CN103761475A - Method and device for detecting malicious code in intelligent terminal - Google Patents

Info

Publication number: CN103761475A
Authority: CN (China)
Prior art keywords: function, virtual machine, decompiling, malicious code, information structure
Prior art date
Legal status: Granted
Application number: CN201310746029.XA
Other languages: Chinese (zh)
Other versions: CN103761475B (en)
Inventors: 杨康, 陈卓, 唐海
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd
Priority date
Filing date
Publication date
Events:
    • Application filed by Beijing Qihoo Technology Co Ltd
    • Priority to CN201310746029.XA (granted as CN103761475B)
    • Publication of CN103761475A
    • Priority to PCT/CN2014/083908 (WO2015101042A1)
    • Priority to US15/108,927 (US9792433B2)
    • Priority to PCT/CN2014/090032 (WO2015101096A1)
    • Application granted
    • Publication of CN103761475B
    • Priority to US15/714,721 (US10114946B2)
    • Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Abstract

The invention discloses a method and a device for detecting malicious code in an intelligent terminal. The method comprises the steps of obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system; decompiling the virtual machine executable file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting a function call sequence from it; and matching the function call sequence against a preset malicious code feature library, confirming that the virtual machine executable file of the application program contains malicious code if the match succeeds. With the method and device, whether an application program contains malicious code can be analysed and confirmed from its virtual machine executable file, so tampered application programs or malicious software can be found and removed and the security of the intelligent terminal ensured.

Description

Method and device for detecting malicious code in an intelligent terminal
Technical field
The present invention relates to the field of intelligent terminal security, and in particular to a method and device for detecting malicious code in an intelligent terminal.
Background technology
With the development of science and technology, intelligent terminals offer more and more functions. For example, mobile phones have evolved from traditional GSM and TDMA digital phones into smartphones that can process multimedia resources and provide web browsing, teleconferencing, e-commerce and many other information services. However, the personal data security problems caused by mobile phone malicious code have followed: attacks are increasingly serious, the kinds of malicious code ever more varied, and more and more smartphone users suffer from mobile phone viruses.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method and device for detecting malicious code in an intelligent terminal that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method for detecting malicious code in an intelligent terminal is provided, comprising: obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system; decompiling the virtual machine executable file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting the function call sequence from it; and matching the function call sequence against a preset malicious code feature library and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
Preferably, the method further comprises: obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure; and extracting the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the method further comprises: determining the functionality of the function by analysing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions executed in order by the multiple function call sequences comprise: decrypting a string, creating a message digest instance, obtaining a pointer to the string, and hash encryption.
Preferably, matching the function call sequence using the preset malicious code feature library comprises: performing functional similarity matching on the function call sequence, and/or performing functional feature fuzzy matching on the function call sequence, against the preset malicious code feature library.
Preferably, the function with a certain functionality formed by the multiple function call sequences is taken as the target feature, and matching the function call sequence using the preset malicious code feature library comprises: performing functional similarity matching on the target feature, and/or performing functional feature fuzzy matching on the target feature, against the preset malicious code feature library.
Preferably, sample feature scan-and-kill (detection and removal), virtual-machine-based scan-and-kill, heuristic scan-and-kill, and/or similar sample clustering are performed on the virtual machine executable file.
Preferably, decompiling the virtual machine executable file to obtain the decompiled function information structure comprises: parsing the virtual machine executable file according to the virtual machine executable file format to obtain the function information structure of each class; and determining the position and size of each function of the virtual machine executable file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, determining the position and size of each function of the virtual machine executable file according to the fields in the function information structure comprises: parsing the function information structure to obtain the bytecode array field, which indicates the position of the function in the virtual machine executable file, and the list length field, which indicates the size of the function; and determining the position and size of the function according to the bytecode array field and the list length field.
Preferably, decompiling the virtual machine executable file to obtain the decompiled function information structure comprises: decompiling the virtual machine executable file into virtual machine bytecode using a virtual machine executable file decompilation tool.
Preferably, obtaining the virtual machine executable file of the application program from the application layer of the intelligent terminal operating system comprises: finding the installation package of the application program in the application layer of the intelligent terminal operating system; and parsing the installation package to obtain the virtual machine executable file of the application program.
Preferably, the operating system is the Android system.
According to another aspect of the present invention, a device for detecting malicious code in an intelligent terminal is provided, comprising: a file acquisition unit for obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system; a decompilation unit for decompiling the virtual machine executable file to obtain a decompiled function information structure; an extraction unit for parsing the decompiled function information structure and extracting the function call sequence from it; and a detection unit for matching the function call sequence against a preset malicious code feature library and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
Preferably, the device further comprises a parsing unit for obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure; the extraction unit extracts the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the device further comprises a function purpose determining unit for determining the functionality of the function by analysing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions executed in order by the multiple function call sequences, as determined by the function purpose determining unit, comprise: decrypting a string, creating a message digest instance, obtaining a pointer to the string, and hash encryption.
Preferably, the detection unit is specifically for performing functional similarity matching and/or functional feature fuzzy matching on the function call sequence against the preset malicious code feature library.
Preferably, the detection unit is specifically for performing functional similarity matching and/or functional feature fuzzy matching on the target feature against the preset malicious code feature library, where the target feature is the function with a certain functionality formed by the multiple function call sequences.
Preferably, the detection unit performs sample feature scan-and-kill, virtual-machine-based scan-and-kill, heuristic scan-and-kill, and/or similar sample clustering on the virtual machine executable file.
Preferably, the decompilation unit is specifically for parsing the virtual machine executable file according to the virtual machine executable file format to obtain the function information structure of each class, and determining the position and size of each function of the virtual machine executable file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, the decompilation unit parses the function information structure to obtain the bytecode array field, which indicates the position of the function in the virtual machine executable file, and the list length field, which indicates the size of the function, and determines the position and size of the function according to the bytecode array field and the list length field.
Preferably, the decompilation unit is specifically for decompiling the virtual machine executable file into virtual machine bytecode using a virtual machine executable file decompilation tool.
Preferably, the acquisition unit is specifically for finding the installation package of the application program in the application layer of the intelligent terminal operating system, and parsing the installation package to obtain the virtual machine executable file of the application program.
Preferably, the operating system is the Android system.
It can be seen that the embodiments of the present invention obtain a function call sequence through format parsing and decompilation of the dex file, use the function call sequence as a basic feature, and match it against the malicious code feature library, thereby determining whether the dex file contains malicious code. In addition, the functionality of a function can be analysed and determined from its function call sequence, so the code of a series of function call sequences can be taken as a target feature and matched against the malicious code feature library, again determining whether the dex file contains malicious code.
By applying the scheme of the present invention, whether an application program contains malicious code can be analysed and determined from its dex file, so tampered application programs or malware can be detected and removed, protecting the security of the intelligent terminal.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented according to the content of the specification, and that the above and other objects, features and advantages of the present invention become more apparent, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered limiting of the present invention. Throughout the drawings, identical parts are denoted by identical reference symbols. In the drawings:
Fig. 1 shows a flow chart of a method for detecting malicious code in an intelligent terminal according to an embodiment of the present invention; and
Fig. 2 shows a schematic structural diagram of a device for detecting malicious code in an intelligent terminal according to an embodiment of the present invention.
Detailed description of the embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure can be realised in various forms and should not be limited by the embodiments set forth here. On the contrary, these embodiments are provided so that the present disclosure will be understood more thoroughly and so that its full scope can be conveyed to those skilled in the art.
Taking the Android operating system as an example, it comprises an application layer (app layer) and a system framework layer (framework layer); other layers that may exist in a functional division are not discussed in the present invention. The app layer can generally be understood as the upper layer, responsible for the interface that interacts with the user, for example maintaining applications and recognising different kinds of clicked content when a page is clicked so as to display different context menus. The framework layer is generally the middle layer; its main responsibility is to forward the user requests obtained by the app layer, such as starting a program, saving a picture, clicking a link or clicking a button, down to the lower layers, and to distribute the content processed by the lower layers back to the upper layer, either by message or through an intermediary (proxy) class, for display to the user.
Dalvik is the Java virtual machine for the Android platform. Dalvik is optimised to allow multiple virtual machine instances to run simultaneously in limited memory, and each Dalvik application executes as an independent Linux process. Independent processes prevent all programs from being closed when one virtual machine crashes. The Dalvik virtual machine supports running Java applications that have been converted to the dex (Dalvik Executable) format, a compressed format designed specifically for Dalvik and suited to systems with limited memory and processor speed.
It can be seen that in the Android system the dex file is the virtual machine executable file loaded and run directly by the Dalvik virtual machine (Dalvik VM). Through the ADT (Android Development Tools), Java source code is converted into a dex file by a complex compilation process. The dex file is the result of optimisation for embedded systems: the Dalvik virtual machine's instruction code is not the standard Java virtual machine instruction code but its own proprietary instruction set. Many class names and constant strings are shared within the dex file, which makes it smaller and faster to run.
The inventors found during their research that by parsing a dex file the functionality of the functions in the dex file can be learned, and on that basis it can be judged whether the dex file contains malicious code (covering both the case where the dex file itself is malware and the case where the dex file has been tampered with).
Referring to Fig. 1, a flow chart of a method for detecting malicious code in an intelligent terminal according to an embodiment of the present invention is shown.
The method for detecting malicious code in an intelligent terminal comprises the following steps.
S101: obtaining the virtual machine executable file of the application program from the application layer of the intelligent terminal operating system, for example obtaining the application program's dex file;
As mentioned above, the Android operating system comprises an application layer (app layer) and a system framework layer (framework layer); the present invention focuses on research and improvement at the app layer. However, those skilled in the art will understand that when Android starts, the Dalvik VM monitors all programs (APK files) and the framework and creates a dependency tree for them. The Dalvik VM uses this dependency tree to optimise the code of each program and stores it in the Dalvik cache (dalvik-cache), so that all programs use the optimised code at run time. When a program (or framework library) changes, the Dalvik VM re-optimises the code and stores it in the cache again. cache/dalvik-cache holds the dex files generated from the programs on the system, and data/dalvik-cache holds the dex files generated from data/app. That is, the present invention focuses on analysing and processing the dex files generated from data/app, but it should be understood that the theory and operations of the present invention apply equally to the dex files generated from the programs on the system.
The dex file can be obtained by parsing the APK (Android Package, the Android installation package). An APK file is in fact a zip-format compressed archive whose suffix has been changed to apk; after unzipping it, the dex file can be obtained.
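The following is an added example, not code from the patent or from Qihoo: it treats the APK as the zip archive described above, pulls out every root-level classes*.dex entry (multidex applications ship classes.dex, classes2.dex, ...) and checks the dex magic before accepting the bytes. The sample APK it builds in memory is constructed here and contains only header-sized dex stubs.

```python
from __future__ import annotations
import io
import zipfile


def is_dex(data: bytes) -> bool:
    """True if data starts with the dex magic: "dex\\n", a three-digit version, then a NUL byte."""
    return len(data) >= 8 and data[:4] == b"dex\n" and data[4:7].isdigit() and data[7] == 0


def extract_dex_files(apk_bytes: bytes) -> dict[str, bytes]:
    """Return {entry name: contents} for every classes*.dex at the root of the APK (an ordinary zip).

    A .dex under assets/ or elsewhere is not loaded by the runtime as application code, so it is
    skipped; an entry that carries the classes*.dex name but not the dex magic is rejected outright.
    """
    found: dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if "/" in name or not (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = zf.read(name)
            if not is_dex(data):
                raise ValueError(f"{name}: does not carry the dex magic ({data[:8]!r})")
            found[name] = data
    return found


def build_sample_apk() -> bytes:
    """Constructed sample APK: a manifest placeholder, two header-only dex stubs and a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest placeholder/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)   # magic + zeroed 112-byte header
        zf.writestr("classes2.dex", b"dex\n035\0" + b"\0" * 104)  # multidex secondary file
        zf.writestr("assets/notes.dex", b"not a real dex")          # must be ignored
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in extract_dex_files(build_sample_apk()).items():
        print(name, len(data), "bytes, magic", data[:8])
```

The magic check matters because the file name inside a zip is attacker-controlled: a scanner that trusts the name and hands arbitrary bytes to a dex parser is an easy target for parser crashes, so the decision to parse is taken only after the header passes.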
S102: decompiling the dex file to obtain the decompiled function information structure;
There are various ways to decompile (or disassemble) a dex file.
The first way is to parse the dex file according to the dex file format to obtain the function information structure of each class, and then determine the position and size of each function of the dex file according to the fields in the function information structure, thereby obtaining the decompiled function information structure. Specifically, by parsing the function information structure, the bytecode array field indicating the position of the function in the dex file and the list length field indicating the size of the function are obtained, and from these the position and size of the function are determined.
For example, the dex file is parsed according to the dex file format, each class is found and its function information structures are obtained. A function information structure comprises, for instance, the fields in Table 1.
Table 1
[Table 1 is an image in the original and is not reproduced here; the insns_size and insns fields it lists are described below.]
The insns_size field and the insns field in each function information structure indicate the size and the position of the function respectively. So, from these two fields, insns_size and insns, the information structure of the function can be decompiled. The decompiled information structure consists of Dalvik VM bytecode, which is described in detail later.
The second way is to decompile the dex file into virtual machine bytecode using a dex file decompilation tool.
As introduced above, the Dalvik virtual machine runs Dalvik bytecode, which exists in the form of a dex (Dalvik Executable) executable file; the Dalvik virtual machine runs code by interpreting the dex file. There are currently several tools that can disassemble a DEX file into Dalvik assembly code. Such dex file decompilation tools include: baksmali, Dedexer 1.26, dexdump, dexinspector (03-12-12), IDA Pro, androguard, dex2jar, 010Editor, etc.
It can be seen that by decompiling the dex file, all of the decompiled function information structures can be obtained. A function information structure contains the executable code of the function; in the embodiments of the present invention it consists of a virtual machine instruction sequence and a virtual machine mnemonic sequence, as in the example below, where the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence make up the function information structure.
For example, according to one embodiment of the invention, decompiling a dex file gives the following function information structure:
[The decompiled function listing is an image in the original and is not reproduced here; its machine-code and mnemonic columns are transcribed below.]
It can be seen that the dex file is decompiled into the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence.
S103: parsing the decompiled function information structure and extracting the function call sequence from it;
In the function information structure obtained by decompilation in the example above, the first two hex digits of each line in the machine-code field form the instruction (opcode) sequence (circled on the left of the example above), and the part corresponding to each instruction is its mnemonic (circled on the right of the example above; not all of them are marked). Mnemonics exist mainly to make it convenient for people to read and discuss the code.
From the example above, the instruction sequence of the function obtained by decompiling the dex file is: "125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a391238546e54710e012854136e". The mnemonic sequence is: "const/4 iget-object if-eqz invoke-static move-result-object invoke-virtual move-result-object invoke-virtual move-result if-eqz iget-object iget-object invoke-virtual move-result-object invoke-virtual iget-object invoke-virtual move-result-object invoke-virtual move-result-object if-eqz invoke-interface move-result if-nez const/4 if-eqz iget-object invoke-virtual iget-object invoke-static return-void move goto iget-object const/16 invoke-virtual".
Next, the function call sequence can be extracted from the mnemonic sequence above. A function call sequence means code with a semantic function, for example the code for decrypting a string or creating an instance, as described later.
[The annotated listing is an image in the original and is not reproduced here; the boxed calls are listed in the numbered example below.]
The boxed parts of the previous example are the relevant function calls.
These calls are extracted and ordered by calling order to form the function call sequence; the calling sequence of a function essentially describes the behaviour of that function.
From the example above:
1: "Lcom/mzhengDS;.DecryptString:Ljava/lang/String"
Code analysis shows that the function decrypts a string.
2: "invoke-static{v0},Ljava/security/MessageDigest;.getInstance:Ljava/security/MessageDigest"
Code analysis shows that the program creates a message digest instance; one can guess that it may be preparing to use a hash algorithm such as MD5 or SHA to encrypt (hash) the string decrypted in step 1.
3: "invoke-virtual{v6},Ljava/lang/String;.getBytes:[B"
This obtains a pointer to a string; one can guess that it may be the string decrypted in step 1, and that the pointer is obtained so that the instance from step 2 can encrypt the string.
4: "invoke-virtual{v0,v1},Ljava/security/MessageDigest;.update:V";
"invoke-virtual{v0},Ljava/security/MessageDigest;.digest:[B"
These two function calls confirm the above judgement: from the function names it can be learned that the data has been hash-encrypted.
From the example above it can be seen that the functionality of a function can basically be analysed and determined from its calling sequence.
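The following is an added example, not code from the patent or from Qihoo, covering steps S102 and S103 together. It does two things: it maps the patent's own opcode-byte string (the first two hex digits of each decompiled line) to the mnemonic sequence quoted above, and it walks a code_item (the structure whose insns_size and insns fields Table 1 describes) instruction by instruction, resolving each invoke-* to a method name and register list. The opcode table is a subset of the real Dalvik opcodes with their real instruction lengths; the code_item header layout is the real dex layout. The METHOD_IDS table and the hand-encoded SAMPLE_UNITS are constructed stand-ins: a real parser would resolve method indices through the dex method_ids, type_ids and string_ids sections.

```python
from __future__ import annotations
import struct

# Subset of real Dalvik opcodes: opcode byte -> (mnemonic, instruction length in 16-bit code units).
# Lengths follow the Dalvik instruction formats (10x/11x/12x/11n/10t = 1, 21t/21s/22c = 2, 35c = 3).
OPCODES = {
    0x01: ("move", 1), 0x0a: ("move-result", 1), 0x0c: ("move-result-object", 1),
    0x0e: ("return-void", 1), 0x12: ("const/4", 1), 0x13: ("const/16", 2),
    0x28: ("goto", 1), 0x38: ("if-eqz", 2), 0x39: ("if-nez", 2), 0x54: ("iget-object", 2),
    0x6e: ("invoke-virtual", 3), 0x71: ("invoke-static", 3), 0x72: ("invoke-interface", 3),
}
INVOKE_OPS = {0x6e, 0x71, 0x72}

# The opcode-byte sequence quoted in the patent's own example (one byte per decompiled line).
PAGE_OPCODES = ("125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a391238546e"
                "54710e012854136e")


def opcodes_to_mnemonics(hex_opcodes: str) -> list[str]:
    """Map each opcode byte of the decompiled listing to its mnemonic."""
    return [OPCODES[int(hex_opcodes[i:i + 2], 16)][0] for i in range(0, len(hex_opcodes), 2)]


def call_sequence(mnemonics: list[str]) -> list[str]:
    """The function call sequence is the ordered list of invoke-* instructions."""
    return [m for m in mnemonics if m.startswith("invoke-")]


# Constructed stand-in for the dex method_ids table (assumption; names follow the patent's example).
METHOD_IDS = {
    0: "Lcom/mzhengDS;.DecryptString",
    1: "Ljava/security/MessageDigest;.getInstance",
    2: "Ljava/lang/String;.getBytes",
    3: "Ljava/security/MessageDigest;.update",
    4: "Ljava/security/MessageDigest;.digest",
}

# Real code_item header: registers_size, ins_size, outs_size, tries_size, debug_info_off, insns_size.
CODE_ITEM_HEADER = "<HHHHII"


def build_code_item(units: list[int]) -> bytes:
    """Constructed code_item: real header layout, made-up register counts, no tries or debug info."""
    header = struct.pack(CODE_ITEM_HEADER, 8, 1, 2, 0, 0, len(units))
    return header + struct.pack("<%dH" % len(units), *units)


def decode_code_item(code_item: bytes) -> tuple[list[str], list[tuple[str, list[int]]]]:
    """Walk the insns array (offset 16, insns_size code units) and return
    (mnemonic sequence, resolved function call sequence as (method name, registers))."""
    *_, insns_size = struct.unpack_from(CODE_ITEM_HEADER, code_item, 0)
    units = struct.unpack_from("<%dH" % insns_size, code_item, struct.calcsize(CODE_ITEM_HEADER))
    mnemonics, calls, pc = [], [], 0
    while pc < insns_size:
        op = units[pc] & 0xff
        if op not in OPCODES:
            raise ValueError("opcode 0x%02x at unit %d is not in this example's table" % (op, pc))
        name, length = OPCODES[op]
        if pc + length > insns_size:
            raise ValueError("truncated instruction at unit %d" % pc)   # refuse to read past insns
        mnemonics.append(name)
        if op in INVOKE_OPS:                     # format 35c: A|G|op  BBBB  F|E|D|C
            count = units[pc] >> 12              # A: number of argument registers
            reg_g = (units[pc] >> 8) & 0xf       # G: fifth register, if any
            nibbles = [(units[pc + 2] >> (4 * k)) & 0xf for k in range(4)]   # C, D, E, F
            regs = (nibbles + [reg_g])[:count]
            method_idx = units[pc + 1]           # BBBB: index into method_ids
            calls.append((METHOD_IDS.get(method_idx, "method@%d" % method_idx), regs))
        pc += length
    return mnemonics, calls


# Constructed insns for a function that decrypts a string and hashes it (steps 1-4 above),
# hand-encoded in the Dalvik instruction formats named in the comments.
SAMPLE_UNITS = [
    0x0112,                    # const/4 v1, #0                    (11n)
    0x1071, 0x0000, 0x0001,    # invoke-static {v1}, method@0      (35c) DecryptString
    0x060c,                    # move-result-object v6             (11x)
    0x1071, 0x0001, 0x0002,    # invoke-static {v2}, method@1      getInstance
    0x000c,                    # move-result-object v0
    0x106e, 0x0002, 0x0006,    # invoke-virtual {v6}, method@2     getBytes
    0x010c,                    # move-result-object v1
    0x206e, 0x0003, 0x0010,    # invoke-virtual {v0, v1}, method@3 update
    0x106e, 0x0004, 0x0000,    # invoke-virtual {v0}, method@4     digest
    0x010c,                    # move-result-object v1
    0x000e,                    # return-void                       (10x)
]

if __name__ == "__main__":
    print(" ".join(opcodes_to_mnemonics(PAGE_OPCODES)))
    mnemonics, calls = decode_code_item(build_code_item(SAMPLE_UNITS))
    print(mnemonics)
    for method, regs in calls:
        print(method, regs)
```

Two design points worth noting. The page's listing gives one opcode byte per line, so the first function only needs a byte-to-mnemonic table, but a real insns array is a stream of 16-bit units in which instructions are one to five units long: decoding it requires the per-format length, and a decoder that does not bound-check against insns_size will read out of the function (and out of the file) on a malformed or deliberately truncated sample. Resolving invoke-* operands to method names is what turns the mnemonic sequence into the semantic call sequence used in S104.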
S104: matching the function call sequence against the preset malicious code feature library and, if the match succeeds, determining that the application program's dex file contains malicious code.
Malicious code is program code that propagates via storage media or networks and, without authorisation, damages the integrity of the operating system or steals undisclosed confidential information from the system. Taking mobile phones as an example, mobile phone malicious code means malicious code aimed at handheld devices such as mobile phones and PDAs. Mobile phone malicious code can be divided simply into replicating and non-replicating malicious code. Replicating malicious code mainly comprises viruses and worms, while non-replicating malicious code mainly comprises backdoor Trojans (Trojan Horse), rogue software, malicious mobile code and rootkit programs.
Mobile phone malicious code protection technology defends against malicious code, and there are several protection methods. For example, the feature value (signature) scanning method requires a malicious code feature library to be built in advance; a feature value stored in the library can be a continuous fixed string, or a definite feature string made up of several segments with other, unspecified characters between them. During scanning, the feature values or feature strings in the library are used to examine the file or memory to be checked, and finding a match determines that the target is infected with malicious code. Another example is virtual-machine-based malicious code protection, which mainly targets polymorphic and metamorphic viruses. A virtual machine here means a complete computer simulated in software with the full functionality of a hardware system, running in a fully isolated environment. This scheme, also called the software simulation method, is a software analyser that simulates and analyses the operation of a program by software means. Its essence is to simulate a small closed program execution environment in memory, in which every file to be scanned is executed virtually. When scanning with virtual machine technology, feature value scanning is still used first; when the target is found to have the characteristics of encrypted malicious code, the virtual machine module is started so that the encrypted code decodes itself, after which the traditional feature value scanning method can be applied. A further example is heuristic scanning, which mainly addresses the continual mutation of malicious code and strengthens research on unknown malicious code. The word "heuristic" comes from artificial intelligence and refers to "the ability of self-discovery" or "the knowledge and skill of judging things by some means or method". Heuristic scanning of malicious code means that the scanning software uses rules extracted from experience to find viruses by analysing a program's structure and behaviour. Because malicious code must achieve the aim of infecting and destroying, its common behaviours have certain characteristics, such as unconventional file reading and writing, terminating itself, or unconventionally switching into ring 0. Whether a program is malicious code can therefore be judged from the specific behaviour, or combination of behaviours, found by scanning. In addition, similar sample clustering can be performed on the target program, for example using the K-means clustering algorithm to cluster the samples that analysis has determined to be similar.
Whatever the protection method, its core comprises two parts: first, a well-organised malicious code feature library, and second, an efficient scanning algorithm (also called a matching algorithm). Matching algorithms are generally divided into single-pattern and multi-pattern matching algorithms. Single-pattern matching algorithms include the BF (Brute-Force), KMP (Knuth-Morris-Pratt), BM (Boyer-Moore) and QS (Quick Search) algorithms; multi-pattern matching algorithms include the classic DFSA multi-pattern matching algorithm and multi-pattern matching based on ordered binary trees. Matching algorithms can also be divided into fuzzy matching algorithms and similarity matching algorithms. Take the BF algorithm as an example: it is a simple and intuitive single-pattern matching algorithm and belongs to the fuzzy matching algorithms. Its basic idea is: first compare the first character s1 of the main string s with the first character t1 of the pattern t; if they are equal, continue comparing the subsequent characters one by one; otherwise compare the second character s2 of s with t1, and so on, until either every character of t matches a contiguous character sequence in s in turn (the match succeeds), in which case the position in the main string of the first character of that substring is returned, or no substring equal to t can be found in s (the match fails), in which case 0 is returned. Take the KMP algorithm as another example: it is an improved pattern matching algorithm whose biggest improvement over BF is that it uses the "partial match" information implicit in the pattern so that, when a mismatch occurs, the pointer i in the main string (pointing at the mismatched character) does not need to backtrack for the next comparison; instead the pointer j in the pattern (pointing at the position to compare next) "slides" backward as far as possible and comparison continues. This slide K is obtained from the next function. The KMP algorithm can be described as follows: suppose pointers i and j are each incremented by 1; if si is not equal to tj, i stays unchanged and j falls back to position next(j) and the comparison is made again; this repeats until a substring equal to the pattern string is found in the main string, or the whole main string has been searched without finding a string equal to the pattern string, at which point the algorithm ends.
In this step, the preset malicious code feature database is used to match the function call sequence; if the match succeeds, the dex file of the application program is determined to contain malicious code. Specifically, there are two cases. In the first case the function call sequence itself is the scanning target: the preset malicious code feature database is used to scan the function call sequence, for example by function similarity matching or by function feature fuzzy matching. In the second case the function with a certain functionality that multiple function call sequences together form is used as the target feature: the preset malicious code feature database is used to scan the target feature, again for example by function similarity matching or by function feature fuzzy matching.
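Matching a call sequence against the feature database, in working code. This is an added example and not the patent's implementation: kmp_find is the KMP search with the next function described in the algorithm discussion above, fuzzy_contains is one way to realize the function feature fuzzy matching named in this step (a wildcard signature, where '?' stands for one call and '*' for any run of calls), and similarity is one way to realize function similarity matching (an LCS ratio compared with a threshold). The wildcard syntax, the LCS score, the 0.75 threshold, the call names and the signatures in FEATURE_DB are all assumptions of the example; the patent names the matching kinds without defining them.

```python
"""Match one extracted function-call sequence against a feature database:
KMP exact search (the next-function algorithm above), wildcard fuzzy matching,
and an LCS similarity score. Added example; all names/signatures constructed."""
from typing import Dict, List, Sequence, Tuple


def build_next(pattern: Sequence[str]) -> List[int]:
    """next[j] = length of the longest proper prefix of pattern[:j+1] that is
    also its suffix; on a mismatch at j the pattern pointer slides back to
    next[j-1] while the text pointer i stays put."""
    nxt, k = [0] * len(pattern), 0
    for j in range(1, len(pattern)):
        while k and pattern[j] != pattern[k]:
            k = nxt[k - 1]
        if pattern[j] == pattern[k]:
            k += 1
        nxt[j] = k
    return nxt


def kmp_find(seq: Sequence[str], pattern: Sequence[str]) -> int:
    """Index of the first occurrence of pattern in seq, or -1 if absent."""
    if not pattern:
        return 0
    nxt, j = build_next(pattern), 0
    for i, tok in enumerate(seq):
        while j and tok != pattern[j]:
            j = nxt[j - 1]
        if tok == pattern[j]:
            j += 1
            if j == len(pattern):
                return i - j + 1
    return -1


def fuzzy_contains(seq: Sequence[str], pattern: Sequence[str]) -> bool:
    """Wildcard search: '?' matches exactly one call, '*' any run of calls.
    True if the pattern matches some contiguous window of seq (glob-style DP)."""
    pat = ["*", *pattern, "*"]                 # unanchored: anything may surround it
    n, m = len(seq), len(pat)
    dp = [[False] * (m + 1) for _ in range(n + 1)]
    dp[0][0] = True
    for j in range(1, m + 1):
        dp[0][j] = dp[0][j - 1] and pat[j - 1] == "*"
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if pat[j - 1] == "*":
                dp[i][j] = dp[i][j - 1] or dp[i - 1][j]
            else:
                dp[i][j] = dp[i - 1][j - 1] and pat[j - 1] in ("?", seq[i - 1])
    return dp[n][m]


def similarity(a: Sequence[str], b: Sequence[str]) -> float:
    """2*LCS/(|a|+|b|): 1.0 for identical sequences, degrades gracefully when
    junk calls are inserted or a call is dropped by an obfuscator."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return 2 * prev[-1] / (len(a) + len(b)) if a or b else 1.0


FEATURE_DB: Dict[str, List[str]] = {     # constructed signatures
    "exact.decrypt-substring-digest": [
        "Util.decryptString", "MessageDigest.getInstance", "String.substring",
        "String.getBytes", "MessageDigest.digest"],
    "fuzzy.decrypt-then-digest": ["Util.decryptString", "*", "MessageDigest.digest"],
    "similar.digest-and-imei": [
        "Util.decryptString", "MessageDigest.getInstance", "String.getBytes",
        "MessageDigest.digest", "TelephonyManager.getDeviceId"],
}
# Constructed call sequence of one method, as the extraction step would emit it.
SAMPLE_CALLS = [
    "Context.getPackageManager", "Util.decryptString", "MessageDigest.getInstance",
    "String.substring", "String.getBytes", "MessageDigest.digest",
    "TelephonyManager.getDeviceId",
]


def scan(seq: Sequence[str], db: Dict[str, List[str]],
         threshold: float = 0.75) -> List[Tuple[str, str, float]]:
    """Run every signature against one call sequence; returns (name, kind, score)."""
    hits: List[Tuple[str, str, float]] = []
    for name, sig in db.items():
        if any(t in ("*", "?") for t in sig):
            if fuzzy_contains(seq, sig):
                hits.append((name, "fuzzy", 1.0))
        elif kmp_find(seq, sig) >= 0:
            hits.append((name, "exact", 1.0))
        else:
            score = similarity(seq, sig)
            if score >= threshold:
                hits.append((name, "similar", round(score, 3)))
    return hits
```

Two practical points. A similarity computed over a whole method's call sequence shrinks as the method grows, so compare per-function sequences, or slide a window of the signature's length over a long sequence before scoring. A similarity or wildcard hit is also weaker evidence than an exact one: shared library code produces the same call fragments in benign apps, so a production scanner would require corroboration (several signatures, or the target-feature combination of several call sequences described above) before flagging the dex file.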
It should be noted that the present invention does not restrict which malicious code protection scheme is used to detect the malicious code; for example, the sample feature scanning (feature value scanning), virtual-machine-based scanning or heuristic scanning introduced above may be used, and similar-sample clustering may also be performed. Nor is the matching algorithm restricted; for example, the fuzzy matching algorithms or similarity matching algorithms introduced above may be used.
It can be seen that the embodiment of the present invention obtains the function call sequence by format parsing and decompiling the dex file, uses the function call sequence as the basic feature and matches it against the malicious code feature database, and thereby determines whether the dex file contains malicious code. In addition, the functionality of a function can be analyzed and determined from its function call sequences, so the code formed by a series of function call sequences can be used as one target feature and matched against the malicious code feature database to determine whether the dex file contains malicious code.
By applying the scheme of the present invention, whether an application program contains malicious code can be analyzed and determined from its dex file; tampered application programs or malware can thus be detected and removed, protecting the security of the intelligent terminal.
Corresponding to the above method, the embodiment of the present invention also provides a device for detecting malicious code in an intelligent terminal. The device may be implemented in software, in hardware, or in a combination of the two. Specifically, the device may be a terminal device, or a functional entity inside a device; for example, it may be a functional module inside a mobile phone. Preferably, the device runs under the Android operating system.
Referring to Fig. 2, the device comprises a file acquisition unit 201, a decompiling unit 202, an extraction unit 203 and a detecting unit 204.
Wherein:
The file acquisition unit 201 obtains the virtual machine executable file of the application program, for example a dex file, from the application layer of the intelligent terminal operating system;
The decompiling unit 202 decompiles the dex file to obtain the decompiled function information structure;
The extraction unit 203 parses the decompiled function information structure and extracts the function call sequence in the decompiled function information structure;
The detecting unit 204 uses the preset malicious code feature database to match the function call sequence and, if the match succeeds, determines that the dex file of the application program contains malicious code.
Preferably, the device further comprises a parsing unit 205:
The parsing unit 205 obtains a virtual machine mnemonic sequence by parsing the decompiled function information structure;
In this case, the extraction unit 203 extracts the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences; in this case the device further comprises:
A function functionality determining unit 206, which determines the functionality of the function by analyzing the instructions executed in order by the multiple function call sequences.
For example, the instructions executed in order by the multiple function call sequences determined by the function functionality determining unit 206 comprise: decrypting a string, creating a message signature instance, obtaining a substring of the string, and hash encryption.
Wherein the detecting unit 204 is specifically configured to use the preset malicious code feature database to perform function similarity matching on the function call sequence, and/or function feature fuzzy matching on the function call sequence;
Or the detecting unit 204 is specifically configured to use the preset malicious code feature database to perform function similarity matching on a target feature, and/or function feature fuzzy matching on the target feature, where the target feature is the function with a certain functionality formed by the multiple function call sequences determined by the function functionality determining unit 206.
In addition, the detecting unit 204 performs sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the dex file.
Wherein the decompiling unit 202 is specifically configured to parse the dex file according to the dex file format to obtain the function information structure of each class, and to determine the position and size of the functions of the dex file according to the fields in the function information structure, thereby obtaining the decompiled function information structure. Further, the decompiling unit 202 is also configured to parse the function information structure to obtain the bytecode array field that indicates the position of a function in the dex file and the list length field that indicates the size of the function, and to determine the position and size of the function of the dex file according to the bytecode array field and the list length field;
Or the decompiling unit 202 is specifically configured to decompile the dex file into virtual machine bytecode using a dex file decompiling tool.
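The decompiling unit's work on one method, in code, as an added example that is not the patent's implementation. It takes a single code_item (in a real dex file the class_data_item's encoded_method gives the code_off that points at it; that walk is not shown here), reads insns_size (the list length field) and insns (the bytecode array field) to get the function's size and position, and then sweeps the instructions for invoke-kind opcodes to emit the function call sequence. The opcode widths and the 35c/3rc invoke formats are those of the published Dalvik bytecode format; SAMPLE_CODE_ITEM and the METHOD_IDS table are constructed, with the body written to mirror the decrypt-string, digest-instance, substring, hash pattern that the text uses as its example.

```python
"""Parse a Dalvik code_item and extract its invoke sequence with a linear sweep
of the insns array. Added example, not the patent's code; code_item layout,
opcode widths and invoke formats follow the published dex format, while the
sample method body and METHOD_IDS table are constructed."""
import struct
from typing import Dict, List, Tuple

# code_item header (little-endian): registers_size, ins_size, outs_size,
# tries_size (u2), debug_info_off, insns_size (u4); then insns: u2[insns_size].
# insns_size is the list-length field, insns the bytecode-array field.
CODE_ITEM_HEADER = struct.Struct("<HHHHII")
INVOKE_NAMES = {0x6e: "invoke-virtual", 0x6f: "invoke-super", 0x70: "invoke-direct",
                0x71: "invoke-static", 0x72: "invoke-interface"}
INVOKE_NAMES.update({op + 6: name + "/range" for op, name in INVOKE_NAMES.items()})


def _opcode_lengths() -> Dict[int, int]:
    """Width of each opcode in 16-bit code units; unused opcodes stay absent."""
    n: Dict[int, int] = {}
    for lo, hi, w in [(0x00, 0x01, 1), (0x0a, 0x12, 1), (0x2d, 0x3d, 2), (0x44, 0x6d, 2),
                      (0x6e, 0x72, 3), (0x74, 0x78, 3), (0x7b, 0x8f, 1), (0x90, 0xaf, 2),
                      (0xb0, 0xcf, 1), (0xd0, 0xe2, 2)]:
        n.update({op: w for op in range(lo, hi + 1)})
    n.update({0x02: 2, 0x03: 3, 0x04: 1, 0x05: 2, 0x06: 3, 0x07: 1, 0x08: 2, 0x09: 3,
              0x13: 2, 0x14: 3, 0x15: 2, 0x16: 2, 0x17: 3, 0x18: 5, 0x19: 2, 0x1a: 2,
              0x1b: 3, 0x1c: 2, 0x1d: 1, 0x1e: 1, 0x1f: 2, 0x20: 2, 0x21: 1, 0x22: 2,
              0x23: 2, 0x24: 3, 0x25: 3, 0x26: 3, 0x27: 1, 0x28: 1, 0x29: 2, 0x2a: 3,
              0x2b: 3, 0x2c: 3})
    return n


OPCODE_LEN = _opcode_lengths()


def _payload_len(units: List[int], pc: int) -> int:
    """Length of a switch/array-data payload (a nop whose high byte is the ident)."""
    ident = units[pc]
    if ident == 0x0100:                              # packed-switch-payload
        return 4 + 2 * units[pc + 1]
    if ident == 0x0200:                              # sparse-switch-payload
        return 2 + 4 * units[pc + 1]
    if ident == 0x0300:                              # fill-array-data-payload
        size = units[pc + 2] | (units[pc + 3] << 16)
        return 4 + (size * units[pc + 1] + 1) // 2
    raise ValueError(f"unknown pseudo-instruction {ident:#06x} at unit {pc}")


def parse_code_item(buf: bytes, off: int = 0) -> Tuple[Dict[str, int], List[int]]:
    """Header fields plus insns as 16-bit units; insns_size is checked first."""
    names = ("registers_size", "ins_size", "outs_size", "tries_size",
             "debug_info_off", "insns_size")
    hdr = dict(zip(names, CODE_ITEM_HEADER.unpack_from(buf, off)))
    start = off + CODE_ITEM_HEADER.size
    if start + 2 * hdr["insns_size"] > len(buf):
        raise ValueError("insns_size runs past the end of the buffer")
    return hdr, list(struct.unpack_from(f"<{hdr['insns_size']}H", buf, start))


def extract_calls(units: List[int]) -> List[Tuple[int, str, int, List[int]]]:
    """Linear sweep; one (pc, mnemonic, method_idx, argument registers) per invoke."""
    calls, pc = [], 0
    while pc < len(units):
        op = units[pc] & 0xff
        if op == 0x00 and units[pc] >> 8:            # data payload: step over it whole,
            width = _payload_len(units, pc)          # never decode its words as code
        elif op in OPCODE_LEN:
            width = OPCODE_LEN[op]
        else:
            raise ValueError(f"unknown opcode {op:#04x} at unit {pc}")
        if pc + width > len(units):
            raise ValueError(f"instruction at unit {pc} is truncated")
        if op in INVOKE_NAMES:
            method_idx = units[pc + 1]
            if op <= 0x72:                           # 35c: A|G|op BBBB F|E|D|C
                count, g = units[pc] >> 12, (units[pc] >> 8) & 0xf
                regs = [(units[pc + 2] >> (4 * k)) & 0xf for k in range(min(count, 4))]
                regs += [g] if count == 5 else []
            else:                                    # 3rc: AA|op BBBB CCCC
                count, first = units[pc] >> 8, units[pc + 2]
                regs = list(range(first, first + count))
            calls.append((pc, INVOKE_NAMES[op], method_idx, regs))
        pc += width
    return calls


def call_sequence(code_item: bytes, method_ids: Dict[int, str]) -> List[str]:
    _, units = parse_code_item(code_item)
    return [method_ids.get(m, f"method@{m}") for _, _, m, _ in extract_calls(units)]


# Constructed method body: decrypt a string, create a digest instance, take a
# substring, hash it. Hex pairs are bytes in file order (little-endian units).
SAMPLE_CODE_ITEM = bytes.fromhex(
    "0400 0000 0300 0000 00000000 1c000000"  # regs=4 ins=0 outs=3 tries=0 dbg=0 insns_size=28
    "1a00 0100 7110 0000 0000 0c00"          # const-string v0; invoke-static {v0},m@0; move-result-object v0
    "1a01 0200 7110 0100 0100 0c01"          # const-string v1; invoke-static {v1},m@1; move-result-object v1
    "1202 1303 0800 6e30 0200 2003 0c00"     # const/4 v2; const/16 v3; invoke-virtual {v0,v2,v3},m@2; mro v0
    "6e10 0300 0000 0c00 6e20 0400 0100 0c00 1100"  # invoke-virtual {v0},m@3; invoke-virtual {v1,v0},m@4; return
)
METHOD_IDS = {   # constructed stand-in for the dex method_ids table
    0: "Lcom/example/Util;->decryptString(Ljava/lang/String;)Ljava/lang/String;",
    1: "Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;",
    2: "Ljava/lang/String;->substring(II)Ljava/lang/String;",
    3: "Ljava/lang/String;->getBytes()[B",
    4: "Ljava/security/MessageDigest;->digest([B)[B",
}
```

Three checks matter when this runs on untrusted input. insns_size is validated against the buffer before anything is read, so a crafted header cannot drive reads past the end. Switch and array-data payloads are stepped over by their own length; their words are data, and a packed-switch table can easily contain 0x106e, which would otherwise be counted as an invoke-virtual. An opcode the table does not know aborts the sweep instead of guessing a width, because a one-unit slip desynchronizes every later decode. Even so, a linear sweep sees only direct invokes: calls made through java.lang.reflect or from native code never appear in the sequence, which is one reason the text also allows virtual-machine-based and heuristic scanning alongside this step.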
Wherein the acquisition unit 201 is specifically configured to find the installation package of the application program from the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the dex file of the application program.
For the specific implementation details of the device, refer to the method embodiment; they are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described here, and that the above description of a specific language is given in order to disclose the best mode of the invention.
In the specification provided here, a large number of specific details are described. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some but not other features included in other embodiments, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for detecting malicious code in an intelligent terminal according to the embodiments of the invention. The invention may also be implemented as an equipment or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention discloses the following schemes:
A1. A method for detecting malicious code in an intelligent terminal, comprising:
obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system;
decompiling the virtual machine executable file to obtain a decompiled function information structure;
parsing the decompiled function information structure and extracting the function call sequence in the decompiled function information structure;
matching the function call sequence using a preset malicious code feature database and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
A2. The method according to A1, further comprising:
obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure;
extracting the function call sequence from the virtual machine mnemonic sequence.
A3. The method according to A1, wherein there are multiple function call sequences, and the method further comprises:
determining the functionality of the function by analyzing the instructions executed in order by the multiple function call sequences.
A4. The method according to A3, wherein the instructions executed in order by the multiple function call sequences comprise: decrypting a string, creating a message signature instance, obtaining a substring of the string, and hash encryption.
A5. The method according to A1, wherein matching the function call sequence using the preset malicious code feature database comprises:
performing function similarity matching on the function call sequence, and/or performing function feature fuzzy matching on the function call sequence, using the preset malicious code feature database.
A6. The method according to A3, wherein the function with a certain functionality formed by the multiple function call sequences is taken as a target feature;
and matching the function call sequence using the preset malicious code feature database comprises:
performing function similarity matching on the target feature, and/or performing function feature fuzzy matching on the target feature, using the preset malicious code feature database.
A7. The method according to A1, wherein sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering is performed on the virtual machine executable file.
A8. The method according to A1, wherein decompiling the virtual machine executable file to obtain the decompiled function information structure comprises:
parsing the virtual machine executable file according to the virtual machine executable file format to obtain the function information structure of each class;
determining the position and size of the functions of the virtual machine executable file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
A9. The method according to A8, wherein determining the position and size of the functions of the virtual machine executable file according to the fields in the function information structure comprises:
parsing the function information structure to obtain the bytecode array field that indicates the position of a function in the virtual machine executable file and the list length field that indicates the size of the function;
determining the position and size of the function of the virtual machine executable file according to the bytecode array field and the list length field.
A10. The method according to A1, wherein decompiling the virtual machine executable file to obtain the decompiled function information structure comprises:
decompiling the virtual machine executable file into virtual machine bytecode using a virtual machine executable file decompiling tool.
A11. The method according to A1, wherein obtaining the virtual machine executable file of the application program from the application layer of the intelligent terminal operating system comprises:
finding the installation package of the application program from the application layer of the intelligent terminal operating system;
parsing the installation package to obtain the virtual machine executable file of the application program.
A12. The method according to any one of A1 to A11, wherein the operating system is the Android system.
B13. A device for detecting malicious code in an intelligent terminal, comprising:
a file acquisition unit for obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system;
a decompiling unit for decompiling the virtual machine executable file to obtain a decompiled function information structure;
an extraction unit for parsing the decompiled function information structure and extracting the function call sequence in the decompiled function information structure;
a detecting unit for matching the function call sequence using a preset malicious code feature database and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
B14. The device according to B13, further comprising:
a parsing unit for obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure;
wherein the extraction unit extracts the function call sequence from the virtual machine mnemonic sequence.
B15. The device according to B13, wherein there are multiple function call sequences, and the device further comprises:
a function functionality determining unit for determining the functionality of the function by analyzing the instructions executed in order by the multiple function call sequences.
B16. The device according to B15, wherein the instructions executed in order by the multiple function call sequences determined by the function functionality determining unit comprise: decrypting a string, creating a message signature instance, obtaining a substring of the string, and hash encryption.
B17. The device according to B13, wherein the detecting unit is specifically configured to perform function similarity matching on the function call sequence, and/or function feature fuzzy matching on the function call sequence, using the preset malicious code feature database.
B18. The device according to B15, wherein the detecting unit is specifically configured to perform function similarity matching on a target feature, and/or function feature fuzzy matching on the target feature, using the preset malicious code feature database, the target feature being the function with a certain functionality formed by the multiple function call sequences.
B19. The device according to B13, wherein the detecting unit performs sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the virtual machine executable file.
B20. The device according to B13, wherein the decompiling unit is specifically configured to parse the virtual machine executable file according to the virtual machine executable file format to obtain the function information structure of each class, and to determine the position and size of the functions of the virtual machine executable file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
B21. The device according to B20, wherein the decompiling unit parses the function information structure to obtain the bytecode array field that indicates the position of a function in the virtual machine executable file and the list length field that indicates the size of the function, and determines the position and size of the function of the virtual machine executable file according to the bytecode array field and the list length field.
B22. The device according to B13, wherein the decompiling unit is specifically configured to decompile the virtual machine executable file into virtual machine bytecode using a virtual machine executable file decompiling tool.
B23. The device according to B13, wherein the acquisition unit is specifically configured to find the installation package of the application program from the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the virtual machine executable file of the application program.
B24. The device according to any one of B13 to B23, wherein the operating system is the Android system.

Claims (10)

1. A method for detecting malicious code in an intelligent terminal, characterized in that it comprises:
obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system;
decompiling the virtual machine executable file to obtain a decompiled function information structure;
parsing the decompiled function information structure and extracting the function call sequence in the decompiled function information structure;
matching the function call sequence using a preset malicious code feature database and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
2. The method according to claim 1, characterized in that it further comprises:
obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure;
extracting the function call sequence from the virtual machine mnemonic sequence.
3. The method according to claim 1, characterized in that there are multiple function call sequences, and the method further comprises:
determining the functionality of the function by analyzing the instructions executed in order by the multiple function call sequences.
4. The method according to claim 3, characterized in that the instructions executed in order by the multiple function call sequences comprise: decrypting a string, creating a message signature instance, obtaining a substring of the string, and hash encryption.
5. The method according to claim 1, characterized in that matching the function call sequence using the preset malicious code feature database comprises:
performing function similarity matching on the function call sequence, and/or performing function feature fuzzy matching on the function call sequence, using the preset malicious code feature database.
6. The method according to claim 3, characterized in that the function with a certain functionality formed by the multiple function call sequences is taken as a target feature;
and matching the function call sequence using the preset malicious code feature database comprises:
performing function similarity matching on the target feature, and/or performing function feature fuzzy matching on the target feature, using the preset malicious code feature database.
7. The method according to claim 1, characterized in that sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering is performed on the virtual machine executable file.
8. The method according to claim 1, characterized in that decompiling the virtual machine executable file to obtain the decompiled function information structure comprises:
parsing the virtual machine executable file according to the virtual machine executable file format to obtain the function information structure of each class;
determining the position and size of the functions of the virtual machine executable file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
9. The method according to claim 8, characterized in that determining the position and size of the functions of the virtual machine executable file according to the fields in the function information structure comprises:
parsing the function information structure to obtain the bytecode array field that indicates the position of a function in the virtual machine executable file and the list length field that indicates the size of the function;
determining the position and size of the function of the virtual machine executable file according to the bytecode array field and the list length field.
10. A device for detecting malicious code in an intelligent terminal, characterized in that it comprises:
a file acquisition unit for obtaining the virtual machine executable file of an application program from the application layer of the intelligent terminal operating system;
a decompiling unit for decompiling the virtual machine executable file to obtain a decompiled function information structure;
an extraction unit for parsing the decompiled function information structure and extracting the function call sequence in the decompiled function information structure;
a detecting unit for matching the function call sequence using a preset malicious code feature database and, if the match succeeds, determining that the virtual machine executable file of the application program contains malicious code.
CN201310746029.XA 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal Active CN103761475B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201310746029.XA CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal
PCT/CN2014/083908 WO2015101042A1 (en) 2013-12-30 2014-08-07 Method and device for detecting malicious code in smart terminal
US15/108,927 US9792433B2 (en) 2013-12-30 2014-10-31 Method and device for detecting malicious code in an intelligent terminal
PCT/CN2014/090032 WO2015101096A1 (en) 2013-12-30 2014-10-31 Method and device for detecting malicious code in smart terminal
US15/714,721 US10114946B2 (en) 2013-12-30 2017-09-25 Method and device for detecting malicious code in an intelligent terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310746029.XA CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal

Publications (2)

Publication Number Publication Date
CN103761475A true CN103761475A (en) 2014-04-30
CN103761475B CN103761475B (en) 2017-04-26

Family

ID=50528711

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310746029.XA Active CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal

Country Status (2)

Country Link
CN (1) CN103761475B (en)
WO (1) WO2015101042A1 (en)

Cited By (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104268473A (en) * 2014-09-23 2015-01-07 龙芯中科技术有限公司 Method and device for detecting application programs
CN104657661A (en) * 2015-01-26 2015-05-27 武汉安天信息技术有限责任公司 Method and device for detecting malicious code in mobile terminal
WO2015101042A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
WO2015101043A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
WO2015101096A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
CN105550581A (en) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Malicious code detection method and device
CN105653949A (en) * 2014-11-17 2016-06-08 华为技术有限公司 Malicious program detection method and device
CN105978911A (en) * 2016-07-15 2016-09-28 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN106130959A (en) * 2016-06-12 2016-11-16 微梦创科网络科技(中国)有限公司 Malicious application recognition methods and device
CN106529294A (en) * 2016-11-15 2017-03-22 广东华仝九方科技有限公司 Method for determining and filtering mobile phone viruses
CN106650426A (en) * 2016-12-09 2017-05-10 哈尔滨安天科技股份有限公司 Method and system for dynamically extracting executable file memory maps
CN106682505A (en) * 2016-05-04 2017-05-17 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
CN106909841A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of method and device for judging viral code
CN106909844A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 The sorting technique and device of a kind of application program sample
CN106909839A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 A kind of method and device for extracting sample code feature
CN106940771A (en) * 2016-01-04 2017-07-11 阿里巴巴集团控股有限公司 Leak detection method and device based on file
CN107169355A (en) * 2017-04-28 2017-09-15 北京理工大学 A kind of worm homology analysis method and apparatus
WO2017161571A1 (en) * 2016-03-25 2017-09-28 Nokia Technologies Oy A hybrid approach of malware detection
CN107292135A (en) * 2017-06-06 2017-10-24 网易(杭州)网络有限公司 A kind of program code guard method and device
CN108401253A (en) * 2017-02-06 2018-08-14 腾讯科技(深圳)有限公司 A kind of application message recognition methods, device and system
CN108710492A (en) * 2018-04-20 2018-10-26 四川普思科创信息技术有限公司 A method of third party library in identification APP programs
CN109120593A (en) * 2018-07-12 2019-01-01 南方电网科学研究院有限责任公司 A kind of mobile application security guard system
CN109492353A (en) * 2018-10-11 2019-03-19 北京奇虎科技有限公司 Using reinforcement means, device, electronic equipment and storage medium
CN110147671A (en) * 2019-05-29 2019-08-20 北京奇安信科技有限公司 Text string extracting method and device in a kind of program
CN111046388A (en) * 2019-12-16 2020-04-21 北京智游网安科技有限公司 Method for identifying third-party SDK in application, intelligent terminal and storage medium
CN111046385A (en) * 2019-11-22 2020-04-21 北京达佳互联信息技术有限公司 Software type detection method and device, electronic equipment and storage medium
CN111459822A (en) * 2020-04-01 2020-07-28 北京字节跳动网络技术有限公司 Method, device and equipment for extracting system component data and readable medium
CN112364349A (en) * 2020-11-30 2021-02-12 江苏极鼎网络科技有限公司 Cell-phone APP intellectual detection system equipment
CN112580043A (en) * 2019-09-30 2021-03-30 奇安信安全技术(珠海)有限公司 Virtual machine-based virus killing method and device, storage medium and computer equipment
CN112817603A (en) * 2021-01-26 2021-05-18 京东数字科技控股股份有限公司 Application program processing method and device, electronic equipment, system and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819697A (en) * 2011-12-26 2012-12-12 哈尔滨安天科技股份有限公司 Method and system for detecting multi-platform malicious codes based on thread decompiling
CN103365699A (en) * 2012-12-21 2013-10-23 北京安天电子设备有限公司 System API and running character string extraction method and system based on APK
CN103440459A (en) * 2013-09-25 2013-12-11 西安交通大学 Function-call-based Android malicious code detection method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268445B (en) * 2012-12-27 2016-01-13 武汉安天信息技术有限责任公司 Android malicious code detection method and system based on opcodes
CN103473507B (en) * 2013-09-25 2016-03-30 西安交通大学 Android malicious code detection method
CN103473509A (en) * 2013-09-30 2013-12-25 清华大学 Android platform malware automatic detecting method
CN103761476B (en) * 2013-12-30 2016-11-09 北京奇虎科技有限公司 Feature extraction method and device
CN103761475B (en) * 2013-12-30 2017-04-26 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal
CN103902910B (en) * 2013-12-30 2016-07-13 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal

Cited By (45)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015101042A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
WO2015101043A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
WO2015101096A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
CN104268473A (en) * 2014-09-23 2015-01-07 龙芯中科技术有限公司 Method and device for detecting application programs
CN105653949B (en) * 2014-11-17 2019-06-21 华为技术有限公司 Malware detection method and device
CN105653949A (en) * 2014-11-17 2016-06-08 华为技术有限公司 Malicious program detection method and device
CN104657661A (en) * 2015-01-26 2015-05-27 武汉安天信息技术有限责任公司 Method and device for detecting malicious code in mobile terminal
CN104657661B (en) * 2015-01-26 2018-05-22 武汉安天信息技术有限责任公司 Method and device for detecting malicious code in mobile terminal
CN105550581A (en) * 2015-12-10 2016-05-04 北京奇虎科技有限公司 Malicious code detection method and device
CN105550581B (en) * 2015-12-10 2018-09-25 北京奇虎科技有限公司 Malicious code detection method and device
CN106909841A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Method and device for judging virus code
CN106909839A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Method and device for extracting sample code features
CN106909839B (en) * 2015-12-22 2020-04-17 北京奇虎科技有限公司 Method and device for extracting sample code features
CN106909844A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Application program sample classification method and device
CN106940771A (en) * 2016-01-04 2017-07-11 阿里巴巴集团控股有限公司 File-based vulnerability detection method and device
WO2017161571A1 (en) * 2016-03-25 2017-09-28 Nokia Technologies Oy A hybrid approach of malware detection
CN106682505A (en) * 2016-05-04 2017-05-17 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
US10803171B2 (en) 2016-05-04 2020-10-13 Tencent Technology (Shenzhen) Company Limited Virus detection method, terminal and server
CN106682505B (en) * 2016-05-04 2020-06-12 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
CN106130959A (en) * 2016-06-12 2016-11-16 微梦创科网络科技(中国)有限公司 Malicious application recognition method and device
CN106130959B (en) * 2016-06-12 2019-07-23 微梦创科网络科技(中国)有限公司 Malicious application recognition method and device
CN105978911A (en) * 2016-07-15 2016-09-28 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN105978911B (en) * 2016-07-15 2019-05-21 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN106529294A (en) * 2016-11-15 2017-03-22 广东华仝九方科技有限公司 Method for determining and filtering mobile phone viruses
CN106529294B (en) * 2016-11-15 2019-03-01 广东华仝九方科技有限公司 Method for determining and filtering mobile phone viruses
CN106650426A (en) * 2016-12-09 2017-05-10 哈尔滨安天科技股份有限公司 Method and system for dynamically extracting executable file memory maps
CN108401253A (en) * 2017-02-06 2018-08-14 腾讯科技(深圳)有限公司 Application information recognition method, device and system
CN107169355B (en) * 2017-04-28 2020-05-08 北京理工大学 Worm homology analysis method and device
CN107169355A (en) * 2017-04-28 2017-09-15 北京理工大学 Worm homology analysis method and apparatus
CN113761482A (en) * 2017-06-06 2021-12-07 杭州网易智企科技有限公司 Program code protection method and device
CN107292135A (en) * 2017-06-06 2017-10-24 网易(杭州)网络有限公司 Program code protection method and device
CN108710492A (en) * 2018-04-20 2018-10-26 四川普思科创信息技术有限公司 Method for identifying third-party libraries in app programs
CN109120593A (en) * 2018-07-12 2019-01-01 南方电网科学研究院有限责任公司 Mobile application security protection system
CN109492353A (en) * 2018-10-11 2019-03-19 北京奇虎科技有限公司 Application reinforcement method, device, electronic equipment and storage medium
CN109492353B (en) * 2018-10-11 2024-04-16 北京奇虎科技有限公司 Application reinforcement method, device, electronic equipment and storage medium
CN110147671A (en) * 2019-05-29 2019-08-20 北京奇安信科技有限公司 Method and device for extracting character strings in a program
CN110147671B (en) * 2019-05-29 2022-04-29 奇安信科技集团股份有限公司 Method and device for extracting character strings in program
CN112580043A (en) * 2019-09-30 2021-03-30 奇安信安全技术(珠海)有限公司 Virtual machine-based virus killing method and device, storage medium and computer equipment
CN111046385A (en) * 2019-11-22 2020-04-21 北京达佳互联信息技术有限公司 Software type detection method and device, electronic equipment and storage medium
CN111046385B (en) * 2019-11-22 2022-04-22 北京达佳互联信息技术有限公司 Software type detection method and device, electronic equipment and storage medium
CN111046388A (en) * 2019-12-16 2020-04-21 北京智游网安科技有限公司 Method for identifying third-party SDK in application, intelligent terminal and storage medium
CN111459822A (en) * 2020-04-01 2020-07-28 北京字节跳动网络技术有限公司 Method, device and equipment for extracting system component data and readable medium
CN111459822B (en) * 2020-04-01 2023-10-03 抖音视界有限公司 Method, device, equipment and readable medium for extracting system component data
CN112364349A (en) * 2020-11-30 2021-02-12 江苏极鼎网络科技有限公司 Mobile phone app intelligent detection system equipment
CN112817603A (en) * 2021-01-26 2021-05-18 京东数字科技控股股份有限公司 Application program processing method and device, electronic equipment, system and storage medium

Also Published As

Publication number Publication date
CN103761475B (en) 2017-04-26
WO2015101042A1 (en) 2015-07-09

Similar Documents

Publication Publication Date Title
CN103761475A (en) Method and device for detecting malicious code in intelligent terminal
CN103902910B (en) Method and device for detecting malicious code in intelligent terminal
US10114946B2 (en) Method and device for detecting malicious code in an intelligent terminal
Alrabaee et al. FOSSIL: a resilient and efficient system for identifying FOSS functions in malware binaries
CN103761476A (en) Characteristic extraction method and device
Chen et al. Detecting Android malware using clone detection
Crussell et al. AnDarwin: scalable detection of Android application clones based on semantics
CN101438529B (en) Proactive computer malware protection through dynamic translation
Lin et al. Automated forensic analysis of mobile applications on Android devices
US9135443B2 (en) Identifying malicious threads
US20170372068A1 (en) Method to identify known compilers functions, libraries and objects inside files and data items containing an executable code
Zhang et al. Android application forensics: a survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations
Webster et al. Finding the needle: a study of the PE32 rich header and respective malware triage
Zakeri et al. A static heuristic approach to detecting malware targets
Van Overveldt et al. FlashDetect: ActionScript 3 malware detection
Tian et al. DKISB: dynamic key instruction sequence birthmark for software plagiarism detection
CN103559447A (en) Detection method, detection device and detection system based on virus sample characteristics
Akram et al. DroidMD: an efficient and scalable Android malware detection approach at source code level
Chen et al. Malware classification using static disassembly and machine learning
Cheers et al. SPPlagiarise: a tool for generating simulated semantics-preserving plagiarism of Java source code
Kalysch et al. Tackling Android's native library malware with robust, efficient and accurate similarity measures
Zhou et al. ModelObfuscator: obfuscating model information to protect deployed ML-based systems
Mahawer et al. Metamorphic malware detection using base malware identification approach
Ceccato et al. Search based clustering for protecting software with diversified updates
Kalogranis Antivirus software evasion: an evaluation of the AV evasion tools

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant