CN104573514A - Compressed file detecting method and device - Google Patents


Info

Publication number: CN104573514A
Authority: CN (China)
Prior art keywords: file, package, fileinfo, footers, compressed
Legal status: Granted
Application number: CN201310521658.2A
Other languages: Chinese (zh)
Other versions: CN104573514B
Inventor: 王爽
Current Assignee: Tencent Technology Shenzhen Co Ltd
Original Assignee: Tencent Technology Shenzhen Co Ltd
Events: application filed by Tencent Technology Shenzhen Co Ltd; priority to CN201310521658.2A; publication of CN104573514A; application granted; publication of CN104573514B; legal status active.


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements


Abstract

An embodiment of the invention discloses a method and device for detecting a compressed file, in the field of computer technology. They address the problem that existing detection approaches for Zip compressed files take a long time over the whole detection process. The method comprises: obtaining the tail section of the compressed file, where the compressed file contains a number of packaged files and the tail section contains the file information of each packaged file; traversing the tail section and selecting the file information of each packaged file from it in turn according to a preset rule; judging whether the file information of the packaged file contains information on the executable file under test; if it does, determining the number of times the executable file's information occurs in the file information of all packaged files; and, if that number exceeds a preset threshold, determining that the executable file is malicious. The method and device are applicable to security detection of compressed files produced with the Zip compression algorithm.

Description

Method and device for detecting a compressed file
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting a compressed file.
Background
With the development of file compression techniques, the Zip compression algorithm has been widely adopted because of its high compression ratio and the broad range of platforms it suits. Files can be compressed with the Zip algorithm to form application packages; for example, the Android installation package (Android Package, APK) used by the Android system is formed with the Zip compression algorithm.
APKs formed by Zip compression are, however, exposed to a vulnerability. For example, in the Android system a malicious executable (such as the classes.dex executable) can be compressed into an APK and ordered before the legitimate executable. When the Android system builds the file mapping table for signature verification, the legitimate executable is overwritten, so the malicious executable mistakenly passes the installation verification step. Taking a forged online-banking application that uses such a malicious executable as an example: after the APK is installed and the malicious executable runs, it can replace the original online-banking login screen with a forged one, which may leak the user's online-banking information. It is therefore especially important to determine whether a Zip compressed file contains a harmful executable. Existing methods for doing so generally need to open the Zip compressed file first, for example to open the APK in the Android system, which requires operations such as file verification, file addressing and file classification, and then to traverse every file in the APK to judge whether a duplicated executable exists.
In current detection approaches for Zip compressed files, the Zip file always has to be opened for file verification, file addressing, file classification and similar operations, so the whole detection process takes a long time.
Summary of the invention
Embodiments of the invention provide a method and device for detecting a compressed file, which solve the problem that the detection process of existing Zip detection approaches takes a long time.
To achieve this, the present invention adopts the following technical scheme:
A method for detecting a compressed file, comprising:
obtaining the tail section of the compressed file, where the compressed file contains a number of packaged files and the tail section contains the file information of each packaged file;
traversing the tail section and selecting the file information of packaged files from it in turn according to a preset rule;
judging whether the file information of the packaged file contains information on the executable file under test;
if the file information of the packaged file contains the executable file's information, determining the number of times that information occurs in the file information of all packaged files;
if that number exceeds a preset threshold, determining that the executable file is malicious.
A device for detecting a compressed file, comprising:
an acquiring unit for obtaining the tail section of the compressed file, where the compressed file contains a number of packaged files and the tail section contains the file information of each packaged file;
a traversal unit for traversing the tail section obtained by the acquiring unit and selecting the file information of packaged files from it in turn according to a preset rule;
a judging unit for judging whether the file information of the packaged file selected by the traversal unit contains information on the executable file under test;
a determining unit for determining, when the judging unit finds the executable file's information in the file information of the packaged file, the number of times that information occurs in the file information of all packaged files;
the determining unit further determining that the executable file is malicious if that number exceeds a preset threshold.
The method and device provided by the embodiments of the present invention obtain the tail section of the compressed file, traverse it, and judge whether the file information of the packaged files contains information on the executable file under test; when it does, they decide whether the executable is malicious from the number of times that information occurs in the file information of all packaged files. The compressed file therefore need not be opened, and security detection can be performed without file verification, file addressing, file classification and the like. In the prior art, by contrast, every detection approach for Zip compressed files opens the Zip file for those operations, so the whole detection process takes a long time. The present invention thus performs security detection of the compressed file while avoiding those operations, and the whole detection process is shorter.
Brief description of the drawings
To describe the technical schemes of the embodiments of the present invention or of the prior art more clearly, the drawings needed for the embodiments or the prior art are briefly introduced below. Clearly, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain further drawings from them without creative effort.
Fig. 1 is a flow chart of the method for detecting a compressed file provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the method for detecting a compressed file provided by a further embodiment of the present invention;
Fig. 3 is a schematic diagram of the duplicated executable file in an embodiment of the present invention;
Fig. 4 is a first structural diagram of the device for detecting a compressed file provided by an embodiment of the present invention;
Fig. 5 is a second structural diagram of the device for detecting a compressed file provided by an embodiment of the present invention.
Detailed description
The technical schemes of the embodiments of the present invention are described clearly and completely below with reference to the drawings. Clearly, the embodiments described are only some of the embodiments of the present invention, not all of them. All other embodiments that those of ordinary skill in the art obtain from them without creative effort fall within the scope of protection of the present invention.
To make the advantages of the technical scheme of the present invention clearer, the present invention is explained in detail below with reference to the drawings and embodiments.
As shown in Fig. 1, the method for detecting a compressed file provided by an embodiment of the present invention comprises:
101. Obtain the tail section of the compressed file.
The compressed file contains a number of packaged files, and the tail section contains the file information of each packaged file. The compressed file is generally one compressed with the Zip algorithm; for example, the installation package (Android Package, APK) in the Android system is formed with the Zip compression algorithm. The tail section of the compressed file generally holds the file information of every packaged file, and that file information includes, for example, a file section marker and a file identifier that indicates the file name and file type.
The tail section of the compressed file can be obtained with a tool such as WinHex, but is not limited to that.
102. Traverse the tail section, selecting the file information of packaged files from it in turn according to a preset rule.
When the tail section is obtained, other sections of the compressed file may be obtained as well, and those other sections lie before the tail section. The preset rule for traversing the tail section may therefore be to traverse from the end of the tail section towards its head, selecting the file information of one packaged file after another.
103. Judge whether the file information of the packaged file contains information on the executable file under test.
Before the compressed file is detected, the executable file to be tested must be determined in advance, for example the classes.dex file in an Android APK. Since classes.dex is an executable whose code may have been modified, it can serve as the executable under test, but the method is not limited to it.
104. If the file information of the packaged file contains the executable file's information, determine the number of times that information occurs in the file information of all packaged files.
The executable file's information includes at least the file identifier of the executable and its file section marker.
105. If the number of times the executable file's information occurs in the file information of all packaged files exceeds a preset threshold, determine that the executable file is malicious.
If that number exceeds the preset threshold, for example a threshold of 1, then at least two executables with the same name exist among the packaged files. When a compressed file, such as a Zip file, contains at least two executables with identical names, that executable can be confirmed to present a risk and is treated as malicious.
It should be noted that the executing body of the embodiment of the present invention is a device for detecting a compressed file, which may run inside an application such as antivirus software, or as an application in its own right on a device such as a smartphone or computer, but is not limited to these.
The method provided by this embodiment obtains and traverses the tail section of the compressed file and decides from the number of occurrences of the executable file's information whether the executable is malicious, so the compressed file is never opened and no file verification, file addressing or file classification is performed; compared with the prior art, which opens the Zip file for those operations, the whole detection process is shorter.
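As an added illustration of the Fig. 1 method (example code written for this page, not the patent's or Tencent's implementation): in the ZIP format the tail section the patent describes is the central directory, whose entries each begin with the signature the patent writes as 504B0102. The script below locates the directory through the end-of-central-directory record, reads every entry name without inflating any data, and applies the patent's threshold rule; it also generalises the single executable under test to a report of every duplicated name. The sample archives are constructed in memory and all function names are my own.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

# Signatures from the ZIP format (PKWARE APPNOTE). The patent's file section
# marker 504B0102 is the central directory file header signature.
EOCD_SIG = b"PK\x05\x06"
CDFH_SIG = b"PK\x01\x02"
EOCD_LEN = 22        # fixed length of the end-of-central-directory record
CDFH_FIXED_LEN = 46  # fixed length of a central directory file header


def central_directory_names(data: bytes) -> list:
    """Entry names from the central directory, read without inflating any entry.

    The EOCD record is found by scanning backwards (a trailing comment of up to
    65535 bytes may follow it); it gives the directory's offset and entry count.
    """
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - EOCD_LEN - 0xFFFF))
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk no, cd disk, entries on disk, total entries, cd size, cd offset, comment len
    _, _, _, _, total, cd_size, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    names, pos, end = [], cd_off, cd_off + cd_size
    for _ in range(total):
        if pos + CDFH_FIXED_LEN > end or data[pos:pos + 4] != CDFH_SIG:
            raise ValueError("central directory truncated or corrupt at offset %d" % pos)
        # name length, extra length and comment length sit at offset 28 of the header
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        raw = data[pos + CDFH_FIXED_LEN:pos + CDFH_FIXED_LEN + name_len]
        names.append(raw.decode("utf-8", "replace"))
        pos += CDFH_FIXED_LEN + name_len + extra_len + comment_len
    return names


def duplicate_entries(data: bytes, threshold: int = 1) -> dict:
    """Every name occurring more than `threshold` times (all entries, not just one target)."""
    counts = Counter(central_directory_names(data))
    return {name: n for name, n in counts.items() if n > threshold}


def is_malicious(data: bytes, target: str = "classes.dex", threshold: int = 1) -> bool:
    """Steps 103-105 of the patent for one executable under test."""
    return Counter(central_directory_names(data))[target] > threshold


def build_sample(duplicate_dex: bool) -> bytes:
    """Constructed in-memory APK-like archive (not a real APK).

    With duplicate_dex a second classes.dex entry is appended, the layout the
    patent treats as malicious.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"A" * 64)
        if duplicate_dex:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile only warns about the duplicate name
                zf.writestr("classes.dex", b"dex\n035\x00" + b"B" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for dup in (False, True):
        apk = build_sample(dup)
        print(central_directory_names(apk), duplicate_entries(apk), is_malicious(apk))
```

The point of counting rather than checking presence: a name-keyed lookup such as zipfile's getinfo() returns only one of the two classes.dex entries, so the duplicate is invisible to code that asks "is classes.dex present?" but obvious to code that walks the directory entry by entry.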
A more specific embodiment is given below. As shown in Fig. 2, the method for detecting a compressed file provided by a further embodiment of the present invention comprises:
201. Obtain the tail section of the compressed file.
The compressed file contains a number of packaged files, and the tail section contains the file information of each packaged file. The compressed file is generally one compressed with the Zip algorithm; for example, the APK installation package in the Android system is formed with the Zip compression algorithm. The tail section generally holds the file information of every packaged file, and that file information includes, for example, a file section marker and a file identifier that indicates the file name and file type. The tail section can be obtained with a tool such as WinHex, but is not limited to that.
202. Traverse the tail section, selecting the file information of packaged files from it in turn according to a preset rule.
When the tail section is obtained, other sections of the compressed file may be obtained as well, and those other sections lie before the tail section. The preset rule for traversing the tail section may therefore be to traverse from the end of the tail section towards its head, selecting the file information of one packaged file after another.
203. Judge whether the file information of the packaged file contains a preset section marker. If it does, go to step 204; if it does not, return to step 202.
The preset section marker indicates that the file information of this packaged file belongs to the tail section. When the tail section is obtained, the preset marker may be a file section marker or a tail-start marker. The file section marker indicates that the data recorded after it is the file information of a packaged file; the tail-start marker indicates that the data following it belongs to the tail section, and it is the opening mark of the tail section. For example, in hexadecimal the tail-start marker may be preset as "504B0708" and the file section marker as "504B0102"; if the markers of the other sections do not contain "504B", then the presence of "504B" in a piece of file information confirms that it contains a preset section marker.
204. Judge whether the section marker is a file section marker. If it is, go to step 205; if it is not, go to step 206.
205. Judge whether the file information of the packaged file contains the file identifier. If it does, go to step 207; if it does not, return to step 202.
Once the section marker is determined to be a file section marker, it must still be judged whether the packaged file is the executable under test. Concretely, this is judged by whether the file information of the packaged file contains the file identifier, which indicates the name and file type of the corresponding packaged file. The file information of the packaged file also records further information such as the storage path of that packaged file.
206. Judge whether the section marker is a tail-start marker. If it is, go to step 210; if it is not, return to step 202.
207. Determine the number of times the file identifier occurs in the file information of all packaged files and judge whether that number exceeds a preset threshold. If it does, go to step 208; if it does not, go to step 209.
208. Determine that the executable file is malicious.
If the number of times the file identifier occurs in the file information of all packaged files exceeds the preset threshold, for example a threshold of 1, then at least two executables with the same name exist among the packaged files. When a compressed file, such as a Zip file, contains at least two executables with identical names, that executable can be confirmed to present a risk and is treated as malicious. For example, as shown in Fig. 3, the APK file contains two classes.dex files, so classes.dex presents a risk and one of the two classes.dex files is malicious.
209. Determine that the executable file is not malicious.
210. Stop the detection of the compressed file and determine that none of the packaged files of the compressed file is malicious.
Specifically, when the section marker is determined to be the tail-start marker: since the tail-start marker is the opening mark of the whole tail section, and the traversal of step 202 generally proceeds from the end of the tail section towards its head, reaching the tail-start marker means the traversal is complete, so detection of the compressed file stops.
It should be noted that the executing body of this embodiment is a device for detecting a compressed file, which may run inside an application such as antivirus software, or as an application in its own right on a device such as a smartphone or computer, but is not limited to these.
The method provided by this further embodiment likewise obtains and traverses the tail section of the compressed file and decides from the number of occurrences of the executable file's information whether the executable is malicious, without opening the compressed file or performing file verification, file addressing or file classification, so the whole detection process is shorter than in the prior art.
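The Fig. 2 flow as an added example (my code, not the patent's): a backward scan over the tail of the archive that treats 504B0102 as the file section marker and 504B0708 as the tail-start marker, reads each entry's name as the file identifier, counts the executable under test, and stops when the tail-start marker is reached (steps 202 to 210). The sample archive is constructed in streaming mode so that it actually contains 504B0708 data descriptors; the sink class and function names are mine.

```python
import struct
import warnings
import zipfile

# Markers the patent gives as hex strings, mapped here to the ZIP format:
FILE_HEADER_MARK = bytes.fromhex("504B0102")  # file section marker: central directory file header
TAIL_START_MARK = bytes.fromhex("504B0708")   # tail-start marker: data descriptor signature
NAME_LEN_OFFSET = 28   # offset of the name-length field inside a central directory header
HEADER_FIXED_LEN = 46  # fixed part of a central directory header


class _WriteOnlySink:
    """Constructed write-only stream (no tell/seek), so zipfile emits data descriptors."""

    def __init__(self):
        self.chunks = []

    def write(self, b):
        self.chunks.append(bytes(b))
        return len(b)

    def flush(self):
        pass

    def close(self):
        pass


def build_streamed_sample(duplicate_dex: bool) -> bytes:
    """Constructed APK-like archive written in streaming mode, entries stored uncompressed."""
    sink = _WriteOnlySink()
    entries = [("AndroidManifest.xml", b"<manifest/>"),
               ("classes.dex", b"dex\n035\x00" + b"A" * 32)]
    if duplicate_dex:
        entries.append(("classes.dex", b"dex\n035\x00" + b"B" * 32))
    with zipfile.ZipFile(sink, "w") as zf, warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
        for name, payload in entries:
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))  # fixed date, ZIP_STORED
            zf.writestr(info, payload)
    return b"".join(sink.chunks)


def scan_tail(data: bytes, target: str, tail_bytes: int = 65536):
    """Steps 202-210: walk the last `tail_bytes` from the end toward the head.

    Each file section marker yields the entry's name (the file identifier),
    which is compared with `target`; the tail-start marker ends the traversal.
    Returns (occurrences of target, whether the tail-start marker was reached).
    """
    tail = data[-tail_bytes:]
    count = 0
    pos = len(tail)
    while True:
        header = tail.rfind(FILE_HEADER_MARK, 0, pos)  # steps 202/203: next preset marker, backwards
        start = tail.rfind(TAIL_START_MARK, 0, pos)
        if header < 0 and start < 0:
            return count, False  # head of buffer reached without a tail-start marker
        if start > header:
            return count, True   # steps 206/210: tail-start marker reached, traversal complete
        if header + HEADER_FIXED_LEN > len(tail):
            pos = header         # not a complete header; keep scanning
            continue
        # steps 204/205: a file section marker; read the file identifier (entry name)
        name_len = struct.unpack_from("<H", tail, header + NAME_LEN_OFFSET)[0]
        name_start = header + HEADER_FIXED_LEN
        name = tail[name_start:name_start + name_len].decode("utf-8", "replace")
        if name == target:
            count += 1
        pos = header


def classify(data: bytes, target: str = "classes.dex", threshold: int = 1) -> str:
    """Steps 207-209: the patent's threshold decision for the executable under test."""
    count, _ = scan_tail(data, target)
    return "malicious" if count > threshold else "not malicious"


if __name__ == "__main__":
    for dup in (False, True):
        sample = build_streamed_sample(dup)
        print(dup, scan_tail(sample, "classes.dex"), classify(sample))
```

One caveat for anyone turning this into a detector: in the ZIP specification 504B0708 is the data descriptor signature, written only when bit 3 of the general-purpose flag is set, so an archive produced with seekable output (the common case) carries no such marker at all. The scan above therefore also terminates at the head of the buffer, and a production implementation would bound the scan by the central directory offset from the end-of-central-directory record rather than by a fixed tail length.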
Corresponding to the detection methods of Fig. 1 and Fig. 2 above, an embodiment of the device for detecting a compressed file is given below. As shown in Fig. 4, the device provided by an embodiment of the present invention comprises:
an acquiring unit 31 for obtaining the tail section of the compressed file, where the compressed file contains a number of packaged files and the tail section contains the file information of each packaged file;
a traversal unit 32 for traversing the tail section obtained by the acquiring unit 31 and selecting the file information of packaged files from it in turn according to a preset rule;
a judging unit 33 for judging whether the file information of the packaged file selected by the traversal unit 32 contains information on the executable file under test;
a determining unit 34 for determining, when the judging unit 33 finds the executable file's information in the file information of the packaged file, the number of times that information occurs in the file information of all packaged files;
the determining unit 34 further determining that the executable file is malicious if that number exceeds a preset threshold.
Further, as shown in Fig. 5, the judging unit 33 is also for judging whether the file information of the packaged file selected by the traversal unit 32 contains a preset section marker.
Further, the judging unit 33 is also for judging, when a preset section marker is found in the file information of the packaged file, whether that section marker is a file section marker.
Specifically, the executable file's information comprises a file identifier, and the judging unit 33 is for judging, when the section marker is determined to be a file section marker, whether the file information of the packaged file contains the file identifier.
The determining unit 34 is for determining, when the file identifier is found in the file information of the packaged file, the number of times the file identifier occurs in the file information of all packaged files, and for determining that the executable file is malicious if that number exceeds a preset threshold.
As shown in Fig. 5, the judging unit 33 is also for judging, when the section marker is determined not to be a file section marker, whether it is a tail-start marker.
As shown in Fig. 5, the device for detecting a compressed file also comprises a stopping unit 35 for stopping the detection of the compressed file when the judging unit 33 determines that the section marker is a tail-start marker.
The determining unit 34 is also for determining that none of the packaged files of the compressed file is malicious.
It should be noted that the device for detecting a compressed file of the embodiment of the present invention may run inside an application such as antivirus software, or as an application in its own right on a device such as a smartphone or computer, but is not limited to these.
The device provided by the embodiment of the present invention detects in the same way as the methods above: it obtains and traverses the tail section and decides from the number of occurrences of the executable file's information whether the executable is malicious, without opening the compressed file or performing file verification, file addressing or file classification, so the whole detection process is shorter than in the prior art.
Through the description of the embodiments above, those skilled in the art will clearly understand that the present invention can be implemented by software together with the necessary general-purpose hardware, or of course by hardware alone, though in many cases the former is the better implementation. On that understanding, the technical scheme of the present invention, or the part of it that contributes over the prior art, can be embodied as a software product stored on a readable storage medium such as a computer floppy disk, hard disk or optical disc, containing instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the method described in each embodiment of the present invention.
The above is only a specific embodiment of the present invention, and the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the present invention falls within the scope of protection of the present invention. The scope of protection of the present invention is therefore defined by the scope of the claims.

Claims (14)

1. A detection method for a compressed file, characterized in that it comprises:
obtaining the tail segment of the compressed file, where the compressed file comprises inner files and the tail segment comprises the file information of each inner file;
traversing the tail segment and selecting from it, in turn and according to a preset rule, the file information of one inner file;
judging whether the file information of the inner file contains information of an executable file to be detected;
if the file information of the inner file contains the information of the executable file, determining the number of times the executable file information occurs in the file information of all the inner files;
if the number of times the executable file information occurs in the file information of all the inner files is greater than a predetermined threshold, determining that the executable file is a malicious file.
2. The detection method for a compressed file according to claim 1, characterized in that, before judging whether the file information of the inner file contains information of an executable file to be detected, the method comprises:
judging whether the file information of the inner file contains a preset segment marker.
3. The detection method for a compressed file according to claim 2, characterized in that, after judging whether the file information of the inner file contains a preset segment marker, the method comprises:
if it is determined that the file information of the inner file contains the preset segment marker, judging whether the segment marker is a file segment marker.
4. The detection method for a compressed file according to claim 3, characterized in that the information of the executable file comprises a file flag bit; and
judging whether the file information of the inner file contains information of an executable file to be detected comprises:
if it is determined that the segment marker is the file segment marker, judging whether the file information of the inner file contains the file flag bit.
5. The detection method for a compressed file according to claim 4, characterized in that, if the file information of the inner file contains the information of the executable file, determining the number of times the executable file information occurs in the file information of all the inner files comprises:
if it is determined that the file information of the inner file contains the file flag bit, determining the number of times the file flag bit occurs in the file information of all the inner files; and
if the number of times the executable file information occurs in the file information of all the inner files is greater than a predetermined threshold, determining that the executable file is a malicious file comprises:
if the number of times the file flag bit occurs in the file information of all the inner files is greater than a predetermined threshold, determining that the executable file is a malicious file.
6. The detection method for a compressed file according to claim 3, characterized in that, after judging whether the segment marker is a file segment marker, the method comprises:
if it is determined that the segment marker is not the file segment marker, judging whether the segment marker is a tail segment marker.
7. The detection method for a compressed file according to claim 6, characterized in that, after judging whether the segment marker is a tail segment marker, the method comprises:
if it is determined that the segment marker is the tail segment marker, stopping the detection of the compressed file and determining that none of the inner files of the compressed file is a malicious file.
8. A detection device for a compressed file, characterized in that it comprises:
an acquiring unit, for obtaining the tail segment of the compressed file, where the compressed file comprises inner files and the tail segment comprises the file information of each inner file;
a traversal unit, for traversing the tail segment obtained by the acquiring unit and selecting from it, in turn and according to a preset rule, the file information of one inner file;
a judging unit, for judging whether the file information of the inner file selected by the traversal unit contains information of an executable file to be detected;
a determining unit, for determining, when the judging unit determines that the file information of the inner file contains the information of the executable file, the number of times the executable file information occurs in the file information of all the inner files;
the determining unit being further for determining that the executable file is a malicious file if the number of times the executable file information occurs in the file information of all the inner files is greater than a predetermined threshold.
9. The detection device for a compressed file according to claim 8, characterized in that the judging unit is further for:
judging whether the file information of the inner file selected by the traversal unit contains a preset segment marker.
10. The detection device for a compressed file according to claim 9, characterized in that the judging unit is further for:
if it is determined that the file information of the inner file contains the preset segment marker, judging whether the segment marker is a file segment marker.
11. The detection device for a compressed file according to claim 10, characterized in that the information of the executable file comprises a file flag bit; and
the judging unit is for:
if it is determined that the segment marker is the file segment marker, judging whether the file information of the inner file contains the file flag bit.
12. The detection device for a compressed file according to claim 11, characterized in that the determining unit is for:
if it is determined that the file information of the inner file contains the file flag bit, determining the number of times the file flag bit occurs in the file information of all the inner files; and
if the number of times the file flag bit occurs in the file information of all the inner files is greater than a predetermined threshold, determining that the executable file is a malicious file.
13. The detection device for a compressed file according to claim 10, characterized in that the judging unit is further for:
if it is determined that the segment marker is not the file segment marker, judging whether the segment marker is a tail segment marker.
14. The detection device for a compressed file according to claim 13, characterized in that it further comprises:
a stop unit, for stopping the detection of the compressed file if the judging unit determines that the segment marker is the tail segment marker;
the determining unit being further for determining that none of the inner files of the compressed file is a malicious file.
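An added worked example, not from the patent, of the walk over the tail segment that claims 1 to 7 describe. It assumes the compressed file is a ZIP archive, so the tail segment is the central directory, the file segment marker is the central directory file header signature and the tail segment marker is the end-of-central-directory signature; the executable criterion (a file-name suffix, standing in for the unspecified file flag bit) and the threshold of 3 are hypothetical choices.

```python
import io
import struct
import zipfile

# ZIP signatures mapped onto the claims' terms (assumption: the compressed file is a ZIP)
CDFH_SIG = b"PK\x01\x02"  # central directory file header = "file segment marker"
EOCD_SIG = b"PK\x05\x06"  # end of central directory record = "tail segment marker"
# The claims leave the executable criterion ("file flag bit") open; a name-suffix
# check is used here as a hypothetical stand-in.
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def count_executable_entries(data: bytes) -> int:
    """Walk the tail segment (central directory) and count executable entries.

    Returns -1 when no tail segment marker is present, i.e. not a usable ZIP tail.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) < eocd + 22:
        return -1
    # EOCD after the signature: disk, cd_disk, entries_here, entries_total (2 bytes each),
    # cd_size, cd_offset (4 bytes each), comment_len (2 bytes)
    fields = struct.unpack("<4H2IH", data[eocd + 4:eocd + 22])
    pos = fields[5]  # offset of the first central directory file header
    count = 0
    # Step through file segment markers; stop at the first non-marker (normally the EOCD).
    while data[pos:pos + 4] == CDFH_SIG:
        name_len, extra_len, comment_len = struct.unpack("<3H", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if name.lower().endswith(EXEC_SUFFIXES):
            count += 1
        pos += 46 + name_len + extra_len + comment_len
    return count


def is_malicious(data: bytes, threshold: int = 3) -> bool:
    """Claim 1's decision: more executable entries than the (assumed) threshold."""
    return count_executable_entries(data) > threshold


def build_sample_zip(exe_copies: int) -> bytes:
    """Constructed sample archive: one text file plus exe_copies executable-named entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        for i in range(exe_copies):
            zf.writestr(f"payload{i}.exe", b"MZ" + bytes(8))
    return buf.getvalue()
```

`is_malicious(build_sample_zip(5))` returns True while `build_sample_zip(2)` is judged clean; a buffer with no end-of-central-directory record yields -1, so a truncated tail is reported as unusable rather than as clean.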
Application CN201310521658.2A, priority date 2013-10-29, filing date 2013-10-29: The detection method and device of compressed file. Status: Active. Granted publication: CN104573514B (en).
Publications (2)

Publication Number, Publication Date
CN104573514A (en), 2015-04-29
CN104573514B (en), 2018-09-04

Family

ID=53089552

Legal Events

Code, Description
C06, Publication
PB01, Publication
C10, Entry into substantive examination
SE01, Entry into force of request for substantive examination
GR01, Patent grant