CN104252593B - Script monitoring method and device - Google Patents

Script monitoring method and device Download PDF

Info

Publication number
CN104252593B
CN104252593B CN201310263489.7A CN201310263489A CN104252593B CN 104252593 B CN104252593 B CN 104252593B CN 201310263489 A CN201310263489 A CN 201310263489A CN 104252593 B CN104252593 B CN 104252593B
Authority
CN
China
Prior art keywords
script
function
component
monitoring information
compiling
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201310263489.7A
Other languages
Chinese (zh)
Other versions
CN104252593A (en
Inventor
苏海峰
白彦庚
杨景杰
邹义鹏
张楠
陈勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Original Assignee
Beijing Kingsoft Internet Security Software Co Ltd
Conew Network Technology Beijing Co Ltd
Shell Internet Beijing Security Technology Co Ltd
Zhuhai Juntian Electronic Technology Co Ltd
Beijing Kingsoft Internet Science and Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Internet Security Software Co Ltd, Conew Network Technology Beijing Co Ltd, Shell Internet Beijing Security Technology Co Ltd, Zhuhai Juntian Electronic Technology Co Ltd, Beijing Kingsoft Internet Science and Technology Co Ltd filed Critical Beijing Kingsoft Internet Security Software Co Ltd
Priority to CN201310263489.7A priority Critical patent/CN104252593B/en
Publication of CN104252593A publication Critical patent/CN104252593A/en
Application granted granted Critical
Publication of CN104252593B publication Critical patent/CN104252593B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/30Monitoring
    • G06F11/3003Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system

Abstract

The application discloses a script monitoring method and a device, wherein the method comprises the following steps: acquiring monitoring information generated by a component in the process of running a script, wherein the component is a system component in an operating system; and monitoring the script according to the monitoring information. Through the method and the device, the problem that the monitoring effect of the script is poor due to the fact that the mode of adopting the plaintext to carry out virus feature matching is prone to being interfered is solved, and monitoring of the script is enhanced.

Description

Script monitoring method and device
Technical field
The present invention relates to computer safety fields, in particular to script monitoring method and device.
Background technique
Script file, does not need to be compiled into binary file generally, but the program by being had in operating system It is executed, for example, Microsoft visualizes basic formula script version (Microsoft Visual Basic Script Edition, referred to as VBScript, are also abbreviated as VBS), which is a kind of based on the basic programming language (Visual of visualization Basic scripting language).The VBS script be do not need to be compiled into binary file then can be directly by host (for example, operation be Wscript.exe in system) it explains source code and executes.
For script file, in the related art, antivirus software carrys out scan script file generally by characteristic information In plain text, if being matched to characteristic information, suggest that user is virus.However for the script of encryption, if directly matching in plain text, It matches less than anything.The antivirus software of some large manufacturers will use the script virtual machine dynamic that they voluntarily research and develop The script of encryption is decrypted in ground, and uses the feature in the plaintext of the script after decryption matching virus base.Inventor exists It is found in research process, since the matching process is also to carry out before host carries out actual operation processing to the script, It is still using matched mode in plain text, therefore success of this matched result dependent on decryption.If the encryption Script in further comprise the measures of some interference, then expected effect may be not achieved in the matching result.
For the prison for leading to script vulnerable to interference using the progress matched mode of virus characteristic in plain text in the related technology Ineffective problem is controlled, currently no effective solution has been proposed.
Summary of the invention
This application provides a kind of script monitoring method and devices, at least to solve using progress virus characteristic matching in plain text The mode problem that causes the monitoring effect of script bad vulnerable to interference.
According to the one aspect of the application, a kind of script monitoring method is provided, comprising: securing component is in Run Script The monitoring information generated in the process, wherein the component is the system component in operating system;According to the monitoring information to institute Script is stated to be monitored.
Preferably, obtaining the monitoring information that the component generates during running the script includes: hook Compiling function or analytical function in the component;It obtains the component and executes the compiling function or the analytical function During the monitoring information that generates.
Preferably, in the case where the script is encryption script, the compiling function in the component is linked up with;Wherein, institute State the plaintext that monitoring information is the script that the script is decrypted in the compiling function.
Preferably, in the case where linking up with the analytical function in the component, the monitoring information is the parsing Function carries out what syntactic analysis obtained to the script, and the monitoring information includes: component tune when executing the script System command in one or more operating systems.
Preferably, before linking up with the compiling function or the analytical function in the component, the method is also It include: the type for judging the script;It is determined according to the type of the script and links up with the compiling function or the hook solution Analyse function.
Preferably, it is determined according to the type of the script and links up with the compiling function or the hook analytical function packet It includes: in the case where the type of the script is that Microsoft visualizes basic formula VBS script, determining and link up with the compiling letter Number;In the case where the type of the script is batch processing script, determines and link up with the analytical function.
According to the another aspect of the application, a kind of script monitoring device is additionally provided, comprising: module is obtained, for obtaining The monitoring information that component generates during Run Script, wherein the component is the system component in operating system;Monitoring Module, for being monitored according to the monitoring information to the script.
Preferably, the acquisition module includes: hook subelement, for linking up with compiling function or solution in the component Analyse function;Subelement is obtained, is produced for obtaining during the component executes the compiling function or the analytical function The raw monitoring information.
Preferably, the hook subelement, for being linked up in the component in the case where the script is encryption script Compiling function;Wherein, the monitoring information is the script that the script is decrypted in the compiling function In plain text.
Preferably, in the case where linking up with the analytical function in the component, the monitoring information is the parsing Function carries out what syntactic analysis obtained to the script, and the monitoring information includes: component tune when executing the script System command in one or more operating systems.
Preferably, described device further include: judgment module, for judging the type of the script;Determining module is used for root It is determined according to the type of the script and links up with the compiling function or the hook analytical function.
Preferably, the determining module includes: the first determining subelement, for being Microsoft in the type of the script In the case where visualizing basic formula VBS script, determines and link up with the compiling function;Second determines subelement, for described In the case that the type of script is batch processing script, determines and link up with the analytical function.
Pass through the application, the monitoring information generated during Run Script using acquisition system component, according to the prison Control information is monitored the script.Solving leads to foot vulnerable to interference using the progress matched mode of virus characteristic in plain text The bad problem of this monitoring effect, strengthens the monitoring to script.
Detailed description of the invention
The drawings described herein are used to provide a further understanding of the present application, constitutes part of this application, this Shen Illustrative embodiments and their description please are not constituted an undue limitation on the present application for explaining the application.In the accompanying drawings:
Fig. 1 is the flow chart according to the script monitoring method of the embodiment of the present application;
Fig. 2 is the structural block diagram according to the script monitoring device of the embodiment of the present application;
Fig. 3 is the preferred structure block diagram one according to the script monitoring device of the embodiment of the present application;
Fig. 4 is the preferred structure block diagram two according to the script monitoring device of the embodiment of the present application;
Fig. 5 is the preferred structure block diagram three according to the script monitoring device of the embodiment of the present application;
Fig. 6 is the flow chart monitored according to the VBS script of the application preferred embodiment;
Fig. 7 is the flow chart monitored according to the BAT script of the application preferred embodiment.
Specific embodiment
It should be noted that in the absence of conflict, the features in the embodiments and the embodiments of the present application can phase Mutually combination.The application is described in detail below with reference to the accompanying drawings and in conjunction with the embodiments.
It should be noted that step shown in the flowchart of the accompanying drawings can be in such as a group of computer-executable instructions It is executed in computer system, although also, logical order is shown in flow charts, and it in some cases, can be with not The sequence being same as herein executes shown or described step.
Following embodiment can be applied in computer, such as be applied in PC.Also it can be applied to and use intelligence at present In mobile terminal in energy operating system, and it is not limited to this.For computer or mobile terminal operating system not Particular/special requirement, as long as supporting script operation.For example, following embodiment can be applied in Windows operating system.
A kind of script monitoring method is present embodiments provided, Fig. 1 is the script monitoring method according to the embodiment of the present application Flow chart, as shown in Figure 1, comprising the following steps that
Step S102, the monitoring information that securing component generates during Run Script, wherein the component is operation system System component in system;
Step S104 is monitored the script according to the monitoring information.
System component in operating system can be handled the script in Run Script.In the treatment process, meeting The monitoring information that can be used to be monitored the script is obtained, since the monitoring information is system component to script This dynamic process of reason obtains, compared with static state compares the mode of script plaintext in the related technology, on the one hand, provide one The new script monitor mode of kind, on the other hand, the monitoring information obtained in this way is less susceptible to interference employed in script and arranges The influence applied, to can be improved monitoring effect to a certain extent.
System component may call at least one of in Run Script: the order of bottom, function, other association journeys Sequence.These recalls informations can be exported and execute these orders, function when institute as monitoring information, or by system component The information of generation is as monitoring information, it will be able to realize the monitoring to script, compared to the mode monitored in the related technology, be promoted The effect of monitoring.
There are many mode possibility for obtaining these monitoring informations, provides a kind of preferably mode in the present embodiment: adopting The monitoring information generated during Run Script with the mode securing component of hook system component, for example, can be hooked and be Compiling function in system component, can be with the analytical function in hook system component.At this point, obtaining system component executes the compiling The monitoring information generated during function or the analytical function.
Preferably, the compiling function in system component under normal circumstances can also be decrypted script.Therefore, in script In the case where for encryption script, the compiling function in component can be hooked, the monitoring information generated in this case includes compiling Translate the plaintext for the script that script is decrypted in function.The script obtained in this way is compiled in system component in plain text It is obtained during translating script, the mode compared to the plaintext for using script virtual machine decryption script to obtain is more excellent, for example, making When script being decrypted with script virtual machine, the type for the encryption script that can be decrypted is extremely limited, by using system group Function is compiled in part script is decrypted, the type for more encrypting script can be supported, to improve the effect of monitoring.
For some scripts, the relevant information for the Basic API that the available script calls by way of hook passes through The relevant information of the Basic API is to be monitored the script, and still, there are the following problems for this monitor mode: for example, only leading to The behavior that the script is carried out can not be immediately arrived at by crossing Basic API information sometimes.This is because the order of this kind of script is all high The order of layer encapsulation, for example, netuse order has been used in script, a certain machine in the accessible local area network of the order. But in Basic API, which can be converted to many functions, and it is very difficult to be reduced into netuse order by these functions, So that analyzing the original meaning of its more difficult script function during the script.
Preferably, can be by the way of the analytical function of hook system component for the script of the above-mentioned type, and pass through The process that syntactic analysis is carried out to script obtains the monitoring information monitored for script.The monitoring information may include system group The system command in one or more operating systems that part is called when executing the script.System command therein is different from bottom The readability of API, the system command obtained by syntactic analysis are stronger, convenient for the analysis to the type script.
For example, carrying out syntactic analysis to BAT script by the cmd.exe in Windows operating system for BAT script Later, the BAT script after analysis is divided into one or more orders, and exports these lives before these orders distribute execution It enables to be monitored to BAT script.This mode in the related technology directly to distribute execute after system API link up with The mode of monitoring is directly monitored brought problem to the plaintext of BAT script, such as analysis difficulty causes to monitor greatly Effect is poor, provides preferably solution.
Preferably, the processing movement of above two mode can be carried out respectively to the script before running to script, so Selected from the monitoring information for monitoring script of output afterwards it is relatively good, to be monitored to above-mentioned script.Another ratio Preferably embodiment is: before the compiling function or analytical function in hanging hook assembly, judging the type of script;According to foot This type determines hook compiling function or hook analytical function.For example, the type in script is Microsoft's visualization base In the case where plinth formula VBS script, hook compiling function;In the case where the type of script is batch processing script, hook parsing Function.Also, the function of the type for judging script in the preferred embodiment can by the respective function in operating system Lai It executes.
The present embodiment additionally provides a kind of script monitoring device, which can be used to implement above-mentioned script monitoring method. Fig. 2 is according to the structural block diagram of the script monitoring device of the embodiment of the present application, as shown in Fig. 2, the device includes: to obtain module 22 With monitoring module 24, wherein module 22 is obtained, for the monitoring information that securing component generates during Run Script, In, component is the system component in operating system;Monitoring module 24 is coupled to above-mentioned acquisition module 22, for being believed according to monitoring Breath is monitored script.
By above-mentioned apparatus, the monitoring information generated during Run Script using acquisition 22 securing component of module, Wherein, component is the system component in operating system;The mode that monitoring module 24 is monitored script according to monitoring information.By This, the system component in operating system can be handled the script in Run Script.In the treatment process, it can obtain It can be used to the monitoring information that is monitored to the script, since the monitoring information is that system component is handled to script This dynamic process obtains, compared with static state compares the mode of script plaintext in the related technology, on the one hand, provides a kind of new Script monitor mode, on the other hand, the monitoring information obtained in this way is less susceptible to jamming countermeasure employed in script It influences, to can be improved monitoring effect to a certain extent
It should be understood that module involved in the present embodiment, subelement can be realized by way of software, It can be realized by way of hardware.Wherein described module, subelement can also in the processor, for example, a kind of place Device is managed, including obtains module 22, monitoring module 24.Wherein, these modules, the title of subelement are not constituted in some cases Restriction to the module itself, for example, obtaining module 22 can also be described as " for securing component during Run Script The monitoring information 22 " of generation.
Fig. 3 be according to the preferred structure block diagram one of the script monitoring device of the embodiment of the present application, as shown in figure 3, more preferably, The acquisition module 22 includes: hook subelement 32 and acquisition subelement 34, wherein hook subelement 32, in hanging hook assembly Compiling function or analytical function;Subelement 34 is obtained, above-mentioned hook subelement 32 is coupled to, executes volume for securing component The monitoring information generated during translating function or analytical function.
More preferably, above-mentioned hook subelement 32 is used for the compiling letter in the case where script is to encrypt script in hanging hook assembly Number;Wherein, monitoring information is the plaintext for compiling the script that script is decrypted in function.
More preferably, in the case where linking up with the analytical function in 32 hanging hook assembly of subelement, monitoring information is analytical function What syntactic analysis obtained is carried out to script, monitoring information includes: one or more operation systems that component is called in perform script System command in system.
Fig. 4 be according to the preferred structure block diagram two of the script monitoring device of the embodiment of the present application, as shown in figure 4, more preferably, The script monitoring device further include: judgment module 42 and determining module 44, wherein judgment module 42 is coupled to determining module 44, For judging the type of script;Determining module 44 is coupled to and obtains module 22, for determining hook compiling according to the type of script Function or hook analytical function.
Fig. 5 be according to the preferred structure block diagram three of the script monitoring device of the embodiment of the present application, as shown in figure 5, more preferably, Above-mentioned determining module 44 includes: that the first determining subelement 52 and second determines subelement 54, wherein and first determines subelement 52, It is coupled to and obtains module 22, in the case where for the type in script being that Microsoft visualizes basic formula VBS script, determine Hook compiling function;Second determines subelement 54, is coupled to and obtains module 22, is batch processing script for the type in script In the case of, determine hook analytical function.
It should be noted that script monitoring device described in Installation practice corresponds to above-mentioned embodiment of the method, Concrete implementation process had carried out detailed description in embodiment of the method, and details are not described herein.
In order to keep technical solution and the implementation method of the application clearer, below in conjunction with preferred embodiment in fact Existing process is described in detail.
Preferred embodiment one
In the platform of dynamic analysis, when VBS script obtains operation, using API hook technology, links up with and be used in memory The decryption function of script decryption, the function are located in vbscript.dll module.Wscript.exe is when executing VBS script, meeting Vbscript.dll is loaded as enforcement engine.For being encrypted or unencrypted function (function i.e. in script), it is necessary to pass through After the compiling of vbscript.dll, the code of the script can be just executable by a machine.
Fig. 6 is the flow chart monitored according to the VBS script of the application preferred embodiment, as shown in fig. 6, the process includes such as Lower step:
Step S602, navigates to the function that VBS engine is responsible for compiling, which is located in COleScript::Compile.
Step S604 has one in the compiling function when the normal execution of VBS script proceeds to this compiling function Content pointed by field is exactly the scripted code after compiling.
Step S606 is output to the content after compiling in file, the VBS script after forming a decryption.
Step S608 can report poison for the VBS scripts match virus characteristic after decryption if having virus.
Initiative type safeguard technology is realized by the API of hook system, since the api function of system compares bottom, because This can more completely capture the operation of the progress of corresponding demand for system.
Preferred embodiment two
In the preferred embodiment, to another script file: being illustrated for autoexec.
Autoexec: being under form sequence of maneuvers system (Windows) platform, suffix is the file of .bat.Batch processing File is explained by system process cmd.exe and is executed.
Fig. 7 is the flow chart monitored according to the BAT script of the application preferred embodiment, as shown in fig. 7, the process includes such as Lower step:
Step S702, cmd.exe process carries out syntactic analysis to the BAT file (i.e. autoexec) needed to be implemented.
Step S704, cmd.exe process is split each instruction.
Step S706 obtains right of execution, and print log (log) when cmd.exe process distributes execution.
Step S708, cmd.exe process distributes the instruction after segmentation.
Through the above steps, the execution order of entire BAT script can be got, provides very big side for subsequent analysis Just.
It wherein, is the letter that stdcall Dispatch (x, x) is named as at one when cmd.exe carries out distributing execution to BAT In number (by the symbol table of Microsoft), this function is responsible for carrying out distributing execution to the execution parsed.
This function is there are two parameter, and first parameter is to indicate the type (type) of instruction, and second parameter is one The pointer of structural body, wherein be order performed by BAT pointed by structural body member addr_cmd.In specific implementation, right Parsing (Dispatch) function is linked up with, and when CMD normally goes to Dispatch function, is introduced into processing function.Locating It manages in function, by the field addr_cmd field of structural body cmd_desc_t pointed by the second parameter of Dispatch function Pointed Unicode (UNICODE) character string is written in file and is recorded.
By the technical solution of this preferred embodiment, solves and supervised similar to the process of the script of BAT by API Control and the plaintext directly not applicable problem of matching.
In conclusion improving the effect of monitoring and virus scan according to above-described embodiment and preferred embodiment of the application Fruit.
Obviously, those skilled in the art should be understood that each module of the above invention, each submodule or each step can To be realized with general computing device, they be can be concentrated on a single computing device, or be distributed in multiple calculating dresses On network composed by setting, optionally, they can be realized with the program code that computing device can perform, it is thus possible to will They store and are performed by computing device in the storage device, or they are fabricated to each integrated circuit modules, or Person makes multiple modules or steps in them to single integrated circuit module to realize.In this way, the present invention is not limited to appoint What specific hardware and software combines.
The foregoing is only a preferred embodiment of the present invention, is not intended to restrict the invention, for the skill of this field For art personnel, the invention may be variously modified and varied.All within the spirits and principles of the present invention, made any to repair Change, equivalent replacement, improvement etc., should all be included in the protection scope of the present invention.

Claims (6)

1. a kind of script monitoring method characterized by comprising
The monitoring information that securing component generates during Run Script, wherein the component is the system in operating system Component;
The script is monitored according to the monitoring information;
Wherein, obtaining the monitoring information that the component generates during running the script includes:
Link up with compiling function or the analytical function in the component;
Obtain the monitoring information generated during the component executes the compiling function or the analytical function;
Wherein, before linking up with the compiling function or the analytical function in the component, the method also includes:
Judge the type of the script;
It is determined according to the type of the script and links up with the compiling function or the hook analytical function;
Wherein, in the case where the script is encryption script, the compiling function in the component is linked up with;Wherein, the monitoring Information is the plaintext for the script that the script is decrypted in the compiling function.
2. the method according to claim 1, wherein the case where linking up with the analytical function in the component Under, the monitoring information is that the analytical function obtains script progress syntactic analysis, and the monitoring information includes:
The system command in the one or more operating system that the component is called when executing the script.
3. linking up with the compiling letter the method according to claim 1, wherein determining according to the type of the script It counts or links up with the analytical function and include:
In the case where the type of the script is that Microsoft visualizes basic formula VBS script, determines and link up with the compiling Function;
In the case where the type of the script is batch processing script, determines and link up with the analytical function.
4. a kind of script monitoring device characterized by comprising
Obtain module, the monitoring information generated during Run Script for securing component, wherein the component is operation System component in system;
Monitoring module, for being monitored according to the monitoring information to the script;
Wherein, the acquisition module includes:
Subelement is linked up with, for linking up with compiling function or analytical function in the component;
Subelement is obtained, is generated for obtaining during the component executes the compiling function or the analytical function The monitoring information;
Wherein, described device further include:
Judgment module, for judging the type of the script;
Determining module links up with the compiling function or the hook analytical function for determining according to the type of the script;
Wherein, the hook subelement, for linking up with the compiling in the component in the case where the script is to encrypt script Function;Wherein, the monitoring information is the plaintext for the script that the script is decrypted in the compiling function.
5. device according to claim 4, which is characterized in that described in being linked up in the component in the hook subelement In the case where analytical function, the monitoring information is that the analytical function obtains script progress syntactic analysis, described Monitoring information includes: the system life in the one or more operating system that the component is called when executing the script It enables.
6. device according to claim 4, which is characterized in that the determining module includes: the first determining subelement, is used for In the case where the type of the script is that Microsoft visualizes basic formula VBS script, determines and link up with the compiling function; Second determines subelement, for determining and linking up with the analytical function in the case where the type of the script is batch processing script.
CN201310263489.7A 2013-06-27 2013-06-27 Script monitoring method and device Expired - Fee Related CN104252593B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310263489.7A CN104252593B (en) 2013-06-27 2013-06-27 Script monitoring method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310263489.7A CN104252593B (en) 2013-06-27 2013-06-27 Script monitoring method and device

