, and determining the security level of the first file;
and when the security level of the first file meets a preset condition, transmitting the storage path of the first file to an operating system.
6. The method according to any one of claims 1 to 4, wherein before acquiring the running information of the target application program when the first file is loaded from the storage path of the first file, the method further comprises:
detecting whether the target application program has a sensitive authority, wherein the sensitive authority refers to the authority for accessing sensitive information;
and if the target application program has the sensitive permission, executing the step of acquiring the running information of the target application program when the first file is loaded from the storage path of the first file.
7. A file detection apparatus, the apparatus comprising:
a path acquisition module, configured to acquire a storage path of a first file through a library file loading function;
a feature value acquisition module, configured to acquire the running information of a target application program when the first file is loaded from the storage path of the first file, wherein the target application program is an application program running on a terminal; read operating parameters from the running information, the operating parameters comprising one of, or a combination of at least two of, the following: stack information, a user identifier of a target process, the file name of the first file and the storage path of the first file; acquire the first file according to the operating parameters; and calculate a feature value of the first file;
the file detection module is used for determining that the first file is a file downloaded from a network in the running process of the target application program if the characteristic value of the second file is not the same as the characteristic value of the first file; wherein the second file is a file included in an installation package of the target application.
8. A terminal, characterized in that it comprises a processor and a memory, said memory storing at least one instruction which is loaded and executed by said processor to implement the file detection method according to any one of claims 1 to 6.
9. A computer-readable storage medium having stored therein at least one instruction, which is loaded and executed by a processor to implement the file detection method of any one of claims 1 to 6.
CN201911390031.1A 2019-12-30 2019-12-30 File detection method, device, terminal and storage medium Active CN113132421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911390031.1A CN113132421B (en) 2019-12-30 2019-12-30 File detection method, device, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN113132421A CN113132421A (en) 2021-07-16
CN113132421B true CN113132421B (en) 2022-11-04

Family

ID=76767630

Country Status (1)

Country Link
CN (1) CN113132421B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115766099B (en) * 2022-10-24 2023-08-08 国家能源蓬莱发电有限公司 Network security processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107480519A (en) * 2017-08-04 2017-12-15 深圳市金立通信设备有限公司 A kind of method and server for identifying risk application
CN108363580A (en) * 2018-03-12 2018-08-03 平安普惠企业管理有限公司 Application program installation method, device, computer equipment and storage medium
CN109814524A (en) * 2018-12-17 2019-05-28 深圳市轱辘汽车维修技术有限公司 A kind of Vehicular diagnostic method, apparatus and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106971098B (en) * 2016-10-11 2020-06-02 阿里巴巴集团控股有限公司 Method and device for preventing repacking

Also Published As

Publication number Publication date
CN113132421A (en) 2021-07-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant