CN104200164A - Loader virus searching and killing method, device and terminal - Google Patents

Info

Publication number: CN104200164A (granted as CN104200164B)
Application number: CN201410458394.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 陈根, 刘桂峰, 姚辉
Original assignee: Beijing Kingsoft Internet Security Software Co Ltd
Current assignee: Zhuhai Baoqu Technology Co Ltd
Legal status: granted, active
Prior art keywords: function, derivative (export) function, file, target detection program, detection program

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

An embodiment of the invention discloses a method for detecting and removing Loader viruses, comprising the following steps: obtaining a Dynamic Link Library (DLL) file of a target detection program; extracting a plurality of export functions from the DLL file of the target detection program; judging whether one and only one of those export functions has a logic function and, if so, determining that the DLL file of the target detection program is a Loader virus; and removing or quarantining the target detection program. Correspondingly, the embodiment of the invention also discloses a device and a terminal for detecting and removing Loader viruses. With the invention, Loader viruses can be detected and removed at low maintenance cost and with high accuracy.

Description

Method, device and terminal for detecting and removing loader (Loader) viruses
Technical field
The present invention relates to the field of network security technology, and in particular to a method, device and terminal for detecting and removing loader (Loader) viruses.
Background technology
A Trojan horse is a common kind of computer virus. It hides on a host computer, and the virus author can use it to damage the host, steal files, control it remotely and so on; for example, the author can remotely perform sensitive operations such as "switch on the camera" or "switch on the microphone" through the Trojan, which poses a serious threat to the user's privacy. A loader (Loader) virus is a kind of Trojan horse: it usually disguises itself as a DLL (Dynamic Link Library) file of a host program and is started and run together with that host program. Note that the host program a Loader virus depends on is often a program from an established company that carries a trusted digital signature, which makes the virus hard to detect and remove.
At present, the usual way of dealing with Loader viruses is to first identify the host program to be tested, look up in a preset database the list of DLL file names that this host program has under normal circumstances, and then check whether the DLL file names the host program actually has match that list; if they do not, the host program is carrying a disguised Loader virus. However, because the number of host programs is huge and they are updated frequently, maintaining the database is very expensive, and once maintenance falls out of sync the probability of false positives becomes very high, which degrades the user experience.
Summary of the invention
The technical problem to be solved by the embodiments of the present invention is to provide a method, device and terminal for detecting and removing loader (Loader) viruses, which can detect and remove Loader viruses at low maintenance cost and with high accuracy.
To solve the above technical problem, an embodiment of the present invention provides a method for detecting and removing loader (Loader) viruses, comprising:
obtaining the dynamic link library (DLL) file of a target detection program;
extracting a plurality of export functions from the DLL file of the target detection program;
judging whether one and only one of the plurality of export functions of the DLL file has a logic function, and if so, determining that the DLL file of the target detection program is the Loader virus;
removing or quarantining the target detection program.
Correspondingly, an embodiment of the present invention also provides a device for detecting and removing loader (Loader) viruses, comprising:
a file acquisition module, for obtaining the dynamic link library (DLL) file of a target detection program;
a function extraction module, for extracting a plurality of export functions from the DLL file of the target detection program;
a virus determination module, for judging whether one and only one of the plurality of export functions of the DLL file has a logic function, and if so, determining that the DLL file of the target detection program is the Loader virus;
a virus processing module, for removing or quarantining the target detection program.
Implementing the embodiments of the present invention has the following beneficial effect: by extracting a plurality of export functions from the DLL file of a target detection program and judging whether one and only one of them has a logic function, the embodiments determine whether the DLL file of the target detection program is a Loader virus, so that Loader viruses can be detected and removed at low maintenance cost and with high accuracy.
Accompanying drawing explanation
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of a method for detecting and removing loader (Loader) viruses provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of another method for detecting and removing loader (Loader) viruses provided by an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for detecting and removing loader (Loader) viruses provided by an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a file acquisition module provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a function extraction module provided by an embodiment of the present invention;
Fig. 6 is a schematic diagram of a file directory provided by an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of another device for detecting and removing loader (Loader) viruses provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The device for detecting and removing loader (Loader) viruses in the embodiments of the present invention (hereinafter simply "the device of the present invention") is built into a terminal. The terminal may be a PC, smartphone, tablet computer, game console, e-reader and the like, and the terminal can install or run programs.
It should be understood that the Loader virus of the embodiments of the present invention is a kind of Trojan horse, through which a virus author can damage the host computer, steal files, control it remotely and so on. A Loader virus usually disguises itself as a child file of a host program and is started and run together with the host program. On a terminal running the Windows system, the host program may be an executable (EXE) program with ".EXE" as its filename suffix, and the child file may be a DLL (Dynamic Link Library) file; note that the functions of an EXE program are realized by running one or more DLL files. Usually the DLL files of an EXE program are either in the same file directory as the program or in the system directory, so when the EXE program starts, the terminal by default first searches for the DLL file in the directory of the EXE program and, if nothing is found there, searches the system directory. Exploiting this characteristic, a virus author replaces a DLL file of the EXE program with the Loader virus or places the Loader virus in the directory of the EXE program, then disguises the EXE program as a normal EXE program to deceive the user into using it on the terminal; once the terminal starts this EXE program, the Loader virus runs.
It should also be understood that a Loader virus has the following characteristics: 1. in file type, the Loader virus is a DLL file; 2. in order to deceive the terminal, the number of export functions of the Loader virus is the same as the number of export functions of the normal DLL; 3. the Loader virus uses only one of its export functions to realize its behavior commands, and the other export functions are padded with instruction constants to make up the number.
Fig. 1 is a schematic flow chart of a method for detecting and removing loader (Loader) viruses in an embodiment of the present invention. As shown in the figure, the method of this embodiment may comprise:
S101, obtaining the dynamic link library (DLL) file of the target detection program.
The target detection program may be any application program on the terminal; in the embodiments of the present invention the target detection program may be an EXE program, such as QQ.EXE, and it comprises one or more DLL files. The DLL files start and run together with the target detection program; when a DLL file runs it calls behavior commands, thereby realizing the functions of the target detection program.
Specifically, the device of the present invention obtains one or more DLL files of the target detection program. In a specific implementation, the device may first determine the file directory in which the target detection program is located, and then obtain the one or more DLL files in that directory.
For example, the device of the present invention finds the file directory of the target detection program from its path. The directory may be as shown in Fig. 6, where Document1 and Document2 are folders, X.EXE is the target detection program, A.DLL, B.DLL, E.DLL and F.DLL are the DLL files of the target detection program, and C.SYS and D.DAT are files of other types. Since a Loader virus is a DLL file, the device need only obtain the DLL files in the directory. Note that DLL files may include resource-class (resource) DLL files, which are usually used to export icons, cursors, dialog boxes, strings and the like; such files are very small in size and cannot carry out more complex behavior commands, so a virus author would not disguise the Loader virus as a resource-class DLL file or replace one. Therefore, going further, the device need only obtain the non-resource-class DLL files in the directory.
S102, extracting a plurality of export functions from the DLL file of the target detection program.
It should be understood that the instructions executed by a DLL file are realized through export functions, and each DLL file may have a plurality of export functions.
Specifically, the device of the present invention extracts the plurality of export functions of the DLL file of the target detection program. In a specific implementation, the device may extract the export functions as follows: first obtain a plurality of function addresses in the DLL file of the target detection program, then extract the export functions corresponding to those function addresses. A function address points to the memory location of an export function, so the device can extract the export function from that memory location.
For example, the device of the present invention first obtains three function addresses of the DLL file of the target detection program, namely address_A, address_B and address_C, and then extracts the corresponding export functions A(), B() and C() from address_A, address_B and address_C respectively.
S103, judging whether one and only one of the plurality of export functions of the DLL file has a logic function, and if so, determining that the DLL file of the target detection program is the Loader virus.
Optionally, to improve the accuracy of the judgement, the device of the present invention first judges whether the number of export functions of each DLL file is greater than a preset number threshold, and carries out the following steps only after determining that it is. The preset number threshold is usually set to 2: each DLL file should have at least 3 export functions, since DLL files with no export functions or with fewer than 3 export functions are not representative and would affect the accuracy of the judgement.
Specifically, the device of the present invention judges whether one and only one of the plurality of export functions of the DLL file has a logic function, and if so, determines that the DLL file of the target detection program is the Loader virus. The basis for this judgement in the embodiments of the present invention is that, in order to deceive the terminal, the Loader virus has the same number of export functions as the normal DLL file: supposing the normal DLL file has 5 export functions, the Loader virus also has 5, but the Loader virus uses only 1 of them to realize its behavior commands; the other 4 export functions have no effect at all and are usually padded with instruction constants.
Optionally, the device of the present invention may judge whether one and only one of the export functions of the DLL file has a logic function by the following steps: using a disassembly engine, convert the export functions of the DLL file from bytecode to source code; then perform logic analysis on the export functions converted to source code, to judge whether one and only one of the plurality of export functions of the DLL file has source code with a logic function. Note that the export functions of a DLL file consist of bytecode, and it is hard to judge directly from the bytecode whether an export function has a logic function, so the device first converts the export functions from bytecode to source code using a disassembly engine; for example, the device converts the bytecode statement "74" into the assembly statement "GNZ". The device then performs logic analysis on the source code to judge whether each export function of the DLL file has a logic function: if the source code of an export function can call an application program DLL (dynamic link library) API, that export function has a logic function; if instead the source code of an export function is merely a placeholder instruction constant such as "A(): Xor eax, eax Retn", that export function has no logic function.
Further optionally, when judging whether an export function has a logic function, the device of the present invention may perform logic analysis only on export functions whose source code length is greater than a preset length threshold. The reason is that the source code of a function realizing some logic function cannot be too short, so by setting the above length threshold the device can skip logic analysis of source code that is too short and directly judge that it has no logic function. For example, supposing a DLL file has 100 export functions and the source code length of 80 of them does not exceed the preset length threshold, the device can directly judge that those 80 export functions have no logic function and perform logic analysis only on the source code of the remaining 20. As is well known, logic analysis consumes a certain amount of overhead and time; with the above method the device reduces overhead and time, increases efficiency and improves the user experience.
S104, removing or quarantining the target detection program.
Specifically, the device of the present invention removes or quarantines the target detection program that has been determined to carry the Loader virus.
Further optionally, the device of the present invention updates the virus database with the above target detection program, and sends a warning to the user when the target detection program is detected. The virus database may be a cloud database, from which other terminals can obtain virus data over the Internet.
In the embodiments of the present invention, by extracting a plurality of export functions from the DLL file of a target detection program and judging whether one and only one of them has a logic function, it is determined whether the DLL file of the target detection program is a Loader virus; Loader viruses can thus be detected and removed at low maintenance cost and with high accuracy.
Fig. 2 is a schematic flow chart of another method for detecting and removing loader (Loader) viruses in an embodiment of the present invention, which may comprise:
S201, determining the file directory in which the target detection program is located.
The target detection program may be any application program on the terminal; in the embodiments of the present invention the target detection program may be an EXE program, such as QQ.EXE, and it comprises one or more DLL files. The DLL files start and run together with the target detection program; when a DLL file runs it calls behavior commands, thereby realizing the functions of the target detection program.
Specifically, the device of the present invention can determine the file directory in which the target detection program is located. For example, the device finds the file directory of the target detection program from its path. The directory may be as shown in Fig. 6, where Document1 and Document2 are folders, X.EXE is the target detection program, A.DLL, B.DLL, E.DLL and F.DLL are the DLL files of the target detection program, and C.SYS and D.DAT are files of other types.
S202, obtaining the non-resource-class DLL files in the file directory.
Specifically, the device of the present invention obtains the one or more non-resource-class DLL files in the file directory. Since a Loader virus is a DLL file, the device need only obtain the DLL files in the directory. In addition, DLL files may include resource-class (resource) DLL files, which are usually used to export icons, cursors, dialog boxes, strings and the like; such files are very small in size and cannot carry out more complex behavior commands, so a virus author would not disguise the Loader virus as a resource-class DLL file or replace one. Therefore, going further, the device need only obtain the non-resource-class DLL files in the directory.
S203, obtaining a plurality of function addresses in the DLL file of the target detection program.
It should be understood that the instructions executed by a DLL file are realized through export functions, and each DLL file may have a plurality of export functions. A function address points to the memory location of an export function, and the export function can be extracted from that memory location.
Specifically, the device of the present invention extracts the plurality of export functions of the DLL file of the target detection program.
S204, extracting the export functions corresponding respectively to the plurality of function addresses.
Specifically, the device of the present invention extracts the export functions corresponding to the plurality of function addresses. For example, supposing three function addresses of the DLL file of the target detection program are obtained, namely address_A, address_B and address_C, the device extracts the corresponding export functions A(), B() and C() from address_A, address_B and address_C respectively.
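Steps S201 to S204 (and the same steps S101 and S102 of the Fig. 1 flow, and units 311/312 and 321/322 of the device described later) amount to walking the PE export directory of each non-resource DLL found beside the executable and reading the code at every exported address. The following is an added example written for this page, not code from the patent or its assignee: a minimal PE32 export-table parser in Python together with a builder for a constructed, synthetic DLL to run it on. The `has_code_section` filter for resource-only DLLs (a DLL with no section flagged as code), reading a function's body as the bytes from its export address up to the next export address, and the function names `build_synthetic_dll`, `SAMPLE_DLL`, `ExportA`/`ExportB`/`ExportC` are all assumptions or constructed inputs of this example.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020  # section characteristics flag: "contains executable code"

def _sections(data):
    """Parse DOS/COFF/optional headers; return (export_rva, export_size, [(va, vsize, raw_ptr, raw_size, flags)])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 (PE32, magic 0x10B) or +112 (PE32+); entry 0 is the export table.
    export_rva, export_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    secs = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((va, vsize, raw_ptr, raw_size, struct.unpack_from("<I", data, off + 36)[0]))
    return export_rva, export_size, secs

def _rva_to_offset(rva, secs):
    """Map a relative virtual address to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size, _ in secs:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def has_code_section(data):
    """S202 filter (assumption of this example): a resource-only DLL has no section flagged as code."""
    return any(flags & IMAGE_SCN_CNT_CODE and raw_size for _, _, _, raw_size, flags in _sections(data)[2])

def parse_exports(data):
    """S203: return [(export_name, function_rva)] from the export directory; forwarded exports are skipped."""
    export_rva, export_size, secs = _sections(data)
    if export_rva == 0:
        return []
    directory = struct.unpack_from("<IIHHIIIIIII", data, _rva_to_offset(export_rva, secs))
    n_funcs, n_names, addr_funcs, addr_names, addr_ords = directory[6:]
    funcs = struct.unpack_from("<%dI" % n_funcs, data, _rva_to_offset(addr_funcs, secs))
    names = struct.unpack_from("<%dI" % n_names, data, _rva_to_offset(addr_names, secs))
    ords = struct.unpack_from("<%dH" % n_names, data, _rva_to_offset(addr_ords, secs))
    exports = []
    for name_rva, ordinal in zip(names, ords):
        rva = funcs[ordinal]
        if export_rva <= rva < export_rva + export_size:
            continue  # forwarder: the entry points at a "DLL.Func" string inside the export directory, not at code
        start = _rva_to_offset(name_rva, secs)
        exports.append((data[start:data.index(b"\0", start)].decode("ascii"), rva))
    return exports

def extract_export_functions(data, max_len=64):
    """S204: return {name: code bytes} read from each export address up to the next export address (capped)."""
    secs, exports = _sections(data)[2], parse_exports(data)
    rvas = sorted({rva for _, rva in exports})
    out = {}
    for name, rva in exports:
        following = [r for r in rvas if r > rva]
        length = min(max_len, following[0] - rva) if following else max_len
        start = _rva_to_offset(rva, secs)
        out[name] = data[start:start + length]
    return out

def build_synthetic_dll(exports, code=True, section_rva=0x1000, section_raw=0x200):
    """Constructed test input: a minimal PE32 DLL with one section holding the given (name, code) exports.
    code=False marks the section as data only, imitating a resource-only DLL."""
    body, func_rvas = bytearray(), []
    for _, stub in exports:
        func_rvas.append(section_rva + len(body))
        body += stub.ljust(16, b"\xcc")  # pad each stub to 16 bytes with int3
    n, dir_off = len(exports), len(body)
    funcs_off, names_off = dir_off + 40, dir_off + 40 + 4 * n
    ords_off, str_off = names_off + 4 * n, names_off + 6 * n
    strings, name_rvas = bytearray(b"synthetic.dll\0"), []
    for name, _ in exports:
        name_rvas.append(section_rva + str_off + len(strings))
        strings += name.encode("ascii") + b"\0"
    body += struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, section_rva + str_off, 1, n, n,
                        section_rva + funcs_off, section_rva + names_off, section_rva + ords_off)
    body += struct.pack("<%dI" % n, *func_rvas) + struct.pack("<%dI" % n, *name_rvas)
    body += struct.pack("<%dH" % n, *range(n)) + strings
    export_size, raw_size = len(body) - dir_off, (len(body) + 0x1FF) & ~0x1FF
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, section_rva + dir_off, export_size)  # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".text" if code else b".rsrc", len(body), section_rva, raw_size,
                       section_raw, 0, 0, 0, 0, 0x60000020 if code else 0x40000040)
    return bytes((dos + coff + opt + sect).ljust(section_raw, b"\0") + body.ljust(raw_size, b"\0"))

# Constructed sample: two placeholder exports ("xor eax, eax / ret") and one that calls through the import table.
SAMPLE_DLL = build_synthetic_dll([
    ("ExportA", b"\x31\xc0\xc3"),
    ("ExportB", b"\x31\xc0\xc3"),
    ("ExportC", b"\x55\x89\xe5\xff\x15\x00\x20\x00\x10\xc9\xc3"),
])

if __name__ == "__main__":
    print("has code section:", has_code_section(SAMPLE_DLL))
    bodies = extract_export_functions(SAMPLE_DLL)
    for name, rva in parse_exports(SAMPLE_DLL):
        print("%-8s rva=%#x  %s" % (name, rva, bodies[name].hex()))
```

The bytes returned per export are what step S206 would hand to a disassembly engine; the next example on this page takes over from that point. Treating "no code section" as "resource-only" is a cheap approximation: a DLL built with a code stub but only resource content would pass this filter and simply be examined like any other DLL.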
S205, judging whether the number of export functions of the DLL file is greater than 3.
Specifically, to improve the accuracy of the judgement, the device of the present invention judges whether the number of export functions of each DLL file is greater than the preset number threshold, and performs step S206 only after determining that it is. The preset number threshold is usually set to 2: each DLL file should have at least 3 export functions, since DLL files with no export functions or with fewer than 3 export functions are not representative and would affect the accuracy of the judgement.
S206, converting the export functions of the DLL file from bytecode to source code using a disassembly engine.
In general, the export functions of a DLL file consist of bytecode. Specifically, the device of the present invention can convert the export functions from bytecode to source code using a disassembly engine; for example, the device converts the bytecode statement "74" into the assembly statement "GNZ".
S207, obtaining the export functions whose source code length is greater than the preset length threshold.
Specifically, the device of the present invention obtains the export functions whose source code length is greater than the preset length threshold, and judges that export functions whose source code length does not exceed the preset length threshold have no logic function. The reason is that the source code of a function realizing some logic function cannot be too short, so by setting the above length threshold the device can directly judge that such source code has no logic function. For example, supposing a DLL file has 100 export functions and the source code length of 80 of them does not exceed the preset length threshold, the device can directly judge that those 80 export functions have no logic function.
S208, performing logic analysis on the export functions whose source code length is greater than the preset length threshold, judging whether one and only one of the plurality of export functions of the DLL file has source code with a logic function, and if so, determining that the DLL file of the target detection program is the Loader virus.
The basis for this judgement in the embodiments of the present invention is that, in order to deceive the terminal, the Loader virus has the same number of export functions as the normal DLL file: supposing the normal DLL file has 5 export functions, the Loader virus also has 5, but the Loader virus uses only 1 of them to realize its behavior commands; the other 4 export functions have no effect at all and are usually padded with instruction constants.
In a specific implementation, if the source code of an export function can call an application program DLL (dynamic link library) API, that export function has a logic function; if instead the source code of an export function is merely a placeholder instruction constant such as "A(): Xor eax, eax Retn", that export function has no logic function.
Note that logic analysis consumes a certain amount of overhead and time; since the embodiment of the present invention performs logic analysis only on export functions whose source code length exceeds the preset length threshold, it evidently saves overhead and time, increases efficiency and improves the user experience. For example, supposing a DLL file has 100 export functions and the source code length of 80 of them does not exceed the preset length threshold, the device can directly judge that those 80 export functions have no logic function and perform logic analysis only on the source code of the remaining 20.
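Steps S205 to S208 (and S103 of the Fig. 1 flow, and the virus determination module 330 of the device) make the actual decision: skip DLLs with too few exports, drop exports whose disassembly is too short, classify the rest, and flag the DLL when exactly one export does real work. The following is an added example, not code from the patent, that applies that decision to disassembler output represented as lists of instruction strings. The filler pattern (`xor reg, reg`, `retn`, `nop`, `int3`, `mov reg, imm`), the thresholds (`count_threshold=2`, i.e. at least three exports, and `length_threshold=4` instructions), and treating any `call` as evidence of a logic function are assumptions of this example; `SUSPECT` and `NORMAL` are constructed inputs.

```python
import re

# Instructions that merely occupy space; an export made only of these is an "instruction constant" placeholder.
# Assumption of this example: the page names "xor eax, eax / retn"; nop, int3 and "mov reg, imm" are added here.
FILLER = re.compile(r"^(?:nop|int3|retn?|xor\s+(\w+),\s*\1|mov\s+\w+,\s*\d+)$")

def is_filler(instructions):
    """True when every instruction of the export is padding."""
    return bool(instructions) and all(FILLER.match(ins.strip().lower()) for ins in instructions)

def has_logic(instructions, length_threshold=4):
    """S207 + S208 for one export: too-short bodies and pure padding have no logic function;
    otherwise (assumption) a call, e.g. through the import table, is taken as evidence of real work."""
    if len(instructions) <= length_threshold:  # S207: not longer than the preset length threshold
        return False
    if is_filler(instructions):  # long enough, but nothing but padding
        return False
    return any(ins.strip().lower().startswith("call") for ins in instructions)

def exports_with_logic(exports, length_threshold=4):
    """Names of the exports whose disassembly has a logic function."""
    return [name for name, ins in exports.items() if has_logic(ins, length_threshold)]

def classify_dll(exports, count_threshold=2, length_threshold=4):
    """S205 to S208 for a whole DLL. exports: {export_name: [instruction, ...]} as a disassembler emits them.
    count_threshold=2 follows the text: a DLL needs at least three exports before the rule is applied."""
    if len(exports) <= count_threshold:  # S205: too few exports to be representative
        return "undetermined"
    # S208: exactly one working export among padded siblings is the Loader signature
    return "loader" if len(exports_with_logic(exports, length_threshold)) == 1 else "clean"

# Constructed disassembly of a suspected Loader: four placeholder exports and one that does the work.
SUSPECT = {
    "Init":  ["xor eax, eax", "retn"],
    "Start": ["xor eax, eax", "retn"],
    "Stop":  ["mov eax, 1", "retn"],
    "Query": ["nop", "nop", "nop", "nop", "nop", "nop"],  # passes the length threshold, still padding
    "Run":   ["push ebp", "mov ebp, esp", "push offset aCmdline",
              "call dword ptr [__imp_CreateProcessA]", "leave", "retn"],
}

# Constructed disassembly of a normal DLL in which every export does real work.
NORMAL = {
    "Open":  ["push ebp", "mov ebp, esp", "push [ebp+8]", "call dword ptr [__imp_CreateFileA]", "leave", "retn"],
    "Read":  ["push ebp", "mov ebp, esp", "push [ebp+8]", "call dword ptr [__imp_ReadFile]", "leave", "retn"],
    "Close": ["push ebp", "mov ebp, esp", "push [ebp+8]", "call dword ptr [__imp_CloseHandle]", "leave", "retn"],
}

if __name__ == "__main__":
    for label, dll in (("SUSPECT", SUSPECT), ("NORMAL", NORMAL)):
        print(label, classify_dll(dll), "exports with logic:", exports_with_logic(dll))
```

The "exactly one export with logic" rule is the page's criterion, and on its own it also flags a benign DLL that ships one working export next to several stubs; in the flow above it is reached only after the directory and resource-DLL filters, and a practitioner would treat a "loader" verdict as a candidate for review before the database update of step S209 propagates it to other terminals.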
S209, removing or quarantining the target detection program.
Specifically, the device of the present invention removes or quarantines the target detection program that has been determined to carry the Loader virus.
Further optionally, the device of the present invention updates the virus database with the above target detection program, and sends a warning to the user when the target detection program is detected. The virus database may be a cloud database, from which other terminals can obtain virus data over the Internet.
In the embodiments of the present invention, by extracting a plurality of export functions from the DLL file of a target detection program and judging whether one and only one of them has a logic function, it is determined whether the DLL file of the target detection program is a Loader virus; Loader viruses can thus be detected and removed at low maintenance cost and with high accuracy.
Fig. 3 is the structural representation of a kind of killing device of loader Loader virus in the embodiment of the present invention.The killing device of the loader Loader virus in the embodiment of the present invention at least can comprise file acquisition module 310, function extraction module 320, viral determination module 330 and virus treated module 340 as shown in the figure, wherein:
File acquisition module 310, for obtaining the dynamic link library (DLL) file of target detection program.Concrete, described file acquisition module 310 can further comprise as shown in Figure 4: catalogue determining unit 311 and file acquisition unit 312, wherein:
Catalogue determining unit 311, for determining the file directory at described target detection program place.
Described target detection program can be any one application program in terminal, and in embodiments of the present invention, target detection program can be EXE program, and such as QQ.EXE etc., target detection program comprises one or more dll files.Described dll file starts and moves with target detection program, during dll file operation, will call behavior command, thus the function of realize target trace routine.
Concrete, catalogue determining unit 311 can be determined the file directory at target detection program place.For example, catalogue determining unit 311 is according to the path of target detection program, find the file directory of target detection program, file directory can be as shown in Figure 6, wherein, Document1, Document2 represent file, and X.EXE represents target detection program, A.DLL, B.DLL, E.DLL and F.DLL represent the dll file of target detection program, and C.SYS and D.DAT represent the file of other form.
File acquisition unit 312, for obtaining the dll file of the non-resource class under described file directory.
Concrete, file acquisition unit 312 obtains the dll file of the one or more non-resource classes under file directory.It is pointed out that because Loader virus in file type is dll file, so file acquisition unit 312 only needs to obtain the dll file under file directory.In addition, dll file can comprise the dll file of resources-type (resource), resources-type dll file is usually used in deriving icon, cursor, dialog box or character string etc., therefore its byte is very little, cannot carry out more complicated behavior command, and then viral author can be by the dll file of the camouflage of Loader virus or replacement resource class, therefore further, file acquisition unit 312 only needs to obtain the dll file of the non-resource class under file directory.
Function extraction module 320, for extracting a plurality of export functions (the "derivative functions" of the original machine translation) of the DLL file of the target detection program. As shown in Figure 5, the function extraction module 320 may further comprise an address acquisition unit 321 and a function extraction unit 322, wherein:
Address acquisition unit 321, for obtaining a plurality of function addresses of the DLL file of the target detection program.
It should be understood that the instructions executed by a DLL file are implemented by its export functions, and each DLL file may have a plurality of export functions. A function address points to the storage location of an export function, and the export function can be extracted from that storage location.
Specifically, the address acquisition unit 321 obtains a plurality of function addresses of the DLL file of the target detection program.
Function extraction unit 322, for extracting the export functions corresponding respectively to the plurality of function addresses.
Specifically, the function extraction unit 322 extracts the export function corresponding to each of the plurality of function addresses. For example, suppose three function addresses of the DLL file of the target detection program are obtained, namely address_A, address_B and address_C; the function extraction unit 322 extracts the corresponding export functions A(), B() and C() from address_A, address_B and address_C respectively.
Virus determination module 330, for judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, and if so, determining that the DLL file of the target detection program is the Loader virus.
Specifically, the virus determination module 330 judges whether one and only one of the plurality of export functions of the DLL file has logic functionality, and if so determines that the DLL file of the target detection program is a Loader virus. The basis for this judgement in embodiments of the present invention is as follows: in order to deceive the terminal, a Loader virus has the same number of export functions as the normal DLL file. Supposing the normal DLL file has 5 export functions, the Loader virus also has 5; however, the Loader virus uses only 1 of these export functions to implement its behaviour instructions, while the other 4 have no effect at all and are usually filled with constant placeholder instructions.
Virus handling module 340, for removing or isolating the target detection program.
Specifically, the virus handling module 340 removes or isolates the target detection program that has been determined to carry the Loader virus.
Further optionally, the virus handling module 340 updates a virus database with the target detection program, and sends an alert to the user whenever the target detection program is detected again. The virus database may be a cloud database, from which other terminals can obtain virus data over the Internet.
Optionally, referring to Fig. 3, the searching and killing device for a Loader virus in the embodiment of the present invention may also comprise a threshold determination module 350 as shown in the figure, for determining, before the virus determination module 330 judges whether one and only one of the plurality of export functions of the DLL file has logic functionality, that the number of export functions of the DLL file is greater than a preset count threshold.
Specifically, in order to improve the accuracy of the judgement, the threshold determination module 350 first judges whether the number of export functions of each DLL file is greater than the preset count threshold, and only after determining that the number of export functions exceeds the preset count threshold does it trigger the virus determination module 330 to judge whether one and only one of the plurality of export functions of the DLL file has logic functionality. The preset count threshold is usually set to 2, so that each DLL file should have at least 3 export functions: a DLL file with fewer than 3, having either no export functions or export functions that are not representative, lacks generality and would affect the accuracy of the judgement.
Optionally, referring to Fig. 3, the searching and killing device for a Loader virus in the embodiment of the present invention may also comprise a code conversion module 360 as shown in the figure, for converting the export functions of the DLL file from byte code into source code on the basis of a disassembly engine.
Accordingly, the virus determination module 330 is specifically for judging, by performing logic analysis on the export functions converted into source code, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
It should be noted that the export functions of a DLL file consist of byte code, and it is difficult to judge directly from the byte code whether an export function of the DLL file has logic functionality. The code conversion module 360 therefore first converts the export functions from byte code into source code by means of the disassembly engine; for example, the code conversion module 360 converts the byte code statement "74" into the assembly statement "GNZ". The virus determination module 330 then performs logic analysis on the source code to judge whether each export function of the DLL file has logic functionality: if the source code of an export function calls an application programming interface (API), that export function has logic functionality, whereas if the source code of an export function consists of placeholder instruction constants such as "A(): xor eax, eax; retn", that export function has no logic functionality.
Further optionally, referring to Fig. 3, the searching and killing device for a Loader virus in the embodiment of the present invention may also comprise a function screening module 370 as shown in the figure, for obtaining the export functions whose source code length is greater than a preset length threshold.
Accordingly, the virus determination module 330 is specifically for judging, by performing logic analysis on the export functions whose source code length is greater than the preset length threshold, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
The reason is that the source code of an export function that implements some logic function cannot be too short. By setting the preset length threshold, the virus determination module 330 can skip logic analysis of source code that is too short and directly judge that it has no logic functionality. For example, suppose a DLL file has 100 export functions and the source code length of 80 of them does not exceed the preset length threshold; the function screening module 370 can then directly judge those 80 export functions to have no logic functionality, and the virus determination module 330 performs logic analysis only on the source code of the remaining 20 export functions. Since logic analysis consumes a certain amount of overhead and time, this method lets the virus determination module 330 reduce overhead and time, increase efficiency and improve the user experience.
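The following Python is an added example, not code from the patent, that models the pipeline of the preceding paragraphs end to end: extraction of export functions from a list of function addresses (units 321 and 322), the export-count threshold (module 350), the length filter (module 370) and the one-export-with-logic decision (module 330). The names IMAGE, extract_exports, has_logic and classify, the byte image and export tables, and the length threshold of 3 bytes are all constructed for the example; the disassembly engine is replaced by a byte-pattern check for x86 call instructions, which is a simplification of the logic analysis the patent describes.

```python
# Added example (not the patent's code): a simplified, offline model of the
# export-function check. All names, sample bytes and thresholds are assumptions.

RET_OPCODES = {0xC3, 0xC2}      # retn / retn imm16 end a function (simplification)
CALL_REL32 = 0xE8               # call rel32
CALL_IAT = (0xFF, 0x15)         # call dword ptr [disp32], the usual import (API) call

# Constructed toy module image (x86 byte code) standing in for a DLL's code section.
IMAGE = bytes.fromhex(
    "31C0C3"                    # offset  0, A(): xor eax, eax ; retn        (placeholder)
    "31C0C3"                    # offset  3, B(): xor eax, eax ; retn        (placeholder)
    "5589E5FF15003040005DC3"    # offset  6, C(): push ebp ; mov ebp, esp ;
                                #                 call [0x403000] ; pop ebp ; retn (API call)
    "C3"                        # offset 17, D(): retn                       (placeholder)
    "B801000000C3"              # offset 18, E(): mov eax, 1 ; retn          (no call)
    "E810000000C3"              # offset 24, F(): call rel32 ; retn          (has logic)
)

# Constructed export tables (name -> function address, here an offset into IMAGE).
LOADER_EXPORTS = {"A": 0, "B": 3, "C": 6, "D": 17, "E": 18}   # one real export, four stubs
CLEAN_EXPORTS = {"A": 0, "C": 6, "E": 18, "F": 24}            # two exports do real work
TINY_EXPORTS = {"A": 0, "C": 6}                               # too few exports to judge


def extract_exports(image: bytes, addresses: dict) -> dict:
    """Map each export name to its code bytes (function extraction unit 322).

    `addresses` plays the role of the export table read by unit 321. Simplification:
    a function is read up to and including its first ret opcode; a real implementation
    would follow the disassembly engine's instruction boundaries instead.
    """
    functions = {}
    for name, start in addresses.items():
        end = start
        while end < len(image) and image[end] not in RET_OPCODES:
            end += 1
        # include the ret itself (retn imm16 is three bytes long)
        end += 3 if end < len(image) and image[end] == 0xC2 else 1
        functions[name] = image[start:end]
    return functions


def has_logic(code: bytes) -> bool:
    """Logic analysis (module 330): an export has logic if it calls an API.

    Simplification: detect call rel32 or call [disp32] by opcode bytes.
    """
    for i, b in enumerate(code):
        if b == CALL_REL32:
            return True
        if b == CALL_IAT[0] and i + 1 < len(code) and code[i + 1] == CALL_IAT[1]:
            return True
    return False


def classify(functions: dict, count_threshold: int = 2, length_threshold: int = 3):
    """Return (verdict, per-export logic flags).

    verdict is 'undetermined' (export count not above count_threshold, module 350),
    'loader_virus' (exactly one export has logic) or 'clean'. Exports whose code is
    not longer than length_threshold are judged to have no logic without analysis
    (module 370).
    """
    if len(functions) <= count_threshold:
        return "undetermined", {}
    detail = {}
    for name, code in functions.items():
        detail[name] = False if len(code) <= length_threshold else has_logic(code)
    with_logic = [name for name, flag in detail.items() if flag]
    return ("loader_virus" if len(with_logic) == 1 else "clean"), detail


def run_samples() -> dict:
    """Classify the three constructed export tables; returns sample name -> verdict."""
    return {name: classify(extract_exports(IMAGE, table))[0]
            for name, table in (("loader", LOADER_EXPORTS),
                                ("clean", CLEAN_EXPORTS),
                                ("tiny", TINY_EXPORTS))}


if __name__ == "__main__":
    for sample, verdict in run_samples().items():
        print(f"{sample:>6}: {verdict}")
    print(classify(extract_exports(IMAGE, LOADER_EXPORTS))[1])
```

The count threshold of 2 mirrors the patent's default; the length threshold has no value on the page, so 3 bytes is chosen here so that the three-byte `xor eax, eax; retn` stub is filtered out before analysis while the longer `mov eax, 1; retn` still reaches has_logic and is correctly judged to have no logic.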
Referring to Fig. 7, an embodiment of the present invention provides a schematic structural diagram of another searching and killing device for a Loader virus. This searching and killing device can be used to implement the Loader virus searching and killing method provided in the embodiments of Fig. 1 to Fig. 2. Specifically:
The searching and killing device 400 may comprise a network interface 410, a memory 420 including one or more computer-readable storage media, an input unit 430, a display unit 440, a power supply 450, a processor 460 including one or more processing cores, and other components. Those skilled in the art will understand that the structure shown in Fig. 7 does not limit the searching and killing device, which may comprise more or fewer components than illustrated, combine some components, or arrange the components differently. Wherein:
The network interface 410 can be used to access a network and may be implemented in practice with a broadband network interface, a WiFi (Wireless Fidelity) module or an RF (Radio Frequency) module.
The memory 420 can be used to store software programs and modules; the processor 460 runs the software programs and modules stored in the memory 420 so as to perform various functional applications and data processing. The memory 420 may mainly comprise a program storage area and a data storage area. In addition, the memory 420 may comprise high-speed random access memory and may also comprise non-volatile memory, for example at least one magnetic disk storage device, flash memory device or other volatile solid-state storage component. Correspondingly, the memory 420 may also comprise a memory controller to provide the processor 460 and the input unit 430 with access to the memory 420.
The input unit 430 can be used to receive input numeric or character information and to generate keyboard, mouse, joystick, optical or trackball signal input related to user settings and function control. In particular, the input unit 430 may comprise a touch screen or keyboard-and-mouse 431 and other input devices 432. The touch screen, also called a touch display screen or touch pad, can collect the user's touch operations on or near it (such as operations performed by the user with a finger, a stylus or any other suitable object or accessory on or near the touch-sensitive surface) and drive the corresponding connecting device according to a preset program. The keyboard-and-mouse comprises a physical keyboard and a physical mouse. Besides the touch screen or keyboard-and-mouse 431, the input unit 430 may also comprise other input devices 432, which may include but are not limited to one or more of function keys (such as volume control buttons and switch keys), a trackball, a joystick and the like.
The display unit 440 can be used to display information input by the user or information provided to the user, and the various graphical user interfaces of the searching and killing device 400, which may consist of graphics, text, icons, video and any combination thereof. The display unit 440 may comprise a display panel 441, which may optionally be configured in the form of an LCD (Liquid Crystal Display), an OLED (Organic Light-Emitting Diode) or the like.
The searching and killing device 400 also comprises a power supply 450 (such as a battery) that supplies power to all components. Preferably, the power supply is logically connected to the processor 460 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system. The power supply 450 may also comprise any components such as one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power converter or inverter, and a power status indicator.
The processor 460 is the control centre of the searching and killing device; it connects the various parts of the whole mobile phone through various interfaces and lines, and performs various functions and processes data by running or executing the software programs and/or modules stored in the memory 420 and calling the data stored in the memory 420. Optionally, the processor 460 may comprise one or more processing cores; preferably, the processor 460 may integrate an application processor, which mainly handles the operating system, user interface and application programs, and a modem processor, which mainly handles communication. It will be understood that the modem processor may also not be integrated into the processor 460.
Further, the processor 460 calls the program code stored in the memory 420 to perform the following operations:
obtaining the dynamic link library (DLL) file of the target detection program;
extracting a plurality of export functions of the DLL file of the target detection program;
judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, and if so, determining that the DLL file of the target detection program is the Loader virus;
removing or isolating the target detection program.
The part of the technical solution of the embodiments of the present invention that in essence contributes to the prior art, or the whole technical solution, may be embodied in the form of a computer software product stored in a storage medium (such as a ROM/RAM, a magnetic disk or an optical disc) and comprising instructions for causing a terminal to perform some or all of the steps of the Loader virus searching and killing method of the embodiments of Fig. 1 to Fig. 2 of the present invention.
By extracting a plurality of export functions of the DLL file of the target detection program and judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, the embodiments of the present invention determine whether the DLL file of the target detection program is a Loader virus, so that the Loader virus can be searched for and killed, with the features of low maintenance cost and high accuracy.
In the description of this specification, reference to the terms "an embodiment", "some embodiments", "an example", "a specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic statements of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where no conflict arises, those skilled in the art may combine the features of the different embodiments or examples described in this specification.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the technical features indicated. Thus, a feature defined with "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, for example two or three, unless otherwise specifically defined.
Any process or method described in a flowchart or otherwise herein may be understood as representing a module, segment or portion of code comprising one or more executable instructions for implementing the steps of a specific logical function or process, and the scope of the preferred embodiments of the present invention includes other implementations in which functions may be performed out of the order shown or discussed, including substantially simultaneously or in the reverse order depending on the functions involved, as should be understood by those skilled in the art to which the embodiments of the present invention belong.
The logic and/or steps represented in a flowchart or otherwise described herein, which may for example be considered an ordered list of executable instructions for implementing logic functions, may be embodied in any computer-readable medium for use by or in connection with an instruction execution system, device or apparatus (such as a computer-based system, a system including a processor, or another system that can fetch and execute instructions from an instruction execution system, device or apparatus). For the purposes of this specification, a "computer-readable medium" may be any means that can contain, store, communicate, propagate or transmit a program for use by or in connection with an instruction execution system, device or apparatus. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection (electronic device) with one or more wires, a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a fibre-optic device, and a portable compact disc read-only memory (CDROM). The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that each part of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, a plurality of steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following techniques known in the art: discrete logic circuits with logic gate circuits for implementing logic functions on data signals, application-specific integrated circuits with suitable combinational logic gate circuits, programmable gate arrays (PGA), field programmable gate arrays (FPGA), and the like.
Those skilled in the art will understand that all or part of the steps carried by the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, includes one or a combination of the steps of the method embodiments. In addition, the functional units in the embodiments of the present invention may be integrated in one processing module, may exist physically as separate units, or two or more units may be integrated in one module. The integrated module may be implemented in the form of hardware or in the form of a software functional module. If the integrated module is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The above-mentioned storage medium may be a read-only memory, a magnetic disk, an optical disc or the like. Although embodiments of the present invention have been illustrated and described above, it will be understood that the above embodiments are exemplary and cannot be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.
What is disclosed above is only a preferred embodiment of the present invention and certainly cannot limit the scope of rights of the present invention; equivalent variations made according to the claims of the present invention therefore still fall within the scope covered by the present invention.

Claims (19)

1. A method for searching and killing a Loader virus, characterized in that the method comprises:
obtaining a dynamic link library (DLL) file of a target detection program;
extracting a plurality of export functions of the DLL file of the target detection program;
judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, and if so, determining that the DLL file of the target detection program is the Loader virus;
removing or isolating the target detection program.
2. The method according to claim 1, characterized in that the obtaining of the dynamic link library (DLL) file of the target detection program comprises:
determining the file directory in which the target detection program is located;
obtaining the non-resource DLL files under the file directory.
3. The method according to claim 1, characterized in that the extracting of the plurality of export functions of the DLL file of the target detection program comprises:
obtaining a plurality of function addresses in the DLL file of the target detection program;
extracting the export functions corresponding respectively to the plurality of function addresses.
4. The method according to claim 1, characterized in that the judging whether one and only one of the plurality of export functions of the DLL file has logic functionality comprises:
converting the export functions of the DLL file from byte code into source code on the basis of a disassembly engine;
judging, by performing logic analysis on the export functions converted into source code, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
5. The method according to claim 4, characterized in that the judging, by performing logic analysis on the export functions converted into source code, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality comprises:
obtaining the export functions whose source code length is greater than a preset length threshold;
judging, by performing logic analysis on the export functions whose source code length is greater than the preset length threshold, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
6. The method according to claim 4, characterized in that the source code having logic functionality comprises:
the source code calling an application programming interface (API).
7. The method according to claim 1, characterized in that, before the judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, the method also comprises:
determining that the number of export functions of the DLL file is greater than a preset count threshold.
8. The method according to claim 7, characterized in that the preset count threshold is 2.
9. The method according to any one of claims 1-8, characterized in that, after the removing or isolating of the target detection program, the method also comprises:
updating a virus database with the target detection program;
sending an alert to the user when the target detection program is detected again.
10. A searching and killing device for a Loader virus, characterized in that the searching and killing device comprises:
a file acquisition module, for obtaining a dynamic link library (DLL) file of a target detection program;
a function extraction module, for extracting a plurality of export functions of the DLL file of the target detection program;
a virus determination module, for judging whether one and only one of the plurality of export functions of the DLL file has logic functionality, and if so, determining that the DLL file of the target detection program is the Loader virus;
a virus handling module, for removing or isolating the target detection program.
11. The searching and killing device according to claim 10, characterized in that the file acquisition module comprises:
a directory determining unit, for determining the file directory in which the target detection program is located;
a file acquisition unit, for obtaining the non-resource DLL files under the file directory.
12. The searching and killing device according to claim 10, characterized in that the function extraction module comprises:
an address acquisition unit, for obtaining a plurality of function addresses of the DLL file of the target detection program;
a function extraction unit, for extracting the export functions corresponding respectively to the plurality of function addresses.
13. The searching and killing device according to claim 10, characterized in that the searching and killing device also comprises:
a code conversion module, for converting the export functions of the DLL file from byte code into source code on the basis of a disassembly engine;
and the virus determination module is specifically for judging, by performing logic analysis on the export functions converted into source code, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
14. The searching and killing device according to claim 13, characterized in that the searching and killing device also comprises:
a function screening module, for obtaining the export functions whose source code length is greater than a preset length threshold;
and the virus determination module is specifically for judging, by performing logic analysis on the export functions whose source code length is greater than the preset length threshold, whether the source code of one and only one of the plurality of export functions of the DLL file has logic functionality.
15. The searching and killing device according to claim 13, characterized in that the source code having logic functionality comprises:
the source code calling an application programming interface (API).
16. The searching and killing device according to claim 10, characterized in that the searching and killing device also comprises:
a threshold determination module, for determining, before the virus determination module judges whether one and only one of the plurality of export functions of the DLL file has logic functionality, that the number of export functions of the DLL file is greater than a preset count threshold.
17. The searching and killing device according to claim 16, characterized in that the preset count threshold is 2.
18. The searching and killing device according to any one of claims 10-17, characterized in that the virus handling module is also for updating a virus database with the target detection program, and for sending an alert to the user when the target detection program is detected again.
19. A terminal, characterized in that the terminal comprises the searching and killing device according to any one of claims 10-18.
Application CN201410458394.5A, priority date 2014-09-10, filing date 2014-09-10: Loader virus searching and killing method, device and terminal. Status: Active; granted as CN104200164B (en).


Publications: CN104200164A (en), published 2014-12-10; CN104200164B (en), published 2017-07-25.



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20181129

Address after: Room 105-53811, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Leopard Technology Co.,Ltd.

Address before: 100085 East District, Second Floor, 33 Xiaoying West Road, Haidian District, Beijing

Patentee before: BEIJING KINGSOFT INTERNET SECURITY SOFTWARE Co.,Ltd.

TR01 Transfer of patent right