Publications (2)

Publication Number Publication Date
CN104252593A CN104252593A (en) 2014-12-31
CN104252593B true CN104252593B (en) 2019-07-30

Family

ID=52187479

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310263489.7A Expired - Fee Related CN104252593B (en) 2013-06-27 2013-06-27 Script monitoring method and device

Country Status (1)

Country Link
CN (1) CN104252593B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105303073B (en) * 2015-11-26 2018-07-06 北京深思数盾科技股份有限公司 Software code guard method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1983295A (en) * 2005-12-12 2007-06-20 北京瑞星国际软件有限公司 Method and device for recognizing virus
CN101667230A (en) * 2008-09-02 2010-03-10 北京瑞星国际软件有限公司 Method and device for monitoring script execution

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7636945B2 (en) * 2000-07-14 2009-12-22 Computer Associates Think, Inc. Detection of polymorphic script language viruses by data driven lexical analysis
CN100389391C (en) * 2005-11-24 2008-05-21 北京中星微电子有限公司 System and method for calling host software functions by using script and its compiler
CN101587522B (en) * 2009-06-17 2011-03-23 北京东方微点信息技术有限责任公司 Method and system for identifying script virus

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1983295A (en) * 2005-12-12 2007-06-20 北京瑞星国际软件有限公司 Method and device for recognizing virus
CN101667230A (en) * 2008-09-02 2010-03-10 北京瑞星国际软件有限公司 Method and device for monitoring script execution

Also Published As

Publication number Publication date
CN104252593A (en) 2014-12-31

Similar Documents

Publication Publication Date Title
US10698668B1 (en) Custom code transformations during compilation process
US10402179B1 (en) Application randomization mechanism
US9471288B2 (en) Compile based obfuscation
EP3097509B1 (en) Intercepting and supervising calls to transformed operations and objects
US20140344569A1 (en) Protecting data
EP3502944B1 (en) Detecting script-based malware cross reference to related applications
US20170286644A1 (en) Protection Method and Device for Application Data
Meyerovich et al. Object views: Fine-grained sharing in browsers
CN109347882B (en) Webpage Trojan horse monitoring method, device, equipment and storage medium
CN105022936A (en) Class file encryption and decryption method and class file encryption and decryption device
EP2972828B1 (en) Operating system support for contracts
CN104252594A (en) Virus detection method and device
Soliman et al. Taxonomy of malware analysis in the IoT
US11609985B1 (en) Analyzing scripts to create and enforce security policies in dynamic development pipelines
CN103514405B (en) The detection method of a kind of buffer overflow and system
WO2022078366A1 (en) Application protection method and apparatus, device and medium
CN113779578B (en) Intelligent confusion method and system for mobile terminal application
US10242200B1 (en) Static analysis of vulnerabilities in application packages
KR101557455B1 (en) Application Code Analysis Apparatus and Method For Code Analysis Using The Same
Sayed et al. If-transpiler: Inlining of hybrid flow-sensitive security monitor for JavaScript
CN104252593B (en) Script monitoring method and device
Feichtner A comparative study of misapplied crypto in Android and iOS applications
Jones et al. A service-oriented approach to mobile code security
US10200401B1 (en) Evaluating results of multiple virtual machines that use application randomization mechanism
CN115174192A (en) Application security protection method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190730

Termination date: 20200627