CN103761475B - Method and device for detecting malicious code in intelligent terminal - Google Patents
Publication number: CN103761475B (application CN201310746029.XA)
Authority: CN (China)
Prior art keywords: function, virtual machine, decompiling, execution file, machine execution
Legal status: Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The invention discloses a method and a device for detecting malicious code in an intelligent terminal. The method comprises the steps of: obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal's operating system; decompiling the virtual machine execution file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting a function call sequence from it; and matching the function call sequence against a preset malicious code feature library, confirming that the virtual machine execution file of the application program contains malicious code if the match succeeds. With the method and device, whether an application program contains malicious code can be analysed and confirmed from its virtual machine execution file, so that a tampered application program or malicious software can be detected and removed and the safety of the intelligent terminal ensured.
Description
Technical field
The present invention relates to the field of intelligent terminal security technology, and in particular to a method and device for detecting malicious code in an intelligent terminal.
Background technology
With the development of science and technology, intelligent terminals have more and more functions. For example, mobile phones have evolved from traditional GSM and TDMA digital mobile phones into smart phones capable of processing multimedia resources and providing information services such as web browsing, video conferencing and e-commerce. However, mobile phone malicious code is becoming ever more varied and its attacks ever more serious, and the problem of personal data security follows close behind: more and more smart phone users suffer from mobile phone viruses.
The content of the invention
In view of the above problems, the present invention is proposed to provide a method and device for detecting malicious code in an intelligent terminal that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method of detecting malicious code in an intelligent terminal is provided, including: obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal's operating system; decompiling the virtual machine execution file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting the function call sequence in it; and matching the function call sequence using a preset malicious code feature library and, if the match succeeds, determining that the virtual machine execution file of the application program contains malicious code.
Preferably, the method also includes: obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure, and extracting the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the method also includes: determining the purpose of a function by analysing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions of the multiple function call sequences executed in order include: decrypting a string, creating a message digest instance, obtaining the pointer of the string, and hash encryption.
Preferably, matching the function call sequence using the preset malicious code feature library includes: using the preset malicious code feature library, performing function similarity matching on the function call sequence and/or performing function feature fuzzy matching on the function call sequence.
Preferably, a function with a certain purpose that is formed by the multiple function call sequences is used as a target feature; matching the function call sequence using the preset malicious code feature library then includes: using the preset malicious code feature library, performing function similarity matching on the target feature and/or performing function feature fuzzy matching on the target feature.
Preferably, the virtual machine execution file is subjected to sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar sample clustering.
Preferably, decompiling the virtual machine execution file to obtain the decompiled function information structure includes: parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class; and determining the position and size of each function of the virtual machine execution file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, determining the position and size of the functions of the virtual machine execution file according to the fields in the function information structure includes: parsing the function information structure to obtain the bytecode array field that indicates the position of a function in the virtual machine execution file and the list length field that indicates the size of the function; and determining the position and size of the function of the virtual machine execution file from the bytecode array field and the list length field.
Preferably, decompiling the virtual machine execution file to obtain the decompiled function information structure includes: decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
Preferably, obtaining the virtual machine execution file of the application program from the application layer of the intelligent terminal's operating system includes: finding the installation package of the application program in the application layer of the operating system, and parsing the installation package to obtain the virtual machine execution file of the application program.
Preferably, the operating system is the Android system.
According to another aspect of the present invention, a device for detecting malicious code in an intelligent terminal is provided, including: a file acquiring unit for obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal's operating system; a decompiling unit for decompiling the virtual machine execution file to obtain a decompiled function information structure; an extraction unit for parsing the decompiled function information structure and extracting the function call sequence in it; and a detection unit for matching the function call sequence using a preset malicious code feature library and, if the match succeeds, determining that the virtual machine execution file of the application program contains malicious code.
Preferably, the device also includes a parsing unit for obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure; the extraction unit extracts the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the device also includes a function purpose determining unit for determining the purpose of a function by analysing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions of the multiple function call sequences executed in order, as determined by the function purpose determining unit, include: decrypting a string, creating a message digest instance, obtaining the pointer of the string, and hash encryption.
Preferably, the detection unit is specifically configured to use the preset malicious code feature library to perform function similarity matching on the function call sequence and/or function feature fuzzy matching on the function call sequence.
Preferably, the detection unit is specifically configured to use the preset malicious code feature library to perform function similarity matching on a target feature and/or function feature fuzzy matching on the target feature, where the target feature is a function with a certain purpose that is formed by the multiple function call sequences.
Preferably, the detection unit subjects the virtual machine execution file to sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar sample clustering.
Preferably, the decompiling unit is specifically configured to parse the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class, and to determine the position and size of the functions of the virtual machine execution file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, the decompiling unit parses the function information structure to obtain the bytecode array field that indicates the position of a function in the virtual machine execution file and the list length field that indicates the size of the function, and determines the position and size of the function of the virtual machine execution file from the bytecode array field and the list length field.
Preferably, the decompiling unit is specifically configured to decompile the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
Preferably, the acquiring unit is specifically configured to find the installation package of the application program in the application layer of the intelligent terminal's operating system, and to parse the installation package to obtain the virtual machine execution file of the application program.
Preferably, the operating system is the Android system.
It can be seen that the embodiment of the present invention obtains function call sequences by format parsing and decompiling of dex files, and matches features based on the function call sequences against a malicious code feature library, thereby determining whether the dex file contains malicious code. In addition, the purpose of a function can be analysed and determined from its function call sequences; therefore code consisting of a series of function call sequences can be taken as a target feature and matched against the malicious code feature library, thereby determining whether the dex file contains malicious code.
With the solution of the present invention, whether an application program contains malicious code can be analysed and determined from its dex file, so that tampered application programs or malware can be scanned and removed, protecting the safety of the intelligent terminal.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and practised according to the content of the description, and that the above and other objects, features and advantages of the present invention may become more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method of detecting malicious code in an intelligent terminal according to an embodiment of the present invention; and
Fig. 2 shows a schematic structural diagram of a device for detecting malicious code in an intelligent terminal according to an embodiment of the present invention.
Specific embodiment
Exemplary embodiments of the present disclosure are described more fully below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Taking the Android operating system as an example, it includes an application layer (app layer) and a system framework layer (framework layer); other layers that the system may divide out by function are not covered by the present invention. Generally, the app layer can be understood as the upper layer, responsible for the interface that interacts with the user, for example application maintenance and recognising different kinds of clicked content when a page is clicked so as to show different context menus. The framework layer generally serves as the intermediate layer; its main responsibility is to forward user requests obtained by the app layer, such as starting a program, clicking a link or clicking to save a picture, down to the lower layer, and to distribute the content handled by the lower layer back to the upper layer, either by message or through an intermediary class, for display to the user.
Dalvik is the Java virtual machine for the Android platform. Dalvik is optimised to allow multiple virtual machine instances to run simultaneously in limited memory, and each Dalvik application executes as an independent Linux process. Independent processes prevent all programs from being closed when one virtual machine crashes. The Dalvik virtual machine supports running Java applications that have been converted into the dex (Dalvik Executable) format, a compressed format designed specifically for Dalvik and suited to systems with limited memory and processor speed.
It can be seen that in the Android system, dex files are the virtual machine execution files that can be loaded and run directly in the Dalvik virtual machine (Dalvik VM). Through the ADT (Android Development Tools), after a complex compilation, Java source code can be converted into dex files. Dex files are the result of optimisation for embedded systems: the instruction code of the Dalvik virtual machine is not the standard Java virtual machine instruction code but an exclusive instruction set of its own. Many class names and constant strings are shared within a dex file, which makes it smaller and more efficient to run.
The inventors found in the course of their research that by parsing a dex file, the purpose of the functions in the dex file can be learned, and it can thus be judged whether the dex file contains malicious code (including the cases where the dex file is itself malware, or where the dex file has been tampered with).
Referring to Fig. 1, a flow chart of a method of detecting malicious code in an intelligent terminal according to an embodiment of the present invention is shown.
The method of detecting malicious code in an intelligent terminal comprises the following steps.
S101: obtain the virtual machine execution file of an application program from the application layer of the intelligent terminal's operating system, for example obtain the dex file of the application program;
As mentioned above, the Android operating system includes an application layer (app layer) and a system framework layer (framework layer); the present invention focuses on research and improvement at the app layer. However, those skilled in the art will understand that when Android starts, the Dalvik VM monitors all programs (APK files) and frameworks and creates a dependency tree for them. The Dalvik VM uses this dependency tree to optimise the code of each program and stores it in the Dalvik cache (dalvik-cache), so that all programs use the optimised code at run time. When a program (or framework library) changes, the Dalvik VM re-optimises the code and stores it in the cache again. cache/dalvik-cache holds the dex files generated from programs on the system partition, whereas data/dalvik-cache holds the dex files generated from data/app. That is, the present invention focuses on analysing and processing the dex files generated from data/app, but it should be understood that the principle and operation of the present invention apply equally to the dex files generated from programs on the system partition.
As for the way of obtaining the dex file, it can be obtained by parsing the APK (Android Package, the Android installation package). An APK file is in fact a compressed package in zip format whose suffix has been changed to apk; after decompressing it with UnZip, the dex file can be obtained.
S102: decompile the dex file to obtain the decompiled function information structure;
There are several ways of decompiling (also called disassembling) a dex file.
The first way is to parse the dex file according to the dex file format to obtain the function information structure of each class, and then to determine the position and size of each function in the dex file according to the fields in the function information structure, thereby obtaining the decompiled function information structure. Specifically, by parsing the function information structure, the bytecode array field that indicates the position of a function in the dex file and the list length field that indicates the size of the function are obtained, from which the position and size of the function in the dex file are determined.
For example, the dex file is parsed according to the dex file format, each class is found and its function information structures are obtained. A function information structure contains fields such as those in Table 1.
Table 1
The insns_size and insns fields in each function information structure represent the size and the position of the function respectively. The information structure of the function can therefore be decompiled from the two fields insns_size and insns. The decompiled information structure consists of Dalvik VM bytecode, which is described in detail later.
The second way is to decompile the dex file into virtual machine bytecode using a dex file decompiling tool. As introduced above, what the Dalvik virtual machine runs is Dalvik bytecode, which exists in the dex (Dalvik Executable) executable file format, and the Dalvik virtual machine executes code by interpreting the dex file. There are currently a number of tools that can disassemble a dex file into Dalvik assembly code. Such dex decompiling tools include baksmali, Dedexer 1.26, dexdump, dexinspector 03-12-12, IDA Pro, androguard, dex2jar, 010Editor and others.
It can be seen that by decompiling a dex file, all of the decompiled function information structures can be obtained. A function information structure contains the executable code of the function, which in the embodiment of the present invention consists of a virtual machine instruction sequence and a virtual machine mnemonic sequence; in the example below, the function information structure is composed of the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence.
For example, the function information structure obtained by decompiling a dex file according to one embodiment of the present invention is as follows:
It can be seen that the dex file is decompiled into the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence.
S103: parse the decompiled function information structure and extract the function call sequence in it;
As in the example above, in the function information structure obtained by decompiling, the first two digits of each line of the machine code field are the instruction sequence (the circled part on the left of the example above), and the part corresponding to the instruction sequence is the mnemonic (the circled part on the right of the example above; not all of it is selected). Mnemonics exist mainly to make it easier for people to communicate and to write code.
As in the example above, the instruction sequence of a function obtained by decompiling the dex file is:
"125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a391238546e54710e012854136e".
The mnemonic sequence is:
"const/4 iget-object if-eqz invoke-static move-result-object invoke-virtual move-result-object invoke-virtual move-result if-eqz iget-object iget-object invoke-virtual move-result-object invoke-virtual iget-object invoke-virtual move-result-object invoke-virtual move-result-object if-eqz invoke-interface move-result if-nez const/4 if-eqz iget-object invoke-virtual iget-object invoke-static return-void move goto iget-object const/16 invoke-virtual".
Next, the function call sequence can be extracted from the mnemonic sequence above. A function call sequence is code with a semantic purpose, for example the code described below whose purposes are string decryption, creating an instance and so on. The framed part of the previous example is the related function calls. These calls are extracted and ordered by call order to form the function call sequence; the call sequence of a function basically describes the behaviour of that function.
As in the example above:
1: "Lcom/mzhengDS;.DecryptString:Ljava/lang/String"
By analysing the code, it can be learned that the function decrypts a string.
2: "invoke-static{v0},Ljava/security/MessageDigest;.getInstance:Ljava/security/MessageDigest"
By analysing the code, it can be learned that the program creates a message digest instance; it can be guessed that it may be preparing to encrypt the string returned by the interface in step 1 with a hash algorithm such as MD5 or SHA.
3: "invoke-virtual{v6},Ljava/lang/String;.getBytes:[B"
The pointer of the string is obtained; it can be guessed that this is probably the string decrypted in step 1, and that the pointer is obtained so that the string can be encrypted with the instance from step 2.
4: "invoke-virtual{v0,v1},Ljava/security/MessageDigest;.update:V"; "invoke-virtual{v0},Ljava/security/MessageDigest;.digest:[B"
These two function calls confirm the judgement above: from the function names it is known that the data is being hash-encrypted.
From the example above it can be seen that the purpose of a function can be determined from the call sequence of the function with basic analysis.
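Example code added for this page to illustrate steps S102 and S103 (it is not the patent's implementation): it parses a Dalvik code_item, the function information structure whose insns_size and insns fields give a method's size and position, walks the instruction stream into the opcode and mnemonic sequences, and extracts the invoke-* calls as the function call sequence. The code_item bytes and the method_ids table are constructed samples modelled on the patent's DecryptString/MessageDigest example; the header layout and the opcode lengths are taken from the Dalvik dex and instruction-format specifications.

```python
import struct

# Dalvik opcodes that occur in the patent's example, with each instruction's
# length in 16-bit code units (from the Dalvik instruction-format tables).
OPCODES = {
    0x01: ("move", 1),               0x0a: ("move-result", 1),
    0x0c: ("move-result-object", 1), 0x0e: ("return-void", 1),
    0x12: ("const/4", 1),            0x13: ("const/16", 2),
    0x28: ("goto", 1),               0x38: ("if-eqz", 2),
    0x39: ("if-nez", 2),             0x54: ("iget-object", 2),
    0x6e: ("invoke-virtual", 3),     0x71: ("invoke-static", 3),
    0x72: ("invoke-interface", 3),
}

# code_item header: registers_size, ins_size, outs_size, tries_size (u2 each),
# debug_info_off and insns_size (u4 each); insns_size code units follow.
CODE_ITEM_HEADER = "<HHHHII"
HEADER_FIELDS = ("registers_size", "ins_size", "outs_size", "tries_size",
                 "debug_info_off", "insns_size")


def parse_code_item(data, offset=0):
    """Return (header, insns) for the code_item at `offset`; insns is the raw
    bytecode array located and sized from the insns_size field."""
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(CODE_ITEM_HEADER, data, offset)))
    start = offset + struct.calcsize(CODE_ITEM_HEADER)
    end = start + 2 * header["insns_size"]
    if end > len(data):  # truncated or tampered input: refuse rather than over-read
        raise ValueError("insns_size runs past the end of the data")
    return header, data[start:end]


def disassemble(insns):
    """Walk the code units; return a list of (opcode, mnemonic, raw bytes)."""
    instrs, pos = [], 0
    while pos < len(insns):
        opcode = insns[pos]  # the opcode is the low byte of the first code unit
        if opcode not in OPCODES:
            raise ValueError(f"unsupported opcode 0x{opcode:02x} at unit {pos // 2}")
        mnemonic, units = OPCODES[opcode]
        instrs.append((opcode, mnemonic, insns[pos:pos + 2 * units]))
        pos += 2 * units
    return instrs


def opcode_hex(instrs):
    """The 'instruction sequence' as the patent prints it: one hex byte per instruction."""
    return "".join(f"{op:02x}" for op, _, _ in instrs)


def mnemonics_from_opcode_hex(hexstr):
    """Map the patent's bare opcode string back onto its mnemonic sequence."""
    return [OPCODES[int(hexstr[i:i + 2], 16)][0] for i in range(0, len(hexstr), 2)]


def call_sequence(instrs, method_ids):
    """Resolve each invoke-* instruction's method index (its second code unit)
    through the method_ids table; the ordered result is the function call sequence."""
    calls = []
    for _, mnemonic, raw in instrs:
        if mnemonic.startswith("invoke-"):
            idx = struct.unpack_from("<H", raw, 2)[0]
            calls.append(method_ids.get(idx, f"method@{idx}"))
    return calls


# Constructed sample (not taken from a real dex file): a method_ids table and a
# code_item whose body mirrors the patent's decrypt-then-MessageDigest example.
METHOD_IDS = {
    0: "Lcom/mzhengDS;.DecryptString:Ljava/lang/String",
    1: "Ljava/security/MessageDigest;.getInstance:Ljava/security/MessageDigest",
    2: "Ljava/lang/String;.getBytes:[B",
    3: "Ljava/security/MessageDigest;.update:V",
    4: "Ljava/security/MessageDigest;.digest:[B",
}
SAMPLE_INSNS = bytes.fromhex(
    "1200"            # const/4 v0, #0
    "7110 0000 0000"  # invoke-static {v0}, method@0      (DecryptString)
    "0c06"            # move-result-object v6
    "7110 0100 0000"  # invoke-static {v0}, method@1      (getInstance)
    "0c00"            # move-result-object v0
    "6e10 0200 0600"  # invoke-virtual {v6}, method@2     (getBytes)
    "0c01"            # move-result-object v1
    "6e20 0300 1000"  # invoke-virtual {v0, v1}, method@3 (update)
    "6e10 0400 0000"  # invoke-virtual {v0}, method@4     (digest)
    "0c00"            # move-result-object v0
    "0e00"            # return-void
)
SAMPLE_CODE_ITEM = struct.pack(CODE_ITEM_HEADER, 7, 1, 2, 0, 0, len(SAMPLE_INSNS) // 2) + SAMPLE_INSNS

# The instruction sequence quoted in the patent: one opcode byte per instruction.
PATENT_OPCODES = "125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a391238546e54710e012854136e"


def analyse_sample():
    """Steps S102 and S103 on the constructed code_item."""
    header, insns = parse_code_item(SAMPLE_CODE_ITEM)
    instrs = disassemble(insns)
    return header["insns_size"], opcode_hex(instrs), call_sequence(instrs, METHOD_IDS)


if __name__ == "__main__":
    print(analyse_sample())
    print(" ".join(mnemonics_from_opcode_hex(PATENT_OPCODES)))
```

In a real dex file the code_item is reached through the class_defs and encoded method lists, and a complete disassembler needs the full opcode table rather than the thirteen opcodes used here.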
S104: match the function call sequence using the preset malicious code feature library, and if the match succeeds, determine that the dex file of the application program contains malicious code.
Malicious code refers to programs that propagate through storage media or networks and that, without authorisation, destroy the integrity of the operating system or steal undisclosed secret information from the system. Taking mobile phones as an example, mobile phone malicious code is malicious code aimed at handheld devices such as mobile phones and PDAs. Mobile phone malicious code can be divided simply into replicating malicious code and non-replicating malicious code. Replicating malicious code mainly includes viruses and worms; non-replicating malicious code mainly includes backdoors and Trojan horses, rogue software, malicious mobile code and rootkit programs.
Mobile phone malicious code protection technology protects against malicious code, and there are many protection methods. One example is signature scanning, which requires a malicious code feature library to be built in advance through study; a signature stored in the feature library may be one contiguous fixed string, or several segments of non-contiguous string with other undetermined characters inserted between them, from which the feature string is determined. When scanning, the file to be examined or the memory is checked against the signatures or feature strings in the library, and when a match is found the target is determined to be infected with malicious code. Another example is virtual-machine-based protection against malicious code. This kind of protection scheme is mainly aimed at polymorphic and metamorphic viruses. A virtual machine here means a complete computer, with full hardware system functionality simulated by software, that runs in a completely isolated environment. The scheme, also called software simulation, is a kind of software analyser that simulates and analyses the running of a program by software means. In essence it simulates a small closed program execution environment in memory in which all files to be scanned are executed virtually. When scanning with virtual machine technology, signature scanning is used first, and when the target is found to have the characteristics of encrypted malicious code, the virtual machine module is started to let the encrypted code decode itself; after decoding, scanning can proceed with the traditional signature method. A further example is heuristic scanning. Heuristic scanning schemes are mainly aimed at the continual mutation of malicious code and at strengthening research into unknown malicious code. The term "heuristic" comes from artificial intelligence and refers to "the ability to discover for oneself" or "the knowledge and skill to judge things by some means or method". Heuristic scanning for malicious code means that the scanning software uses rules extracted from experience to find viruses by analysing the structure and behaviour of programs. Because malicious code must achieve its purpose of infection and destruction, its common behaviours all have certain characteristics, such as unconventional reading and writing of files, terminating itself, and unconventional entry into ring 0. Whether a program is malicious code can therefore be judged by scanning for a specific behaviour or a combination of several behaviours. In addition, similar sample clustering can be performed on the target program, for example clustering the samples similar to the one under analysis with the K-means clustering algorithm.
No matter which kind of protection method, its core all includes two parts, and first is the rational malicious code feature database of tissue, the
Two is efficient scanning algorithm(Also referred to as matching algorithm).Matching algorithm is generally divided into Single Pattern Matching Algorithms and multi-mode matching
Two kinds of algorithm. Single-pattern matching algorithms include the BF (Brute-Force) algorithm, the KMP (Knuth-Morris-Pratt) algorithm, the BM (Boyer-Moore) algorithm and the QS (Quick Search) algorithm. Multi-pattern matching algorithms include the classical DFSA multi-pattern matching algorithm and multi-pattern matching algorithms based on ordered binary trees. Matching algorithms can also be divided into fuzzy matching algorithms and similarity matching algorithms.
Take the BF algorithm as an example. It is a simple, intuitive single-pattern matching algorithm. Its basic idea is: first compare the first character s1 of the main string s with the first character t1 of the pattern t; if they are equal, continue comparing the following characters one by one; otherwise compare the second character s2 of s with t1, and so on, until either every character of t is equal, in order, to a run of consecutive characters in s (the match succeeds) and the position in s of the first character of that run is returned, or no substring equal to t can be found in s (the match fails) and 0 is returned.
Take the KMP algorithm as another example. It is an improved pattern matching algorithm, and its greatest improvement over BF is that it uses the "partial match" information implicit in the pattern, so that when a mismatch occurs the pointer i into the main string (pointing at the mismatched character) does not need to backtrack; instead the pointer j into the pattern (pointing at the position to be compared next) "slides" backwards by the largest possible distance and the comparison continues. This slide K is given by the next function. The KMP algorithm can be described as follows: while si equals tj, the pointers i and j each advance by 1; if si is not equal to tj, i stays where it is and j falls back to next(j), and the comparison is repeated. This continues until a substring of the main string equal to the pattern is found, or the whole main string has been searched without finding one, at which point the algorithm terminates.
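The two algorithms described above, as an added worked example that is not code from the patent. Both matchers are written over generic sequences, so the same functions match a pattern of method names against an extracted function call sequence just as they match characters against a string. Return values follow the text's convention: the 1-based position of the first matched element, or 0 on failure. The call sequence and pattern below are constructed sample data.

```python
from typing import List, Sequence, TypeVar

T = TypeVar("T")


def brute_force(s: Sequence[T], t: Sequence[T]) -> int:
    """BF: after every mismatch, restart the comparison one element later in s.

    Returns the 1-based position in s of the first element of the match,
    or 0 if t does not occur in s.
    """
    n, m = len(s), len(t)
    if m == 0:
        return 1
    for start in range(n - m + 1):
        j = 0
        while j < m and s[start + j] == t[j]:
            j += 1
        if j == m:
            return start + 1
    return 0


def kmp_next(t: Sequence[T]) -> List[int]:
    """next[j] = length of the longest proper prefix of t[:j+1] that is also a suffix of it.

    This is the "partial match" information the text refers to: after a mismatch
    at t[j] the comparison resumes at t[next[j-1]] and the pointer into s is not moved.
    """
    nxt = [0] * len(t)
    k = 0
    for j in range(1, len(t)):
        while k > 0 and t[j] != t[k]:
            k = nxt[k - 1]
        if t[j] == t[k]:
            k += 1
        nxt[j] = k
    return nxt


def kmp_search(s: Sequence[T], t: Sequence[T]) -> int:
    """KMP: i never backtracks; only j slides back, via the next table."""
    m = len(t)
    if m == 0:
        return 1
    nxt = kmp_next(t)
    j = 0
    for i in range(len(s)):
        while j > 0 and s[i] != t[j]:
            j = nxt[j - 1]          # slide the pattern, keep i fixed
        if s[i] == t[j]:
            j += 1
        if j == m:
            return i - m + 2        # 1-based start of the match
    return 0


# Constructed sample: a function call sequence (method names in program order)
# and a feature-library pattern to look for inside it.
CALLS = [
    "Ljavax/crypto/Cipher;->doFinal",
    "Ljava/security/Signature;->getInstance",
    "Ljava/lang/String;->substring",
    "Ljava/security/MessageDigest;->digest",
]
PATTERN = CALLS[1:3]

if __name__ == "__main__":
    print(brute_force("abcabcabd", "abcabd"), kmp_search("abcabcabd", "abcabd"))  # 4 4
    print(kmp_search(CALLS, PATTERN))  # 2
```

The string example is the case KMP is built for: after matching "abcab" the mismatch at "c" lets j fall back to 2 rather than restarting at the next character of s, and i keeps moving forward.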
In this step, the function call sequence is matched using the preset malicious code feature library; if the match succeeds, it is determined that the dex file of the application contains malicious code. Specifically, two cases are included. In the first case, the function call sequence itself is the detection target: the preset malicious code feature library is used to scan the function call sequence, for example by function similarity matching or by fuzzy matching of function features. In the second case, a function with a certain behaviour that is composed of multiple function call sequences is taken as the target feature, and the preset malicious code feature library is used to scan that target feature, again for example by function similarity matching or by fuzzy matching of function features.
It should be noted that the present invention does not restrict which malicious code protection scheme is used to detect the malicious code. For example, the sample-signature scanning described above (signature scanning), virtual-machine-based scanning or heuristic scanning may be used, and similar-sample clustering may also be performed. Nor is the matching algorithm restricted; for example, the fuzzy matching algorithms or similarity matching algorithms described above may be used.
It can be seen that the embodiment of the present invention obtains function call sequences through format parsing and decompilation of the dex file, and matches features based on the function call sequence against the malicious code feature library, thereby determining whether the dex file contains malicious code. In addition, the behaviour of a function can be analysed from its function call sequences, so the code formed by a series of function call sequences can be taken as a target feature and matched against the malicious code feature library, thereby determining whether the dex file contains malicious code.
With the scheme of the present invention, whether an application contains malicious code can be analysed and determined from the dex file of the application, so that tampered applications or malware can be detected and removed, protecting the security of the intelligent terminal.
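A worked example of the extraction and matching steps described above, added here and not part of the patent. A constructed virtual machine mnemonic listing in smali-like syntax stands in for the output of the parsing unit; the invoke instructions are pulled out of it into a function call sequence, and that sequence is scanned against a small constructed feature library in both of the ways the text names. The patent does not define the two metrics, so this example makes its own choices: "function similarity" is the share of a feature recovered as an in-order subsequence of the calls (longest common subsequence over feature length), and "fuzzy matching" is ordered containment with unrelated calls allowed in between. The first library entry mirrors the behaviour given in the text (decrypt a string, create a Signature instance, take a substring, hash); the second is a constructed dynamic-loading pattern.

```python
import re
from typing import Dict, List

# invoke-kind or invoke-kind/range; capture the callee as Lclass;->method
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|super|direct|static|interface)(?:/range)?\s+\{[^}]*\},\s*"
    r"(L[\w/$]+;->[\w<>$]+)\("
)

# Constructed mnemonic listing (smali-style) standing in for the parsing unit's output.
MNEMONICS = """
.method private a([B)[B
    const-string v0, "AES"
    invoke-static {v0}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;)Ljavax/crypto/Cipher;
    move-result-object v0
    invoke-virtual {v0, p1}, Ljavax/crypto/Cipher;->doFinal([B)[B
    move-result-object v1
    new-instance v5, Ljava/lang/String;
    invoke-direct {v5, v1}, Ljava/lang/String;-><init>([B)V
    const-string v2, "SHA1withRSA"
    invoke-static {v2}, Ljava/security/Signature;->getInstance(Ljava/lang/String;)Ljava/security/Signature;
    move-result-object v2
    const/4 v6, 0x0
    const/16 v7, 0x10
    invoke-virtual/range {v5 .. v7}, Ljava/lang/String;->substring(II)Ljava/lang/String;
    move-result-object v5
    invoke-virtual {v5}, Ljava/lang/String;->getBytes()[B
    move-result-object v1
    const-string v0, "SHA-1"
    invoke-static {v0}, Ljava/security/MessageDigest;->getInstance(Ljava/lang/String;)Ljava/security/MessageDigest;
    move-result-object v4
    invoke-virtual {v4, v1}, Ljava/security/MessageDigest;->digest([B)[B
    move-result-object v4
    return-object v4
.end method
"""

# Constructed feature library: name -> ordered call sequence. The first entry is one
# "target feature" built from several calls: decrypt string, create Signature, substring, hash.
FEATURE_LIBRARY: Dict[str, List[str]] = {
    "string-decrypt-sign-hash": [
        "Ljavax/crypto/Cipher;->doFinal",
        "Ljava/security/Signature;->getInstance",
        "Ljava/lang/String;->substring",
        "Ljava/security/MessageDigest;->digest",
    ],
    "dex-loader": [
        "Ldalvik/system/DexClassLoader;-><init>",
        "Ljava/lang/Class;->getMethod",
        "Ljava/lang/reflect/Method;->invoke",
    ],
}


def extract_call_sequence(listing: str) -> List[str]:
    """Extraction unit: keep only invoke targets, in program order."""
    return [m.group(1) for m in map(INVOKE_RE.match, listing.splitlines()) if m]


def fuzzy_contains(calls: List[str], feature: List[str]) -> bool:
    """Fuzzy match: every feature call appears, in order; other calls may sit between them."""
    it = iter(calls)
    return all(any(c == f for c in it) for f in feature)


def lcs_len(a: List[str], b: List[str]) -> int:
    """Length of the longest common subsequence (two-row dynamic programme)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(calls: List[str], feature: List[str]) -> float:
    """Similarity: fraction of the feature recovered as an in-order subsequence of calls."""
    return lcs_len(calls, feature) / len(feature) if feature else 0.0


def scan(calls: List[str], library: Dict[str, List[str]], threshold: float = 0.75) -> Dict[str, float]:
    """Detection unit: report features that match fuzzily or reach the similarity threshold."""
    hits = {}
    for name, feature in library.items():
        score = similarity(calls, feature)
        if fuzzy_contains(calls, feature) or score >= threshold:
            hits[name] = score
    return hits


if __name__ == "__main__":
    seq = extract_call_sequence(MNEMONICS)
    print(seq)
    print(scan(seq, FEATURE_LIBRARY))
```

The similarity score is what lets a sample that drops or reorders one call still be flagged; the threshold is a tuning choice, and lowering it trades false negatives for false positives against unrelated code that happens to share a few common API calls.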
Corresponding to the above method, the embodiment of the present invention also provides a device for detecting malicious code in an intelligent terminal. The device may be implemented in software, in hardware, or in a combination of software and hardware. Specifically, the device may be a terminal device, or a functional entity inside a device; for example, it may be a functional module inside a mobile phone. Preferably, the device runs under the Android operating system.
Referring to Fig. 2, the device includes a file obtaining unit 201, a decompiling unit 202, an extraction unit 203 and a detection unit 204.
Wherein:
The file obtaining unit 201 is configured to obtain the virtual machine execution file of an application from the application layer of the intelligent terminal operating system, for example a dex file;
the decompiling unit 202 is configured to decompile the dex file and obtain the decompiled function information structure;
the extraction unit 203 is configured to parse the decompiled function information structure and extract the function call sequence from it;
the detection unit 204 is configured to match the function call sequence using the preset malicious code feature library and, if the match succeeds, determine that the dex file of the application contains malicious code.
Preferably, the device also includes a parsing unit 205:
the parsing unit 205 is configured to obtain a virtual machine mnemonic sequence by parsing the decompiled function information structure;
in this case, the extraction unit 203 extracts the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences; in this case, the device also includes:
a function behaviour determining unit 206, configured to determine the behaviour of a function by analysing the instructions executed in order by the multiple function call sequences.
For example, the instructions executed in order by the multiple function call sequences determined by the function behaviour determining unit 206 include: decrypting a string, creating a message signature instance, taking a substring of the string, and hashing.
Wherein, the detection unit 204 is specifically configured to use the preset malicious code feature library to perform function similarity matching on the function call sequence, and/or to perform fuzzy matching of function features on the function call sequence;
or, the detection unit 204 is specifically configured to use the preset malicious code feature library to perform function similarity matching on the target feature, and/or to perform fuzzy matching of function features on the target feature, where the target feature refers to the function with a certain behaviour composed of the multiple function call sequences determined by the function behaviour determining unit 206.
In addition, the detection unit 204 performs sample-signature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the dex file.
Wherein, the decompiling unit 202 is specifically configured to parse the dex file according to the dex file format and obtain the function information structure of each class, and to determine the position and size of each function in the dex file according to the fields of the function information structure, thereby obtaining the decompiled function information structure. Further, the decompiling unit 202 is also configured to parse the function information structure and obtain the bytecode array field that indicates the position of a function in the dex file and the list length field that indicates the size of that function, and to determine the position and size of the function in the dex file according to the bytecode array field and the list length field;
or, the decompiling unit 202 is specifically configured to decompile the dex file into virtual machine bytecode using a dex file decompiling tool.
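As an added example of the format parsing this unit performs (example code, not the patent's), the following reads the header of a dex file with Python's struct module, verifies the two integrity fields that a tampered or repacked file commonly fails (the Adler-32 checksum covers every byte after itself, the SHA-1 signature every byte after itself), and reads one code_item, whose insns_size and insns fields give the size and position of a method's bytecode. Identifying those two fields with what the text calls the list length field and the bytecode array field is this example's reading of the text; the field names and offsets themselves are from the public dex format. The sample dex bytes are constructed inline, a bare header plus one code_item with no class tables, so the checker runs offline.

```python
import hashlib
import struct
import zlib
from typing import Dict, Tuple

DEX_MAGIC = b"dex\n035\0"
HEADER_FMT = "<8sI20s20I"                    # magic, checksum, signature, then 20 u4 fields
HEADER_SIZE = struct.calcsize(HEADER_FMT)    # 0x70
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# code_item: registers_size, ins_size, outs_size, tries_size (u2), debug_info_off, insns_size (u4)
CODE_ITEM_FMT = "<4H2I"


def parse_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed-size dex header and reject files that do not look like dex."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than a dex header")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    if fields[0] != DEX_MAGIC:
        raise ValueError("bad dex magic %r" % (fields[0],))
    header = {"magic": fields[0], "checksum": fields[1], "signature": fields[2]}
    header.update(zip(HEADER_FIELDS, fields[3:]))
    if header["header_size"] != HEADER_SIZE or header["endian_tag"] != 0x12345678:
        raise ValueError("unexpected header_size or endian_tag")
    return header


def verify_integrity(data: bytes) -> Tuple[bool, bool]:
    """Return (checksum_ok, signature_ok). Adler-32 covers data[12:], SHA-1 covers data[32:]."""
    header = parse_header(data)
    if header["file_size"] != len(data):
        return False, False
    checksum_ok = (zlib.adler32(data[12:]) & 0xFFFFFFFF) == header["checksum"]
    signature_ok = hashlib.sha1(data[32:]).digest() == header["signature"]
    return checksum_ok, signature_ok


def locate_method_bytecode(data: bytes, code_off: int) -> Tuple[int, int]:
    """Read a code_item at code_off; return (offset of the insns array, its size in 16-bit units)."""
    _regs, _ins, _outs, _tries, _debug_off, insns_size = struct.unpack_from(CODE_ITEM_FMT, data, code_off)
    insns_off = code_off + struct.calcsize(CODE_ITEM_FMT)
    if insns_off + 2 * insns_size > len(data):
        raise ValueError("insns array runs past end of file")
    return insns_off, insns_size


def build_sample_dex() -> Tuple[bytes, int]:
    """Constructed sample: a header followed by one code_item holding `return-void` (0x000e)."""
    code_off = HEADER_SIZE
    code_item = struct.pack(CODE_ITEM_FMT, 1, 1, 0, 0, 0, 1) + struct.pack("<H", 0x000E)
    body = [0] * 20
    body[0] = code_off + len(code_item)   # file_size
    body[1] = HEADER_SIZE                 # header_size
    body[2] = 0x12345678                  # endian_tag
    body[18] = len(code_item)             # data_size
    body[19] = code_off                   # data_off
    tail = struct.pack("<20I", *body) + code_item
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail, code_off


if __name__ == "__main__":
    dex, code_off = build_sample_dex()
    print(verify_integrity(dex))                    # (True, True)
    tampered = bytearray(dex)
    tampered[-1] ^= 0x01                            # flip one bit of the bytecode
    print(verify_integrity(bytes(tampered)))        # (False, False)
    print(locate_method_bytecode(dex, code_off))    # (128, 1)
```

A real dex reaches code_items through class_defs_off, class_data and the encoded_method entries, each of which carries a code_off; the bounds check in locate_method_bytecode is the part worth keeping, because a crafted insns_size is an easy way to make a naive scanner read past the file.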
Wherein, the obtaining unit 201 is specifically configured to find the installation package of the application from the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the dex file of the application.
For the implementation details of the device, refer to the method embodiment; they are not repeated here.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the above description, the structure required to construct such systems is obvious. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description above of a specific language is given in order to disclose the best mode of the invention.
Many details are set out in the description provided here. It should be understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may in addition be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, an equivalent or a similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features that are included in other embodiments but not other features, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the present invention may be implemented in hardware, or as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device for detecting malicious code in an intelligent terminal according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs implementing the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses the following schemes:
A1. A method for detecting malicious code in an intelligent terminal, including:
obtaining the virtual machine execution file of an application from the application layer of the intelligent terminal operating system;
decompiling the virtual machine execution file to obtain a decompiled function information structure;
parsing the decompiled function information structure and extracting the function call sequence from the decompiled function information structure;
matching the function call sequence using a preset malicious code feature library and, if the match succeeds, determining that the virtual machine execution file of the application contains malicious code.
A2. The method of A1, also including:
obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure;
extracting the function call sequence from the virtual machine mnemonic sequence.
A3. The method of A1, wherein there are multiple function call sequences; the method also includes:
determining the behaviour of the function by analysing the instructions executed in order by the multiple function call sequences.
A4. The method of A3, wherein the instructions executed in order by the multiple function call sequences include: decrypting a string, creating a message signature instance, taking a substring of the string, and hashing.
A5. The method of A1, wherein matching the function call sequence using the preset malicious code feature library includes:
using the preset malicious code feature library to perform function similarity matching on the function call sequence, and/or to perform fuzzy matching of function features on the function call sequence.
A6. The method of A3, wherein the function with a certain behaviour composed of the multiple function call sequences is taken as a target feature;
and matching the function call sequence using the preset malicious code feature library includes:
using the preset malicious code feature library to perform function similarity matching on the target feature, and/or to perform fuzzy matching of function features on the target feature.
A7. The method of A1, wherein sample-signature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering is performed on the virtual machine execution file.
A8. The method of A1, wherein decompiling the virtual machine execution file to obtain a decompiled function information structure includes:
parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class;
determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure, to obtain the decompiled function information structure.
A9. The method of A8, wherein determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure includes:
parsing the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function;
determining the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
A10. The method of A1, wherein decompiling the virtual machine execution file to obtain a decompiled function information structure includes:
decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
A11. The method of A1, wherein obtaining the virtual machine execution file of the application from the application layer of the intelligent terminal operating system includes:
finding the installation package of the application from the application layer of the intelligent terminal operating system;
parsing the installation package to obtain the virtual machine execution file of the application.
A12. The method of any one of A1-A11, wherein the operating system is the Android system.
B13. A device for detecting malicious code in an intelligent terminal, including:
a file obtaining unit, configured to obtain the virtual machine execution file of an application from the application layer of the intelligent terminal operating system;
a decompiling unit, configured to decompile the virtual machine execution file to obtain a decompiled function information structure;
an extraction unit, configured to parse the decompiled function information structure and extract the function call sequence from the decompiled function information structure;
a detection unit, configured to match the function call sequence using a preset malicious code feature library and, if the match succeeds, determine that the virtual machine execution file of the application contains malicious code.
B14. The device of B13, also including:
a parsing unit, configured to obtain a virtual machine mnemonic sequence by parsing the decompiled function information structure;
wherein the extraction unit extracts the function call sequence from the virtual machine mnemonic sequence.
B15. The device of B13, wherein there are multiple function call sequences; the device also includes:
a function behaviour determining unit, configured to determine the behaviour of the function by analysing the instructions executed in order by the multiple function call sequences.
B16. The device of B15, wherein the instructions executed in order by the multiple function call sequences determined by the function behaviour determining unit include: decrypting a string, creating a message signature instance, taking a substring of the string, and hashing.
B17. The device of B13, wherein the detection unit is specifically configured to use the preset malicious code feature library to perform function similarity matching on the function call sequence, and/or to perform fuzzy matching of function features on the function call sequence.
B18. The device of B15, wherein the detection unit is specifically configured to use the preset malicious code feature library to perform function similarity matching on a target feature, and/or to perform fuzzy matching of function features on the target feature, where the target feature refers to the function with a certain behaviour composed of the multiple function call sequences.
B19. The device of B13, wherein the detection unit performs sample-signature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the virtual machine execution file.
B20. The device of B13, wherein the decompiling unit is specifically configured to parse the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class, and to determine the position and size of the function of the virtual machine execution file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
B21. The device of B20, wherein the decompiling unit parses the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function, and determines the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
B22. The device of B13, wherein the decompiling unit is specifically configured to decompile the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
B23. The device of B13, wherein the obtaining unit is specifically configured to find the installation package of the application from the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the virtual machine execution file of the application.
B24. The device of any one of B13-B23, wherein the operating system is the Android system.
Claims (18)
1. A method for detecting malicious code in an intelligent terminal, characterized in that it includes:
obtaining the virtual machine execution file of an application from the application layer of the intelligent terminal operating system;
decompiling the virtual machine execution file to obtain a decompiled function information structure;
parsing the decompiled function information structure to obtain a virtual machine mnemonic sequence; extracting from the virtual machine mnemonic sequence the function call sequences in the decompiled function information structure, wherein a function call sequence refers to code having a semantic function, and there are multiple function call sequences;
determining the behaviour of the function by analysing the instructions executed in order by the multiple function call sequences, and taking the function with a certain behaviour composed of the multiple function call sequences as a target feature;
matching the target feature using a preset malicious code feature library and, if the match succeeds, determining that the virtual machine execution file of the application contains malicious code.
2. The method of claim 1, characterized in that the instructions executed in order by the multiple function call sequences include: decrypting a string, creating a message signature instance, taking a substring of the string, and hashing.
3. The method of claim 1, characterized in that matching the target feature using the preset malicious code feature library includes:
using the preset malicious code feature library to perform function similarity matching on the target feature, and/or to perform fuzzy matching of function features on the target feature.
4. The method of claim 1, characterized in that sample-signature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering is performed on the virtual machine execution file.
5. The method of claim 1, characterized in that decompiling the virtual machine execution file to obtain a decompiled function information structure includes:
parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class;
determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure, to obtain the decompiled function information structure.
6. The method of claim 5, characterized in that determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure includes:
parsing the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function;
determining the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
7. The method of claim 1, characterized in that decompiling the virtual machine execution file to obtain a decompiled function information structure includes:
decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
8. The method of claim 1, characterized in that obtaining the virtual machine execution file of the application from the application layer of the intelligent terminal operating system includes:
finding the installation package of the application from the application layer of the intelligent terminal operating system;
parsing the installation package to obtain the virtual machine execution file of the application.
9. The method of any one of claims 1-8, characterized in that the operating system is the Android system.
10. A device for detecting malicious code in an intelligent terminal, characterized in that it includes:
a file obtaining unit, configured to obtain the virtual machine execution file of an application from the application layer of the intelligent terminal operating system;
a decompiling unit, configured to decompile the virtual machine execution file to obtain a decompiled function information structure;
a parsing unit, configured to obtain a virtual machine mnemonic sequence by parsing the decompiled function information structure;
an extraction unit, configured to extract from the virtual machine mnemonic sequence the function call sequences in the decompiled function information structure, wherein a function call sequence refers to code having a semantic function, and there are multiple function call sequences;
a function behaviour determining unit, configured to determine the behaviour of the function by analysing the instructions executed in order by the multiple function call sequences, and to take the function with a certain behaviour composed of the multiple function call sequences as a target feature;
a detection unit, configured to match the target feature using a preset malicious code feature library and, if the match succeeds, determine that the virtual machine execution file of the application contains malicious code.
11. The device of claim 10, characterized in that the instructions executed in order by the multiple function call sequences determined by the function behaviour determining unit include: decrypting a string, creating a message signature instance, taking a substring of the string, and hashing.
12. The device of claim 10, characterized in that the detection unit is specifically configured to use the preset malicious code feature library to perform function similarity matching on the target feature, and/or to perform fuzzy matching of function features on the target feature.
13. The device of claim 10, characterized in that the detection unit performs sample-signature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the virtual machine execution file.
14. The device of claim 10, characterized in that the decompiling unit is specifically configured to parse the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class, and to determine the position and size of the function of the virtual machine execution file according to the fields in the function information structure, thereby obtaining the decompiled function information structure.
15. The device of claim 14, characterized in that the decompiling unit parses the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function, and determines the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
16. The device of claim 10, characterized in that the decompiling unit is specifically configured to decompile the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
17. The device of claim 10, characterized in that the obtaining unit is specifically configured to find the installation package of the application from the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the virtual machine execution file of the application.
18. The device of any one of claims 10-17, characterized in that the operating system is the Android system.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310746029.XA CN103761475B (en) | 2013-12-30 | 2013-12-30 | Method and device for detecting malicious code in intelligent terminal |
PCT/CN2014/083908 WO2015101042A1 (en) | 2013-12-30 | 2014-08-07 | Method and device for detecting malicious code in smart terminal |
US15/108,927 US9792433B2 (en) | 2013-12-30 | 2014-10-31 | Method and device for detecting malicious code in an intelligent terminal |
PCT/CN2014/090032 WO2015101096A1 (en) | 2013-12-30 | 2014-10-31 | Method and device for detecting malicious code in smart terminal |
US15/714,721 US10114946B2 (en) | 2013-12-30 | 2017-09-25 | Method and device for detecting malicious code in an intelligent terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310746029.XA CN103761475B (en) | 2013-12-30 | 2013-12-30 | Method and device for detecting malicious code in intelligent terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103761475A CN103761475A (en) | 2014-04-30 |
CN103761475B true CN103761475B (en) | 2017-04-26 |
Family
ID=50528711
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310746029.XA Active CN103761475B (en) | 2013-12-30 | 2013-12-30 | Method and device for detecting malicious code in intelligent terminal |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103761475B (en) |
WO (1) | WO2015101042A1 (en) |
Families Citing this family (30)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103761475B (en) * | 2013-12-30 | 2017-04-26 | 北京奇虎科技有限公司 | Method and device for detecting malicious code in intelligent terminal |
CN103902910B (en) * | 2013-12-30 | 2016-07-13 | 北京奇虎科技有限公司 | Detect method and the device of malicious code in intelligent terminal |
WO2015101096A1 (en) * | 2013-12-30 | 2015-07-09 | 北京奇虎科技有限公司 | Method and device for detecting malicious code in smart terminal |
CN104268473B (en) * | 2014-09-23 | 2017-05-24 | 龙芯中科技术有限公司 | Method and device for detecting application programs |
CN105653949B (en) * | 2014-11-17 | 2019-06-21 | 华为技术有限公司 | Malware detection method and device |
CN104657661B (en) * | 2015-01-26 | 2018-05-22 | 武汉安天信息技术有限责任公司 | Method and device for detecting malicious code in mobile terminal |
CN105550581B (en) * | 2015-12-10 | 2018-09-25 | 北京奇虎科技有限公司 | Malicious code detection method and device |
CN106909841A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | Method and device for judging virus code |
CN106909839B (en) * | 2015-12-22 | 2020-04-17 | 北京奇虎科技有限公司 | Method and device for extracting sample code features |
CN106909844A (en) * | 2015-12-22 | 2017-06-30 | 北京奇虎科技有限公司 | Classification method and device for application program samples |
CN106940771A (en) * | 2016-01-04 | 2017-07-11 | 阿里巴巴集团控股有限公司 | File-based vulnerability detection method and device |
US20200019702A1 (en) * | 2016-03-25 | 2020-01-16 | Nokia Technologies Oy | A hybrid approach of malware detection |
CN106682505B (en) * | 2016-05-04 | 2020-06-12 | 腾讯科技(深圳)有限公司 | Virus detection method, terminal, server and system |
CN106130959B (en) * | 2016-06-12 | 2019-07-23 | 微梦创科网络科技(中国)有限公司 | Malicious application recognition method and device |
CN105978911B (en) * | 2016-07-15 | 2019-05-21 | 江苏博智软件科技有限公司 | Malicious code detection method and device based on virtual execution technology |
CN106529294B (en) * | 2016-11-15 | 2019-03-01 | 广东华仝九方科技有限公司 | Method for determining and filtering mobile phone viruses |
CN106650426A (en) * | 2016-12-09 | 2017-05-10 | 哈尔滨安天科技股份有限公司 | Method and system for dynamically extracting executable file memory maps |
CN108401253B (en) * | 2017-02-06 | 2022-12-27 | 腾讯科技(深圳)有限公司 | Application information identification method, device and system |
CN107169355B (en) * | 2017-04-28 | 2020-05-08 | 北京理工大学 | Worm homology analysis method and device |
CN107292135A (en) * | 2017-06-06 | 2017-10-24 | 网易(杭州)网络有限公司 | Program code protection method and device |
CN108710492B (en) * | 2018-04-20 | 2021-09-07 | 四川普思科创信息技术有限公司 | Method for identifying third-party library in APP program |
CN109120593A (en) * | 2018-07-12 | 2019-01-01 | 南方电网科学研究院有限责任公司 | Mobile application safety protection system |
CN109492353B (en) * | 2018-10-11 | 2024-04-16 | 北京奇虎科技有限公司 | Application reinforcement method, device, electronic equipment and storage medium |
CN110147671B (en) * | 2019-05-29 | 2022-04-29 | 奇安信科技集团股份有限公司 | Method and device for extracting character strings in program |
CN112580043B (en) * | 2019-09-30 | 2023-08-01 | 奇安信安全技术(珠海)有限公司 | Virtual machine-based disinfection method and device, storage medium and computer equipment |
CN111046385B (en) * | 2019-11-22 | 2022-04-22 | 北京达佳互联信息技术有限公司 | Software type detection method and device, electronic equipment and storage medium |
CN111046388B (en) * | 2019-12-16 | 2022-09-13 | 北京智游网安科技有限公司 | Method for identifying third-party SDK in application, intelligent terminal and storage medium |
CN111459822B (en) * | 2020-04-01 | 2023-10-03 | 抖音视界有限公司 | Method, device, equipment and readable medium for extracting system component data |
CN112364349A (en) * | 2020-11-30 | 2021-02-12 | 江苏极鼎网络科技有限公司 | Mobile phone APP intelligent detection equipment |
CN112817603B (en) * | 2021-01-26 | 2023-06-30 | 京东科技控股股份有限公司 | Application processing method, device, electronic equipment, system and storage medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102819697A (en) * | 2011-12-26 | 2012-12-12 | 哈尔滨安天科技股份有限公司 | Method and system for detecting multi-platform malicious codes based on thread decompiling |
CN103365699A (en) * | 2012-12-21 | 2013-10-23 | 北京安天电子设备有限公司 | System API and running character string extraction method and system based on APK |
CN103440459A (en) * | 2013-09-25 | 2013-12-11 | 西安交通大学 | Function-call-based Android malicious code detection method |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103268445B (en) * | 2012-12-27 | 2016-01-13 | 武汉安天信息技术有限责任公司 | OpCode-based Android malicious code detection method and system |
CN103473507B (en) * | 2013-09-25 | 2016-03-30 | 西安交通大学 | Android malicious code detection method |
CN103473509A (en) * | 2013-09-30 | 2013-12-25 | 清华大学 | Android platform malware automatic detection method |
CN103761476B (en) * | 2013-12-30 | 2016-11-09 | 北京奇虎科技有限公司 | Method and device for feature extraction |
CN103902910B (en) * | 2013-12-30 | 2016-07-13 | 北京奇虎科技有限公司 | Method and device for detecting malicious code in intelligent terminal |
CN103761475B (en) * | 2013-12-30 | 2017-04-26 | 北京奇虎科技有限公司 | Method and device for detecting malicious code in intelligent terminal |
- 2013-12-30 CN CN201310746029.XA patent/CN103761475B/en active Active
- 2014-08-07 WO PCT/CN2014/083908 patent/WO2015101042A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2015101042A1 (en) | 2015-07-09 |
CN103761475A (en) | 2014-04-30 |
Similar Documents
Publication | Title |
---|---|
CN103761475B (en) | Method and device for detecting malicious code in intelligent terminal |
CN103902910B (en) | Method and device for detecting malicious code in intelligent terminal |
US10114946B2 (en) | Method and device for detecting malicious code in an intelligent terminal |
Zhang et al. | Libid: reliable identification of obfuscated third-party android libraries |
Crussell et al. | Andarwin: Scalable detection of android application clones based on semantics |
US10044750B2 (en) | Code labeling based on tokenized code samples |
Laskov et al. | Static detection of malicious JavaScript-bearing PDF documents |
WO2015101097A1 (en) | Method and device for feature extraction |
CN101438529B (en) | Proactive computer malware protection through dynamic translation |
Lin et al. | Automated forensic analysis of mobile applications on Android devices |
Zhang et al. | Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations |
Webster et al. | Finding the needle: A study of the pe32 rich header and respective malware triage |
Martinelli et al. | Model checking and machine learning techniques for HummingBad mobile malware detection and mitigation |
Li et al. | Large-scale third-party library detection in android markets |
Naidu et al. | A syntactic approach for detecting viral polymorphic malware variants |
Akram et al. | DroidMD: an efficient and scalable android malware detection approach at source code level |
Ladisa et al. | On the feasibility of cross-language detection of malicious packages in npm and pypi |
Chen et al. | Malware classification using static disassembly and machine learning |
Feichtner et al. | Obfuscation-resilient code recognition in Android apps |
Zhou et al. | Model-less Is the Best Model: Generating Pure Code Implementations to Replace On-Device DL Models |
Guo et al. | A survey of obfuscation and deobfuscation techniques in android code protection |
Liu et al. | Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components |
US11307962B2 (en) | Method for semantic preserving transform mutation discovery and vetting |
Gonzalez et al. | Measuring code reuse in Android apps |
Liu et al. | ImageDroid: Using deep learning to efficiently detect Android malware and automatically mark malicious features |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |
GR01 | Patent grant |