CN102789506B - Method and device for extracting characteristic information of application program installation package as well as client equipment - Google Patents

Publication number
CN102789506B
Authority
CN
China
Prior art keywords
application program
installation kit
program installation
characteristic information
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201210250545.9A
Other languages
Chinese (zh)
Other versions
CN102789506A (en)
Inventor
李伟
韩景维
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201210250545.9A (CN102789506B)
Publication of CN102789506A
Priority to KR1020147023000A (KR101691948B1)
Priority to PCT/CN2013/079222 (WO2014012459A1)
Application granted
Publication of CN102789506B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F40/00 Handling natural language data
    • G06F40/20 Natural language analysis
    • G06F40/258 Heading extraction; Automatic titling; Numbering
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition

Abstract

The invention discloses a method and a device for extracting characteristic information of an application program installation package, as well as client equipment, and belongs to the technical field of security. The method comprises the following steps: decompressing data not greater than a threshold value in the application program installation package; analyzing the decompressed data obtained by the decompression and acquiring the key data that contains the characteristic information of the application program installation package; repeating the previous two steps until the application program installation package is completely decompressed, thereby acquiring all the key data in the application program installation package; and parsing all the key data and extracting the characteristic information of the application program installation package from the key data. With the technical scheme adopted by the invention, memory usage can be effectively reduced, the time for extracting the characteristic information of the application program installation package can be shortened, and the efficiency of acquiring the characteristic information from the application program installation package can be improved.

Description

Method, device and client device for extracting characteristic information of an application program installation package
Technical field
The present invention relates to the field of security technology, and in particular to a method, a device and a client device for extracting characteristic information of an application program installation package.
Background
An application program installation package is generally a compressed file, which usually contains resource files, configuration files, executable files and so on. For example, the application program installation package of the Android system is called an apk file; an apk file in this compressed format may contain the executable dex file and other files.
In the prior art, to detect whether the installation package of an application program is rogue software or a virus, the installation package must be decompressed to obtain the complete executable file. The complete executable file is then parsed in memory and characteristic information is extracted; the extracted characteristic information is compared with the characteristic information contained in the virus samples of a preset virus signature database, thereby detecting whether the application program installation package is a rogue program or a virus file. For example, an apk file of the Android system can be decompressed to obtain the dex file, and the dex file is then parsed to extract characteristic information such as class names, method names and constant strings. When the extracted characteristic information is identical to the characteristic information contained in some virus sample in the preset virus signature database, the apk file is a rogue program or a virus file.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problem: when an application program installation package needs to be checked, the package must first be decompressed to obtain the complete executable file, and the complete executable file is then parsed in memory to extract characteristic information. When the executable file is large, placing the complete executable file in memory occupies a large amount of memory, causes memory shortage, lengthens the time needed to extract the characteristic information, and seriously affects the efficiency of obtaining characteristic information from the application program installation package.
Summary of the invention
To solve the problem of the prior art, embodiments of the present invention provide a method, a device and a client device for extracting characteristic information of an application program installation package. The technical solution is as follows:
In one aspect, a method for extracting characteristic information of an application program installation package is provided, the method comprising:
decompressing data not greater than a threshold in the application program installation package;
analyzing the decompressed data obtained by the decompression, discarding the data of resource files or configuration files in the decompressed data, and retaining the critical data, containing characteristic information, of the executable file of the application program installation package;
repeating the above two steps until the application program installation package has been completely decompressed, thereby obtaining all the critical data in the application program installation package; and parsing all the critical data and extracting the characteristic information of the application program installation package from all the critical data.
Optionally, in the method described above, the threshold is a preset value or is determined according to the size of the application program installation package.
Optionally, in the method described above, the characteristic information of the application program installation package comprises at least one of class names, method names and constant strings.
In another aspect, a device for extracting characteristic information of an application program installation package is provided, the device comprising:
a decompression module, configured to decompress data not greater than a threshold in the application program installation package;
an acquisition module, configured to analyze the decompressed data obtained by the decompression module, discard the data of resource files or configuration files in the decompressed data, and retain the critical data, containing characteristic information, of the executable file of the application program installation package;
a control module, configured to control the decompression module and the acquisition module to repeat the corresponding operations until the application program installation package has been completely decompressed and the acquisition module has obtained all the critical data in the application program installation package; and an extraction module, configured to parse all the critical data and extract the characteristic information of the application program installation package from all the critical data obtained by the acquisition module.
Optionally, the device described above further comprises a threshold determination module:
the threshold determination module is configured to preset the threshold or to determine the threshold according to the size of the application program installation package.
Optionally, in the device described above, the characteristic information of the application program installation package comprises at least one of class names, method names and constant strings.
In yet another aspect, a method for extracting characteristic information from an apk file is provided, which uses any of the methods described above.
In still another aspect, a client device is provided, which includes the device for extracting characteristic information of an application program installation package according to any of the above.
Optionally, in the client device described above, the client device comprises a mobile terminal. Optionally, in the client device described above, the client device comprises a mobile terminal on which the Android system is installed.
The method, device and client device of the embodiments of the present invention decompress data not greater than a threshold in the application program installation package; analyze the decompressed data obtained by the decompression to obtain the critical data containing characteristic information; repeat these two steps until the application program installation package has been completely decompressed, thereby obtaining all the critical data in the package; and parse all the critical data to extract the characteristic information of the application program installation package from it. With the technical solution of the embodiments, data whose size equals the threshold is decompressed in memory one portion at a time, and after each decompression the decompressed data is analyzed to obtain the critical data containing characteristic information, so the decompression process does not occupy a large amount of memory. Moreover, because only the critical data in the decompressed data is obtained after each decompression, the characteristic information of the application program installation package only needs to be extracted from all the critical data obtained. Compared with the prior art, which obtains the characteristic information of the application program installation package from the whole executable file, the technical solution of the embodiments effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application program installation package, and improves the efficiency of obtaining characteristic information from the application program installation package.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of the method for extracting characteristic information of an application program installation package provided by Embodiment 1 of the present invention;
Fig. 2 is a flowchart of the method for extracting characteristic information of an application program installation package provided by Embodiment 2 of the present invention;
Fig. 3 is a structural diagram of the device for extracting characteristic information of an application program installation package provided by Embodiment 3 of the present invention;
Fig. 4 shows the device for extracting characteristic information of an application program installation package provided by Embodiment 4 of the present invention;
Fig. 5 is a structural diagram of the client device provided by Embodiment 5 of the present invention.
Detailed description of the embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in further detail below with reference to the drawings.
Embodiment 1
Fig. 1 is a flowchart of the method for extracting characteristic information of an application program installation package provided by Embodiment 1 of the present invention. The method of this embodiment is executed by a device for extracting characteristic information of an application program installation package, which can be installed on a client device. As shown in Fig. 1, the method of this embodiment may comprise the following steps:
100. Decompress data not greater than a threshold in the application program installation package;
101. Analyze the decompressed data obtained by the decompression, and obtain the critical data containing the characteristic information of the application program installation package;
For example, the critical data is the data that contains the characteristic information of the application program installation package.
102. Repeat steps 100 and 101 until the application program installation package has been completely decompressed, thereby obtaining all the critical data in the application program installation package;
The critical data in this embodiment is the data, in the executable file of the application program installation package, that contains characteristic information. Note that the executable file contains other data besides this critical data, and that other data does not contain characteristic information of the application program installation package. The total size of all the critical data obtained once decompression is complete is therefore smaller than the size of the executable file in the application program installation package.
103. Parse all the critical data, and extract the characteristic information of the application program installation package from all the critical data.
The application program installation package of this embodiment can be an application program installation package under various systems, for example an application program installation package of the Windows system or of the Android system. The application program installation package of the Android system is called an apk file. When the application program installation package is an apk file, the corresponding executable file is the dex file, and in this embodiment the total size of all the critical data is then smaller than the size of the dex file. The package can also be an application program installation package under the iOS system.
In this embodiment, the threshold can be a preset value or can be determined according to the size of the application program installation package; for example, to reduce the memory occupied during implementation, the threshold can be set to a small value of a few tens of K. In the technical solution of this embodiment, each time only data whose size equals the threshold in the application program installation package is decompressed, and the critical data from which characteristic information can be extracted is obtained directly from the decompressed data. Because the application program installation package contains resource files, configuration files, executable files and so on, after the threshold-sized data has been decompressed it can be determined, with reference to the prior art, which file in the application program installation package the decompressed data belongs to. Since the characteristic information of the application program installation package can only be extracted from the executable file, the data of resource files or configuration files in the decompressed data can be discarded and the data of the executable file retained. Further, the executable file contains both data from which the characteristic information of the application program installation package can be extracted and data from which it cannot; the data from which the characteristic information can be extracted is the valid data. In this way, only the critical data is retained, that is, the part of the decompressed data that belongs to the executable file and from which the characteristic information of the application program installation package can be extracted.
Therefore a part of the critical data is obtained after each decompression, and repeating the decompression operation until the whole application program installation package has been decompressed yields all the critical data. Finally, the characteristic information of the application program installation package is extracted from all the critical data; for example, it can be extracted from all the critical data with reference to the prior-art parsing methods used to obtain the characteristic information of an application program installation package from the executable file.
The method of this embodiment decompresses data not greater than the threshold in the application program installation package; analyzes the decompressed data obtained by the decompression to obtain the critical data containing characteristic information; repeats these two steps until the application program installation package has been completely decompressed, thereby obtaining all the critical data in the package; and parses all the critical data to extract the characteristic information of the application program installation package from it. With the technical solution of this embodiment, threshold-sized data is decompressed in memory one portion at a time, and after each decompression the decompressed data is analyzed to obtain the critical data containing characteristic information, so the decompression process does not occupy a large amount of memory. Moreover, because only the critical data in the decompressed data is obtained after each decompression, the characteristic information of the application program installation package only needs to be extracted from all the critical data obtained. Compared with the prior art, which obtains the characteristic information of the application program installation package from the whole executable file, the technical solution of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application program installation package, and improves the efficiency of obtaining characteristic information from the application program installation package.
For example, optionally, on the basis of the technical solution of the embodiment shown in Fig. 1, before step 100 "decompress data not greater than the threshold in the application program installation package", the method of the above embodiment further comprises the following steps:
(1) Determine whether the size of the not-yet-decompressed data in the application program installation package is greater than or equal to the threshold; if the size of the not-yet-decompressed data in the application program installation package is greater than or equal to the threshold, perform step (2); further optionally, if the size of the not-yet-decompressed data in the application program installation package is less than the threshold, perform step (3);
(2) Read data whose size equals the threshold from the not-yet-decompressed data in the application program installation package; further optionally, perform step (4);
(3) Read the not-yet-decompressed data in the application program installation package; further optionally, perform step (5);
(4) Decompress the data in the application program installation package whose size equals the threshold.
Step (4) can be regarded as one specific implementation of step 100 "decompress data not greater than the threshold in the application program installation package" in the above embodiment.
(5) Decompress the not-yet-decompressed data in the application program installation package whose size is less than the threshold.
Step (5) can be regarded as another specific implementation of step 100 "decompress data not greater than the threshold in the application program installation package" in the above embodiment.
Optionally, all the critical data obtained in the above embodiment can be stored in memory or in a cache, according to actual processing needs. Alternatively, it can first be stored on disk and, when the characteristic information of the application program installation package needs to be extracted from all the critical data, read into the cache or memory. Compared with the prior art, which needs to analyze the whole executable file to obtain the characteristic information of the application program installation package, the object of the extraction processing in this embodiment is all the critical data, whose total size is smaller than the size of the executable file. This effectively saves memory, shortens the time needed to extract the characteristic information of the application program installation package, and improves the efficiency of extracting the characteristic information of the application program installation package.
Optionally, the characteristic information of the application program installation package in the above embodiment comprises at least one of extracted class names, method names and constant strings. The characteristic information of the application program installation package is compared with the characteristic information contained in the virus samples of a preset virus signature database, to judge whether the application program installation package is a rogue program or a virus file. The preset virus signature database can contain multiple virus samples, and each virus sample can contain at least one item of characteristic information. When the extracted characteristic information is entirely identical to the characteristic information included in some virus sample in the virus signature database, the application program installation package can be considered a rogue program or a virus file; otherwise the application program installation package is a normal file. For details, refer to the related prior art; they are not repeated here.
By using the method of the above embodiment, compared with the prior art, which obtains the characteristic information of the application program installation package from the whole executable file, the technical solution of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application program installation package, and improves the efficiency of obtaining characteristic information from the application program installation package.
As the above embodiment shows, the method can be applied in virus scanning and removal: the characteristic information of the application program installation package is extracted, and the related prior art can then be used, with the extracted characteristic information and the preset virus signature database, to judge whether the application program installation package is a rogue program or a virus file. For details, refer to the related prior art; they are not repeated here.
Embodiment 2
Fig. 2 is a flowchart of the method for extracting characteristic information of an application program installation package provided by Embodiment 2 of the present invention. As shown in Fig. 2, the method of this embodiment builds on the above embodiment and, in combination with its application scenario, describes the technical solution of the present invention in further detail. As before, the method of this embodiment is executed by a device for extracting characteristic information of an application program installation package. As shown in Fig. 2, the method of this embodiment may comprise the following steps:
200. Determine whether the size of the not-yet-decompressed data in the application program installation package is greater than or equal to a threshold; if it is greater than or equal to the threshold, perform step 201; otherwise, if it is less than the threshold, perform step 203;
The threshold is a preset size. To reduce memory usage, the threshold can be set small, so that under normal circumstances an application program installation package is larger than the threshold. In that case step 200 may be skipped and step 201 performed directly. However, to avoid missing detection of smaller application program installation packages, it is preferable to start from step 200.
201. Read data whose size equals the threshold from the not-yet-decompressed data of the application program installation package into memory; perform step 202;
202. In memory, decompress the data of the application program installation package whose size equals the threshold; perform step 205;
203. Read the not-yet-decompressed data in the application program installation package into memory; perform step 204;
204. In memory, decompress the not-yet-decompressed data of the application program installation package whose size is less than the threshold; perform step 205;
205. From the decompressed data obtained by the decompression, obtain the critical data containing the characteristic information of the application program installation package; perform step 206;
206. Determine whether the application program installation package has been completely decompressed; if decompression is complete, perform step 207; otherwise, if decompression is not complete, perform step 200;
207. Parse all the critical data obtained once decompression is complete, and extract the characteristic information of the application program installation package from all the critical data.
For example, the characteristic information of the application program installation package comprises at least one of extracted class names, method names and constant strings.
With the above technical solution, the method of this embodiment obtains only the critical data in the decompressed data after each decompression, so the decompression process does not occupy a large amount of memory. The total size of all the critical data finally obtained in this embodiment is smaller than the size of the executable file in the application program installation package, and the characteristic information of the application program installation package only needs to be extracted from all the critical data obtained. Compared with the prior art, which obtains the characteristic information of the application program installation package from the whole executable file, the technical solution of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application program installation package, and improves the efficiency of obtaining characteristic information from the application program installation package.
With reference to Embodiments 1 and 2 above, the embodiments of the present invention can also provide a method for extracting characteristic information from an apk file, which can be implemented using the method of the above embodiments with the apk file as the application program installation package. For details, refer to the description of the above method embodiments; they are not repeated here.
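The loop of steps 200 to 207 applied to an apk file, as an added example (not code from the patent or its assignee). It assumes Python's `zipfile` for the container, applies the threshold to the decompressed bytes read per step, and treats the DEX header, the string/type/method id tables and the string data as the critical data, with the string data located after the id tables as the DEX layout places it; `DexKeyData`, `extract_features` and `build_sample_apk` are hypothetical names and the sample package is constructed.

```python
import io
import struct
import zipfile

THRESHOLD = 32 * 1024   # bytes handled per step (a threshold of a few tens of K)
HEADER_SIZE = 0x70      # fixed size of the DEX header

def read_string(buf, off):
    """Return (text, end) for the string_data_item at buf[off:], or None if cut off."""
    while off < len(buf) and buf[off] & 0x80:     # skip the ULEB128 length prefix
        off += 1
    end = buf.find(b"\x00", off + 1)              # the MUTF-8 payload is NUL-terminated
    if off >= len(buf) or end < 0:
        return None
    return buf[off + 1:end].decode("utf-8", "replace"), end + 1

class DexKeyData:
    """Fed a DEX stream chunk by chunk; keeps only header, id tables and strings."""
    def __init__(self):
        self.pos = 0                      # stream offset of the chunk being fed
        self.header = bytearray()
        self.tables = None                # name -> (start, end, retained bytes)
        self.offsets = None               # offsets of all string_data_items
        self.strings = bytearray()        # bytes from the first to the last string
        self.done = False

    def _cut(self, chunk, start, end):    # part of chunk inside stream range [start, end)
        lo, hi = max(start - self.pos, 0), min(end - self.pos, len(chunk))
        return chunk[lo:hi] if lo < hi else b""

    def feed(self, chunk):
        if len(self.header) < HEADER_SIZE:
            self.header += self._cut(chunk, 0, HEADER_SIZE)
            if len(self.header) == HEADER_SIZE:
                if self.header[:4] != b"dex\n":
                    raise ValueError("not a DEX file")
                f = struct.unpack_from("<14I", self.header, 0x38)  # size/offset pairs
                self.tables = {"string": (f[1], f[1] + 4 * f[0], bytearray()),
                               "type": (f[3], f[3] + 4 * f[2], bytearray()),
                               "method": (f[9], f[9] + 8 * f[8], bytearray())}
        if self.tables is not None and self.offsets is None:
            for start, end, buf in self.tables.values():
                buf += self._cut(chunk, start, end)
            if all(len(b) == e - s for s, e, b in self.tables.values()):
                ids = self.tables["string"][2]
                self.offsets = struct.unpack("<%dI" % (len(ids) // 4), ids)
                if self.offsets and min(self.offsets) < self.pos:
                    raise ValueError("string data precedes the id tables")
                self.done = not self.offsets
        if self.offsets and not self.done:
            first, last = min(self.offsets), max(self.offsets)
            self.strings += self._cut(chunk, first, self.pos + len(chunk))
            item = read_string(self.strings, last - first)
            if item is not None:
                del self.strings[item[1]:]    # discard everything after the last string
                self.done = True
        self.pos += len(chunk)                # the rest of the chunk is not retained

    def features(self):
        if not self.done:
            raise ValueError("truncated DEX or unsupported layout")
        first = min(self.offsets, default=0)
        pool = [read_string(self.strings, o - first)[0] for o in self.offsets]
        types = [pool[i] for (i,) in struct.iter_unpack("<I", self.tables["type"][2])]
        names = [pool[n] for _, _, n in struct.iter_unpack("<HHI", self.tables["method"][2])]
        kept = len(self.header) + len(self.strings) + sum(len(t[2]) for t in self.tables.values())
        return {"classes": sorted({t for t in types if t.startswith("L")}),
                "methods": sorted(set(names)), "strings": pool, "retained_bytes": kept}

def extract_features(apk_file, threshold=THRESHOLD):
    """Steps 200-207: decompress in threshold-sized steps, keep critical data, parse."""
    result = {}
    with zipfile.ZipFile(apk_file) as apk:
        for info in apk.infolist():
            if not info.filename.endswith(".dex"):
                continue                  # resource and configuration files are discarded
            keep = DexKeyData()
            with apk.open(info) as stream:
                while chunk := stream.read(threshold):   # never more than `threshold` bytes
                    keep.feed(chunk)
            result[info.filename] = keep.features()
    return result

def build_sample_apk(filler=100_000):
    """Constructed sample: a ZIP with one resource and a minimal DEX-shaped file."""
    pool = ["Lcom/example/Main;", "V", "http://example.invalid/cfg", "onCreate"]
    items = [bytes([len(s)]) + s.encode() + b"\x00" for s in pool]
    offs = [0xD0 + sum(map(len, items[:i])) for i in range(len(items))]
    body = (struct.pack("<4I2IHHI", *offs, 0, 1, 0, 0, 3)    # string, type, method ids
            + bytes(64) + b"".join(items) + bytes(filler))   # filler stands in for code
    size = HEADER_SIZE + len(body)
    header = struct.pack("<8sI20s6I14I", b"dex\n035\0", 0, b"", size, HEADER_SIZE,
                         0x12345678, 0, 0, 0, 4, 0x70, 2, 0x80, 0, 0, 0, 0, 1, 0x88,
                         0, 0, size - 0x90, 0x90)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("res/raw/big.bin", bytes(50_000))
        z.writestr("classes.dex", header + body)
    return io.BytesIO(out.getvalue())
```

Calling `extract_features(build_sample_apk())` returns the class names, method names and strings per dex entry, plus the number of bytes retained. The table sizes in the header come from the untrusted file: the collector retains only bytes that actually arrive in the stream, and a truncated file or string data placed before the id tables raises `ValueError`.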
Embodiment three
Fig. 3 is a schematic structural diagram of the characteristic information extraction device for an application installation package provided by embodiment three of the present invention. As shown in Fig. 3, the device of this embodiment comprises: decompression module 10, acquisition module 11, control module 12 and extraction module 13.
Decompression module 10 is used to decompress data of not more than a threshold in the application installation package. Acquisition module 11 is connected to decompression module 10 and is used to analyze the decompressed data obtained by decompression module 10 and obtain the critical data that contains characteristic information. Control module 12 is connected to decompression module 10 and acquisition module 11 respectively, and is used to control decompression module 10 and acquisition module 11 to repeat the corresponding operations until the application installation package has been completely decompressed and acquisition module 11 has obtained all the critical data in the application installation package; the total size of all the useful data is smaller than the size of the executable file in the application installation package. Extraction module 13 is connected to acquisition module 11 and is used, after control module 12 has finished controlling decompression module 10 and acquisition module 11, to parse all the critical data obtained by acquisition module 11 and extract the characteristic information of the application installation package from all the critical data obtained by acquisition module 11.
The device of this embodiment uses the above modules to extract the characteristic information of the application installation package by the same mechanism as the related method embodiments above. For details, refer to the description of those method embodiments, which is not repeated here.
The device of this embodiment uses the above modules to decompress data of not more than a threshold in the application installation package; to analyze the decompressed data obtained by the decompression and obtain the critical data that contains characteristic information; to repeat these two steps until the application installation package has been completely decompressed and all the critical data in it has been obtained; and to parse all the critical data and extract the characteristic information of the application installation package from all the critical data. With the technical solution of this embodiment of the present invention, threshold-sized pieces of data can be decompressed in memory one at a time, and after each decompression the decompressed data is analyzed to obtain the critical data containing characteristic information, so the decompression process does not occupy a large amount of memory. Because only the critical data in the decompressed data is obtained after each decompression, and all the useful data is smaller than the size of the executable file in the application installation package, the characteristic information only needs to be extracted from all the critical data obtained. Compared with the prior art, which obtains the characteristic information from the whole executable file of the application installation package, the technical solution of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application installation package, and improves the efficiency of obtaining characteristic information from the application installation package.
Embodiment four
Fig. 4 shows the characteristic information extraction device for an application installation package provided by embodiment four of the present invention. As shown in Fig. 4, the device of this embodiment can, on the basis of the embodiment shown in Fig. 3 above, also include the following technical solutions.
As shown in Fig. 4, the device of this embodiment further comprises judging module 14 and reading module 15.
Judging module 14 is used, before decompression module 10 decompresses data of not more than the threshold size in the application installation package, to judge whether the size of the not-yet-decompressed data in the application installation package is greater than or equal to the threshold. Reading module 15 is connected to judging module 14; if judging module 14 determines that the size of the not-yet-decompressed data of the application installation package is greater than or equal to the threshold, reading module 15 reads data equal in size to the threshold from the not-yet-decompressed data of the application installation package. Decompression module 10 is connected to reading module 15 and is specifically used to decompress the threshold-sized data that reading module 15 has read from the application installation package.
Further optionally, reading module 15 of the device of this embodiment is also used, if judging module 14 determines that the size of the not-yet-decompressed data of the application installation package is less than the threshold, to read the not-yet-decompressed data in the application installation package; decompression module 10 is specifically used to decompress the not-yet-decompressed data, smaller than the threshold, that reading module 15 has read from the application installation package.
Further optionally, the application installation package in the device of this embodiment is an apk file.
Further optionally, the characteristic information of the application installation package in the device of this embodiment comprises at least one of an extracted class name, method name and constant string.
Optionally, the device of this embodiment further comprises a threshold determination module, which is used to preset the threshold or to determine the threshold according to the size of the application installation package.
The device of the embodiment shown in Fig. 4 illustrates the technical solution of the present invention by taking the inclusion of all the above optional technical solutions as an example. In practice, the above optional technical solutions can be combined in any feasible way to form optional technical solutions of embodiments of the present invention, which are not enumerated one by one here.
The device of this embodiment uses the above modules to extract the characteristic information of the application installation package by the same mechanism as the related method embodiments above. For details, refer to the description of those method embodiments, which is not repeated here.
With the above technical solution, compared with the prior art, which obtains the characteristic information from the whole executable file of the application installation package, the device of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application installation package, and improves the efficiency of obtaining characteristic information from the application installation package.
Embodiment five
Fig. 5 is a schematic structural diagram of the client device provided by embodiment five of the present invention. As shown in Fig. 5, client device 20 of this embodiment comprises a characteristic information extraction device 30 for an application installation package.
Specifically, the characteristic information extraction device 30 in the client device of this embodiment can be the characteristic information extraction device shown in Fig. 3 or Fig. 4 above, and can be implemented using the method of the embodiment shown in Fig. 1 or Fig. 2 above.
Optionally, a preset virus characteristic library can also be provided in client device 20 of this embodiment. After the characteristic information extraction device 30 has extracted the characteristic information of the application installation package, client device 20 compares the characteristic information of the application installation package with the characteristic information of the virus samples in the virus characteristic library, and thereby judges whether the application installation package is a rogue program or a virus file. The preset virus characteristic library can contain multiple virus samples, and each virus sample can contain at least one piece of characteristic information. When the extracted characteristic information is all identical to the characteristic information contained in some virus sample in the virus characteristic library, the application installation package can be considered a rogue program or a virus file; otherwise the application installation package is a normal file. For details, refer to the related art, which is not repeated here.
Optionally, the client device of this embodiment comprises a mobile terminal, or can also comprise a fixed terminal. Further optionally, the client device of this embodiment comprises a mobile terminal on which the Android system is installed.
The client device of this embodiment uses the above characteristic information extraction device to decompress data of not more than a threshold in the application installation package; to analyze the decompressed data obtained by the decompression and obtain the critical data that contains characteristic information; to repeat these two steps until the application installation package has been completely decompressed and all the critical data in it has been obtained; and to parse all the critical data and extract the characteristic information of the application installation package from all the critical data. With the technical solution of this embodiment of the present invention, threshold-sized pieces of data can be decompressed in memory one at a time, and after each decompression the decompressed data is analyzed to obtain the critical data containing characteristic information, so the decompression process does not occupy a large amount of memory. Because only the critical data in the decompressed data is obtained after each decompression, and the total size of all the critical data is smaller than the size of the executable file in the application installation package, the characteristic information only needs to be extracted from all the critical data obtained. Compared with the prior art, which obtains the characteristic information from the whole executable file of the application installation package, the technical solution of this embodiment effectively reduces memory usage, shortens the time needed to extract the characteristic information of the application installation package, and improves the efficiency of obtaining characteristic information from the application installation package.
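The threshold-bounded decompress-and-filter loop of embodiments three and four and the library comparison of embodiment five, as an added Python example that is not code from the patent. The constructed sample package, the function names, the 32-byte threshold, the per-call output cap and the printable-string scan (which stands in for real DEX parsing) are all assumptions of the example.

```python
import io
import re
import struct
import zipfile
import zlib

PRINTABLE = bytes(range(0x20, 0x7F))
VIRUS_LIBRARY = {  # constructed characteristic library, not real indicators
    "Sample.A": {"Lcom/example/app/Loader;", "fetchConfig"},
    "Sample.B": {"Lcom/example/app/Loader;", "hideIcon"},
}

def build_sample_apk():
    """Constructed package: resource and config entries plus a fake classes.dex."""
    names = [b"Lcom/example/app/Loader;", b"fetchConfig",
             b"http://example.invalid/cfg", b"onCreate"]
    filler = bytes(0x80 + (i * 37) % 0x60 for i in range(600))  # non-printable
    dex = b"dex\n035\x00" + b"\x00\x01".join(names) + b"\x00" + filler
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("res/raw/blob.bin", b"RESOURCE-DATA " * 200)
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", dex)
    return buf.getvalue()

def raw_entry(apk, info):
    """Still-compressed bytes of one entry (local header: 30 bytes + name + extra)."""
    name_len, extra_len = struct.unpack_from("<HH", apk, info.header_offset + 26)
    start = info.header_offset + 30 + name_len + extra_len
    return apk[start:start + info.compress_size]

def iter_decompressed(raw, threshold, max_out):
    """Judge, read and decompress at most `threshold` compressed bytes per pass."""
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)  # ZIP entries are raw deflate
    pos = 0
    while pos < len(raw):  # package not yet completely decompressed
        remaining = len(raw) - pos
        size = threshold if remaining >= threshold else remaining
        buf, pos = raw[pos:pos + size], pos + size
        while buf:  # also cap the output of each call
            out = inflater.decompress(buf, max_out)
            buf = inflater.unconsumed_tail
            if out:
                yield out
    tail = inflater.flush()
    if tail:
        yield tail

class FeatureCollector:
    """Keeps printable runs (the assumed critical data) and drops everything else."""
    def __init__(self, min_len=6):
        self.pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
        self.carry = b""
        self.features = set()

    def feed(self, chunk):
        data = self.carry + chunk
        body = data.rstrip(PRINTABLE)
        self.carry = data[len(body):]  # a run that may continue in the next chunk
        self.features.update(m.decode("ascii") for m in self.pattern.findall(body))

    def finish(self):
        self.feed(b"\x00")  # terminate a run that reached the end of the stream
        return self.features

def extract_features(apk, threshold=32, max_out=16):
    collector, chunks = FeatureCollector(), 0
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if not re.fullmatch(r"classes\d*\.dex", info.filename):
                continue  # resource or configuration data: discarded, never inflated
            if info.compress_type != zipfile.ZIP_DEFLATED:
                raise ValueError("example handles deflated entries only")
            for chunk in iter_decompressed(raw_entry(apk, info), threshold, max_out):
                collector.feed(chunk)
                chunks += 1
    return collector.finish(), chunks

def match_library(features, library):
    """A sample matches when every one of its features was extracted."""
    return sorted(name for name, sig in library.items() if sig <= features)

if __name__ == "__main__":
    found, chunks = extract_features(build_sample_apk())
    print(chunks, sorted(found), match_library(found, VIRUS_LIBRARY))
```

The output cap is an addition of this example: a threshold on the compressed bytes read does not by itself bound the size of what they inflate to. The carry buffer handles a class or method name that is split across two decompressed chunks.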
It should be noted that the characteristic information extraction device provided by the above embodiments is illustrated, when extracting the characteristic information of an application installation package, only with the above division into functional modules. In practice, the above functions can be assigned to different functional modules as required, that is, the internal structure of the device can be divided into different functional modules to perform all or part of the functions described above. In addition, the device embodiments and the method embodiments for extracting the characteristic information of an application installation package provided above belong to the same concept; for the specific implementation process, see the method embodiments, which is not repeated here.
The sequence numbers of the above embodiments of the present invention are for description only and do not indicate the merits of the embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments can be implemented by hardware, or by a program instructing the relevant hardware. The program can be stored in a computer-readable storage medium, and the storage medium mentioned above can be a read-only memory, a magnetic disk, an optical disc, or the like.
The foregoing is only a preferred embodiment of the present invention and is not intended to limit the present invention. Any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for extracting characteristic information of an application installation package, characterized in that the method comprises:
decompressing data of not more than a threshold in the application installation package;
analyzing the decompressed data obtained by the decompression, discarding the data of resource files or configuration files in the decompressed data, and retaining the critical data, containing characteristic information, of the executable file of the application installation package;
repeating the above two steps until the application installation package has been completely decompressed and all the critical data in the application installation package has been obtained, parsing all the critical data, and extracting the characteristic information of the application installation package from all the critical data.
2. The method according to claim 1, characterized in that the threshold is a preset value or is determined according to the size of the application installation package.
3. The method according to any one of claims 1-2, characterized in that the characteristic information of the application installation package comprises at least one of a class name, a method name and a constant string.
4. A device for extracting characteristic information of an application installation package, characterized in that the device comprises:
a decompression module, used to decompress data of not more than a threshold in the application installation package;
an acquisition module, used to analyze the decompressed data obtained by the decompression module, discard the data of resource files or configuration files in the decompressed data, and retain the critical data, containing characteristic information, of the executable file of the application installation package;
a control module, used to control the decompression module and the acquisition module to repeat the corresponding operations until the application installation package has been completely decompressed and the acquisition module has obtained all the critical data in the application installation package;
an extraction module, used to parse all the critical data and extract the characteristic information of the application installation package from all the critical data obtained by the acquisition module.
5. The device according to claim 4, characterized in that the device further comprises a threshold determination module:
the threshold determination module is used to preset the threshold or to determine the threshold according to the size of the application installation package.
6. The device according to claim 4 or 5, characterized in that the characteristic information of the application installation package comprises at least one of a class name, a method name and a constant string.
7. A method for extracting characteristic information from an apk file, characterized in that it uses the method according to any one of claims 1-3.
8. A client device, characterized in that the client device comprises the device for extracting characteristic information of an application installation package according to any one of claims 4-6.
9. The device according to claim 8, characterized in that the client device comprises a mobile terminal.
10. The device according to claim 8, characterized in that the client device comprises a mobile terminal on which the Android system is installed.
CN201210250545.9A 2012-07-19 2012-07-19 Method and device for extracting characteristic information of application program installation package as well as client equipment Active CN102789506B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201210250545.9A CN102789506B (en) 2012-07-19 2012-07-19 Method and device for extracting characteristic information of application program installation package as well as client equipment
KR1020147023000A KR101691948B1 (en) 2012-07-19 2013-07-11 Method, apparatus and client device for extracting signature information from application installation packages
PCT/CN2013/079222 WO2014012459A1 (en) 2012-07-19 2013-07-11 Method, apparatus and client device for extracting signature information from application installation packages

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201210250545.9A CN102789506B (en) 2012-07-19 2012-07-19 Method and device for extracting characteristic information of application program installation package as well as client equipment

Publications (2)

Publication Number Publication Date
CN102789506A CN102789506A (en) 2012-11-21
CN102789506B true CN102789506B (en) 2014-09-24

Family

ID=47154909

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210250545.9A Active CN102789506B (en) 2012-07-19 2012-07-19 Method and device for extracting characteristic information of application program installation package as well as client equipment

Country Status (3)

Country Link
KR (1) KR101691948B1 (en)
CN (1) CN102789506B (en)
WO (1) WO2014012459A1 (en)

Also Published As

Publication number Publication date
CN102789506A (en) 2012-11-21
WO2014012459A1 (en) 2014-01-23
KR101691948B1 (en) 2017-01-02
KR20140114437A (en) 2014-09-26

Similar Documents

Publication Publication Date Title
CN102789506B (en) Method and device for extracting characteristic information of application program installation package as well as client equipment
CN102799826B (en) The detection method of application program installation kit decompression procedure and device, client device
US10165001B2 (en) Method and device for processing computer viruses
US8990148B1 (en) System and method for dynamic hierarchical data parsing
CN109960932B (en) File detection method and device and terminal equipment
CN103778373A (en) Virus detection method and device
CN105975311A (en) Application startup method and device
CN103246566A (en) Resource monitoring method and device for application program
US9520896B1 (en) Non-transitory computer-readable recording medium, encoding method, encoding device, decoding method, and decoding device
CN112417014A (en) Dynamic modification execution plan method, system, and computer-readable storage medium
CN108279988B (en) Message processing method and system based on Lua script language
US10831669B2 (en) Systems, methods and computer program products using multi-tag storage for efficient data compression in caches
CN108446300B (en) Data information scanning method and device
CN107169057B (en) Method and device for detecting repeated pictures
US11429317B2 (en) Method, apparatus and computer program product for storing data
CN109617708B (en) Compression method, device and system for embedded point log
KR20140108378A (en) Detecting system and detecting method for malicious code infection of compressed file
CN108965295A (en) A kind of compressing file merging method and relevant apparatus
CN114253479A (en) CAN bus intrusion detection method and system
CN114942781A (en) Data format adaptation method and device for data reading
CN111414299B (en) SSD (solid State disk) extension information acquisition method and device based on hdchart
Wang et al. Research on intelligent reverse analysis technology of firmware of internet of things
CN111338956A (en) Automatic pressure measurement method, device, equipment and storage medium
US20230030049A1 (en) Device and method for generating graphical user interface test case
CN113031959B (en) Variable replacement method, device, system and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant