CN104573514B - Detection method and device for compressed files - Google Patents

Publication number
CN104573514B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310521658.2A
Other languages
Chinese (zh)
Other versions
CN104573514A (en)
Inventor
王爽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

An embodiment of the invention discloses a detection method and device for compressed files, relating to the field of computer technology, to solve the problem that the current way of detecting Zip compressed files makes the whole detection process take a long time. The method includes: obtaining the tail paging of a compressed file, where the compressed file includes in-package files and the tail paging includes the file information of each in-package file; traversing the tail paging and selecting the file information of the in-package files one by one from the tail paging according to a preset rule; judging whether the file information of the in-package file contains information of an executable file to be tested; if it does, determining the number of times the executable file information occurs in the file information of all in-package files; and if that number is greater than a predetermined threshold, determining that the executable file is a malicious file. The invention is suitable for security detection of files compressed with the Zip compression algorithm.

Description

Detection method and device for compressed files
Technical field
The present invention relates to the field of computer technology, and in particular to a detection method and device for compressed files.
Background
With the development of file compression technology, the Zip compression algorithm has become widely recognized for advantages such as a high compression ratio and support on many platforms. Files can be compressed with the Zip compression algorithm to form application packages and the like; for example, the Android installation package (Android Package, APK for short) in the Android system is formed with the Zip compression algorithm.
APKs formed by compressing files with the Zip compression algorithm currently have a vulnerability. For example, in the Android system, a malicious executable file (such as the executable file classes.dex) is compressed into the APK and ordered before the legitimate executable file. When the Android system builds the signature-verification file mapping table, the legitimate executable file can be mistakenly overwritten, so that the malicious executable file bypasses the installation verification step. The installed APK then uses the malicious executable file as its running instance; for example, once the malicious executable file runs, a forged online-banking login interface replaces the original online-banking login interface, leaking the user's online-banking information. It is therefore important to determine whether a Zip compressed file contains a harmful executable file. Current methods for determining whether a Zip compressed file contains a malicious executable file generally have to open the Zip compressed file first, for example open the APK in the Android system, which requires operations such as file verification, file addressing and file classification, and then traverse every file in the APK to judge whether a duplicated executable file exists.
In the current way of detecting Zip compressed files, the Zip compressed file must be opened in order to perform file verification, file addressing, file classification and similar operations, which makes the whole detection process take a long time.
Summary of the invention
Embodiments of the present invention provide a detection method and device for compressed files that can solve the prior-art problem that the current way of detecting Zip compressed files makes the detection process take a long time.
To achieve the above objective, the present invention adopts the following technical solutions:
A detection method for compressed files, including:
Obtaining the tail paging of a compressed file, where the compressed file includes in-package files and the tail paging includes the file information of each in-package file;
Traversing the tail paging and selecting the file information of the in-package files one by one from the tail paging according to a preset rule;
Judging whether the file information of the in-package file contains information of an executable file to be tested;
If the file information of the in-package file contains the information of the executable file, determining the number of times the executable file information occurs in the file information of all in-package files;
If the number of times the executable file information occurs in the file information of all in-package files is greater than a predetermined threshold, determining that the executable file is a malicious file.
A detection device for compressed files, including:
An acquiring unit, configured to obtain the tail paging of a compressed file, where the compressed file includes in-package files and the tail paging includes the file information of each in-package file;
A traversal unit, configured to traverse the tail paging obtained by the acquiring unit and select the file information of the in-package files one by one from the tail paging according to a preset rule;
A judging unit, configured to judge whether the file information of the in-package file selected by the traversal unit contains information of an executable file to be tested;
A determination unit, configured to determine, when the judging unit determines that the file information of the in-package file contains the information of the executable file, the number of times the executable file information occurs in the file information of all in-package files;
The determination unit is further configured to determine that the executable file is a malicious file if the number of times the executable file information occurs in the file information of all in-package files is greater than a predetermined threshold.
The detection method and device for compressed files provided in the embodiments of the present invention obtain the tail paging of a compressed file, traverse the tail paging, and judge whether the file information of an in-package file in the compressed file contains information of the executable file to be tested. When it does, the number of times the executable file information occurs in the file information of all in-package files is determined in order to judge whether the executable file is a malicious file. The compressed file therefore does not need to be opened, and its security can be checked without operations such as file verification, file addressing and file classification. In the prior art, by contrast, detecting a Zip compressed file requires opening it to perform file verification, file addressing, file classification and similar operations, which makes the whole detection process take a long time. The present invention can therefore check the security of a compressed file without those operations, and the whole detection process takes less time.
Description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the detection method for compressed files provided in an embodiment of the present invention;
Fig. 2 is a flow chart of the detection method for compressed files provided in another embodiment of the present invention;
Fig. 3 is a schematic diagram of a duplicated executable file in an embodiment of the present invention;
Fig. 4 is structural schematic diagram one of the detection device for compressed files provided in an embodiment of the present invention;
Fig. 5 is structural schematic diagram two of the detection device for compressed files provided in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
To make the advantages of the technical solution of the present invention clearer, the present invention is described in detail below with reference to the drawings and embodiments.
As shown in Fig. 1, the detection method for compressed files provided in an embodiment of the present invention includes:
101. Obtain the tail paging of the compressed file.
The compressed file includes in-package files, and the tail paging includes the file information of each in-package file. The compressed file is generally a file compressed with the Zip compression algorithm; for example, the installation package (Android Package, APK for short) in the Android system is formed with the Zip compression algorithm. The tail paging of the compressed file generally contains the file information of each in-package file of the compressed file. The file information includes, for example, a file paging mark and a file mark bit that indicates the file name and type.
The tail paging of the compressed file can be obtained with tools such as winhex, but is not limited to this.
102. Traverse the tail paging and select the file information of the in-package files one by one from the tail paging according to a preset rule.
When the tail paging is obtained, other pagings of the compressed file may be obtained as well. These other pagings come before the tail paging, so when traversing the tail paging the preset rule can be to traverse from the tail of the tail paging toward its head, selecting the file information of the in-package files one by one.
103. Judge whether the file information of the in-package file contains information of the executable file to be tested.
Before the compressed file is detected, the executable file that needs to be tested, that is, the executable file to be tested, must be determined in advance, for example the classes.dex file in an Android APK. Because classes.dex is an executable file whose code may have been modified, classes.dex can serve as the executable file to be tested, but the method is not limited to this.
104. If the file information of the in-package file contains the information of the executable file, determine the number of times the executable file information occurs in the file information of all in-package files.
The information of the executable file includes at least the file mark bit of the executable file, the paging mark of the executable file, and so on.
105. If the number of times the executable file information occurs in the file information of all in-package files is greater than a predetermined threshold, determine that the executable file is a malicious file.
If the number of times the executable file information occurs in the file information of all in-package files is greater than a predetermined threshold, for example a predetermined threshold of 1, then at least two executable files with the same name exist among the in-package files. In a compressed file, for example a Zip compressed file, if at least two executable files with the same name exist, it can be confirmed that the executable file is a risk and is a malicious file.
It is worth noting that the executing entity of this embodiment of the present invention is a detection device for compressed files, which can run in application programs such as antivirus software, but is not limited to this. Alternatively, the detection device for compressed files can itself run as an application program on devices such as smartphones and computers.
The detection method for compressed files provided in this embodiment of the present invention obtains the tail paging of a compressed file, traverses the tail paging, and judges whether the file information of an in-package file in the compressed file contains information of the executable file to be tested. When it does, the number of times the executable file information occurs in the file information of all in-package files is determined in order to judge whether the executable file is a malicious file. The compressed file therefore does not need to be opened, and its security can be checked without operations such as file verification, file addressing and file classification. In the prior art, by contrast, detecting a Zip compressed file requires opening it to perform file verification, file addressing, file classification and similar operations, which makes the whole detection process take a long time. The present invention can therefore check the security of a compressed file without those operations, and the whole detection process takes less time.
A more specific embodiment is set out below. As shown in Fig. 2, the detection method for compressed files provided in another embodiment of the present invention includes:
201. Obtain the tail paging of the compressed file.
The compressed file includes in-package files, and the tail paging includes the file information of each in-package file. The compressed file is generally a file compressed with the Zip compression algorithm; for example, the installation package APK in the Android system is formed with the Zip compression algorithm. The tail paging of the compressed file generally contains the file information of each in-package file of the compressed file. The file information includes, for example, a file paging mark and a file mark bit that indicates the file name and type. The tail paging of the compressed file can be obtained with tools such as winhex, but is not limited to this.
202. Traverse the tail paging and select the file information of the in-package files one by one from the tail paging according to a preset rule.
When the tail paging is obtained, other pagings of the compressed file may be obtained as well. These other pagings come before the tail paging, so when traversing the tail paging the preset rule can be to traverse from the tail of the tail paging toward its head, selecting the file information of the in-package files one by one.
203. Judge whether the file information of the in-package file contains a preset paging mark. If it does, execute step 204; if it does not, return to step 202.
The preset paging mark indicates that the file information of the in-package file belongs to the tail paging. When the tail paging is obtained, the preset paging mark can be a file paging mark or a tail paging mark. The file paging mark indicates that the data recorded after it is the file information of an in-package file. The tail paging mark indicates that all data after it belongs to the tail paging; it is the start mark of the tail paging. For example, expressed in hexadecimal, the tail paging mark is preset to "50 4B 07 08" and the file paging mark is preset to "50 4B 01 02". If the paging marks of the other pagings do not contain "50 4B", then the presence of "50 4B" in the file information confirms that the file information contains a preset paging mark.
204. Judge whether the paging mark is the file paging mark. If it is, execute step 205; if it is not, execute step 206.
205. Judge whether the file information of the in-package file contains the file mark bit. If it does, execute step 207. If it does not, return to step 202.
When the paging mark is determined to be the file paging mark, it is also necessary to judge whether the in-package file is the executable file to be tested. This is done by judging whether the file information of the in-package file contains the file mark bit, which indicates the name and file type of the corresponding in-package file. The file information of the in-package file also records information such as the storage path of the in-package file.
206. Judge whether the paging mark is the tail paging mark. If it is, execute step 210; if it is not, return to step 202.
207. Determine the number of times the file mark bit occurs in the file information of all in-package files, and judge whether that number is greater than a predetermined threshold. If the number is greater than the predetermined threshold, execute step 208. If the number is not greater than the predetermined threshold, execute step 209.
208. Determine that the executable file is a malicious file.
If the number of times the file mark bit occurs in the file information of all in-package files is greater than a predetermined threshold, for example a predetermined threshold of 1, then at least two executable files with the same name exist among the in-package files. In a compressed file, for example a Zip compressed file, if at least two executable files with the same name exist, it can be confirmed that the executable file is a risk and is a malicious file. For example, as shown in Fig. 3, the APK file contains two classes.dex files, so classes.dex is a risk and one of the classes.dex files is a malicious file.
209. Determine that the executable file is not a malicious file.
210. Terminate the detection of the compressed file, and determine that none of the in-package files of the compressed file is a malicious file.
Specifically, the tail paging mark is the start mark of the whole tail paging, and the traversal of the tail paging in step 202 generally proceeds from the tail of the tail paging toward its head. Determining that the paging mark is the tail paging mark therefore means that the traversal is complete, and the detection of the compressed file is terminated.
It is worth noting that the executing entity of this embodiment of the present invention is a detection device for compressed files, which can run in application programs such as antivirus software, but is not limited to this. Alternatively, the detection device for compressed files can itself run as an application program on devices such as smartphones and computers.
The detection method for compressed files provided in this other embodiment of the present invention obtains the tail paging of a compressed file, traverses the tail paging, and judges whether the file information of an in-package file in the compressed file contains information of the executable file to be tested. When it does, the number of times the executable file information occurs in the file information of all in-package files is determined in order to judge whether the executable file is a malicious file. The compressed file therefore does not need to be opened, and its security can be checked without operations such as file verification, file addressing and file classification. In the prior art, by contrast, detecting a Zip compressed file requires opening it to perform file verification, file addressing, file classification and similar operations, which makes the whole detection process take a long time. The present invention can therefore check the security of a compressed file without those operations, and the whole detection process takes less time.
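The flow of steps 201 to 210, as an added example that is not code from the patent: it reads only the end of the archive, walks the entries that begin with the file paging mark `50 4B 01 02`, and counts entries named `classes.dex` against the threshold of 1. It assumes a standard single-file ZIP layout and locates the entries through the ZIP format's end-of-central-directory record (`50 4B 05 06`) instead of the backward byte scan described above; the function names and the sample archives are constructed for illustration.

```python
import io
import struct
import warnings
import zipfile
from collections import Counter

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory record (ZIP format, not from the patent)
CDFH_SIG = b"PK\x01\x02"  # per-entry header, the page's file paging mark "50 4B 01 02"
EOCD_MIN = 22             # size of the end record without its trailing comment
CDFH_FIXED = 46           # size of the fixed part of a per-entry header


def read_central_directory(fh):
    """Return the raw entry table, reading only the tail of the archive.

    Zip64 and multi-disk archives are out of scope for this example.
    """
    fh.seek(0, io.SEEK_END)
    size = fh.tell()
    tail_len = min(size, EOCD_MIN + 0xFFFF)  # end record plus largest comment
    fh.seek(size - tail_len)
    tail = fh.read(tail_len)
    pos = tail.rfind(EOCD_SIG)
    if pos < 0 or pos + EOCD_MIN > len(tail):
        raise ValueError("end-of-central-directory record not found")
    cd_size, cd_offset = struct.unpack_from("<II", tail, pos + 12)
    if cd_offset + cd_size > size - tail_len + pos:
        raise ValueError("entry table overlaps the end record")
    fh.seek(cd_offset)
    return fh.read(cd_size)


def entry_names(cd):
    """Yield the file name of every entry in the table, in stored order."""
    cur = 0
    while cur < len(cd):
        if cur + CDFH_FIXED > len(cd) or cd[cur:cur + 4] != CDFH_SIG:
            raise ValueError("malformed entry at offset %d" % cur)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", cd, cur + 28)
        name_end = cur + CDFH_FIXED + name_len
        if name_end > len(cd):
            raise ValueError("entry name runs past the entry table")
        yield cd[cur + CDFH_FIXED:name_end].decode("utf-8", "replace")
        cur = name_end + extra_len + comment_len


def repeated_executables(fh, targets=("classes.dex",), threshold=1):
    """Map each target name to its count when the count exceeds the threshold."""
    names = entry_names(read_central_directory(fh))
    counts = Counter(n for n in names if n in targets)
    return {name: c for name, c in counts.items() if c > threshold}


def build_sample(names):
    """Constructed sample: an in-memory archive with the given entry names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w") as zf:
            for i, name in enumerate(names):
                zf.writestr(name, b"constructed payload %d" % i)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    suspicious = build_sample(
        ["AndroidManifest.xml", "classes.dex", "classes.dex", "resources.arsc"])
    clean = build_sample(["AndroidManifest.xml", "classes.dex"])
    print("suspicious:", repeated_executables(suspicious))
    print("clean:", repeated_executables(clean))
```
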
Corresponding to the detection methods for compressed files described in Fig. 1 and Fig. 2 above, an embodiment of the detection device for compressed files is set out below. As shown in Fig. 4, the detection device for compressed files provided in an embodiment of the present invention includes:
An acquiring unit 31, configured to obtain the tail paging of a compressed file. The compressed file includes in-package files, and the tail paging includes the file information of each in-package file.
A traversal unit 32, configured to traverse the tail paging obtained by the acquiring unit 31 and select the file information of the in-package files one by one from the tail paging according to a preset rule.
A judging unit 33, configured to judge whether the file information of the in-package file selected by the traversal unit 32 contains information of the executable file to be tested.
A determination unit 34, configured to determine, when the judging unit 33 determines that the file information of the in-package file contains the information of the executable file, the number of times the executable file information occurs in the file information of all in-package files.
The determination unit 34 is further configured to determine that the executable file is a malicious file if the number of times the executable file information occurs in the file information of all in-package files is greater than a predetermined threshold.
Further, as shown in Fig. 5, the judging unit 33 is further configured to:
Judge whether the file information of the in-package file selected by the traversal unit 32 contains a preset paging mark.
Further, the judging unit 33 is further configured to:
If it is determined that the file information of the in-package file contains the preset paging mark, judge whether the paging mark is the file paging mark.
Specifically, the information of the executable file includes a file mark bit, and the judging unit 33 is configured to:
If it is determined that the paging mark is the file paging mark, judge whether the file information of the in-package file contains the file mark bit.
The determination unit 34 is configured to:
If it is determined that the file information of the in-package file contains the file mark bit, determine the number of times the file mark bit occurs in the file information of all in-package files.
If the number of times the file mark bit occurs in the file information of all in-package files is greater than a predetermined threshold, determine that the executable file is a malicious file.
As shown in Fig. 5, the judging unit 33 is further configured to:
If it is determined that the paging mark is not the file paging mark, judge whether the paging mark is the tail paging mark.
As shown in Fig. 5, the detection device for compressed files further includes:
A terminating unit 35, configured to terminate the detection of the compressed file if the judging unit 33 determines that the paging mark is the tail paging mark.
The determination unit 34 is further configured to determine that none of the in-package files of the compressed file is a malicious file.
It is worth noting that the detection device for compressed files of this embodiment of the present invention can run in application programs such as antivirus software, but is not limited to this. Alternatively, the detection device for compressed files can itself run as an application program on devices such as smartphones and computers.
The detection device for compressed files provided in this embodiment of the present invention obtains the tail paging of a compressed file, traverses the tail paging, and judges whether the file information of an in-package file in the compressed file contains information of the executable file to be tested. When it does, the number of times the executable file information occurs in the file information of all in-package files is determined in order to judge whether the executable file is a malicious file. The compressed file therefore does not need to be opened, and its security can be checked without operations such as file verification, file addressing and file classification. In the prior art, by contrast, detecting a Zip compressed file requires opening it to perform file verification, file addressing, file classification and similar operations, which makes the whole detection process take a long time. The present invention can therefore check the security of a compressed file without those operations, and the whole detection process takes less time.
From the above description of the embodiments, a person skilled in the art can clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware, and of course also by hardware, although the former is the better implementation in many cases. Based on this understanding, the part of the technical solution of the present invention that is essential, or that contributes to the prior art, can be embodied in the form of a software product. The computer software product is stored in a readable storage medium, such as a computer floppy disk, hard disk or optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute the methods described in the embodiments of the present invention.
The above is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited to it. Any change or replacement that a person skilled in the art can readily think of within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. The protection scope of the present invention shall therefore be subject to the protection scope of the claims.

Claims (14)

1. a kind of detection method of compressed file, which is characterized in that including:
Obtain the tail portion paging of compressed file;The compressed file includes each package-in file, and the tail portion paging includes each The fileinfo of package-in file;
The tail portion paging is traversed, selects the fileinfo of package-in file successively according to preset rules from the tail portion paging;
Judge that whether there is or not the information of executable file to be measured in the fileinfo of the package-in file;
If there is the information of the executable file in the fileinfo of the package-in file, determine that the executable file information exists The number occurred in the fileinfo of each package-in file;
If the number that the executable file information occurs in the fileinfo of each package-in file is more than a predetermined threshold, Then determine that the executable file is malicious file.
2. The detection method for a compressed file according to claim 1, characterized in that, before judging whether the file information of the package-in file contains information of an executable file to be detected, the method comprises:
judging whether the file information of the package-in file contains a preset paging mark.
3. The detection method for a compressed file according to claim 2, characterized in that, after judging whether the file information of the package-in file contains a preset paging mark, the method comprises:
if it is determined that the file information of the package-in file contains the preset paging mark, judging whether the paging mark is a file paging mark.
4. The detection method for a compressed file according to claim 3, characterized in that the information of the executable file comprises a file mark bit;
judging whether the file information of the package-in file contains information of an executable file to be detected comprises:
if it is determined that the paging mark is the file paging mark, judging whether the file information of the package-in file contains the file mark bit.
5. The detection method for a compressed file according to claim 4, characterized in that, if the file information of the package-in file contains the information of the executable file, determining the number of times the executable file information occurs in the file information of the package-in files comprises:
if it is determined that the file information of the package-in file contains the file mark bit, determining the number of times the file mark bit occurs in the file information of the package-in files;
if the number of times the executable file information occurs in the file information of the package-in files is more than a predetermined threshold, determining that the executable file is a malicious file comprises:
if the number of times the file mark bit occurs in the file information of the package-in files is more than a predetermined threshold, determining that the executable file is a malicious file.
6. The detection method for a compressed file according to claim 3, characterized in that, after judging whether the paging mark is a file paging mark, the method comprises:
if it is determined that the paging mark is not the file paging mark, judging whether the paging mark is a tail portion paging mark.
7. The detection method for a compressed file according to claim 6, characterized in that, after judging whether the paging mark is a tail portion paging mark, the method comprises:
if it is determined that the paging mark is the tail portion paging mark, terminating the detection of the compressed file, and determining that there is no malicious file among the package-in files of the compressed file.
8. A detection device for a compressed file, characterized by comprising:
an acquiring unit, configured to obtain the tail portion paging of a compressed file, wherein the compressed file comprises package-in files and the tail portion paging comprises the file information of each package-in file;
a traversal unit, configured to traverse the tail portion paging obtained by the acquiring unit, and to select the file information of the package-in files in turn from the tail portion paging according to a preset rule;
a judging unit, configured to judge whether the file information of the package-in file selected by the traversal unit contains information of an executable file to be detected;
a determination unit, configured to determine, when the judging unit determines that the file information of the package-in file contains the information of the executable file, the number of times the executable file information occurs in the file information of the package-in files;
the determination unit is further configured to determine that the executable file is a malicious file if the number of times the executable file information occurs in the file information of the package-in files is more than a predetermined threshold.
9. The detection device for a compressed file according to claim 8, characterized in that the judging unit is further configured to:
judge whether the file information of the package-in file selected by the traversal unit contains a preset paging mark.
10. The detection device for a compressed file according to claim 9, characterized in that the judging unit is further configured to:
if it is determined that the file information of the package-in file contains the preset paging mark, judge whether the paging mark is a file paging mark.
11. The detection device for a compressed file according to claim 10, characterized in that the information of the executable file comprises a file mark bit;
the judging unit is configured to:
if it is determined that the paging mark is the file paging mark, judge whether the file information of the package-in file contains the file mark bit.
12. The detection device for a compressed file according to claim 11, characterized in that the determination unit is configured to:
if it is determined that the file information of the package-in file contains the file mark bit, determine the number of times the file mark bit occurs in the file information of the package-in files;
if the number of times the file mark bit occurs in the file information of the package-in files is more than a predetermined threshold, determine that the executable file is a malicious file.
13. The detection device for a compressed file according to claim 10, characterized in that the judging unit is further configured to:
if it is determined that the paging mark is not the file paging mark, judge whether the paging mark is a tail portion paging mark.
14. The detection device for a compressed file according to claim 13, characterized by further comprising:
a terminating unit, configured to terminate the detection of the compressed file if the judging unit determines that the paging mark is the tail portion paging mark;
the determination unit is further configured to determine that there is no malicious file among the package-in files of the compressed file.
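The method of claims 1 to 7, as an added example that is not part of the patent text. It assumes the compressed file is a ZIP archive, that the tail portion paging is the ZIP central directory, that the file paging mark and tail portion paging mark are the `PK\x01\x02` and `PK\x05\x06` signatures, and that the executable file information is the entry name `classes.dex` with a threshold of 1; all function and constant names are hypothetical.

```python
import io
import struct
import warnings
import zipfile

# Assumed ZIP equivalents of the claim terms (not stated in the claims).
FILE_PAGING_MARK = b"PK\x01\x02"  # central directory file header
TAIL_PAGING_MARK = b"PK\x05\x06"  # end of central directory record


def detect_compressed_file(data, target=b"classes.dex", threshold=1):
    """Walk the central directory; return True once `target` is listed
    more than `threshold` times, False when the tail mark is reached."""
    eocd = data.rfind(TAIL_PAGING_MARK)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("no end-of-central-directory record")
    # Offset 16 of that record holds the start of the central directory.
    (pos,) = struct.unpack_from("<I", data, eocd + 16)
    seen = 0
    while True:
        mark = data[pos:pos + 4]
        if mark == TAIL_PAGING_MARK:      # claim 7: stop, nothing found
            return False
        # Claims 2 and 3 only cover the two marks; rejecting anything
        # else is this example's choice.
        if mark != FILE_PAGING_MARK or pos + 46 > len(data):
            raise ValueError(f"bad or truncated entry at offset {pos}")
        # Name, extra and comment lengths sit at offsets 28, 30 and 32.
        n, e, c = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46:pos + 46 + n] == target:
            seen += 1
            if seen > threshold:          # claim 1: over the threshold
                return True
        pos += 46 + n + e + c


def build_sample(names):
    """Constructed test archive; zipfile permits duplicate entry names."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # silence "Duplicate name"
        with zipfile.ZipFile(buf, "w") as zf:
            for name in names:
                zf.writestr(name, b"constructed payload")
    return buf.getvalue()


if __name__ == "__main__":
    print(detect_compressed_file(build_sample(["a.xml", "classes.dex"])))
    print(detect_compressed_file(
        build_sample(["classes.dex", "a.xml", "classes.dex"])))
```

The check reads only the central directory, so it never decompresses entry data.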
CN201310521658.2A 2013-10-29 2013-10-29 The detection method and device of compressed file Active CN104573514B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310521658.2A CN104573514B (en) 2013-10-29 2013-10-29 The detection method and device of compressed file

Publications (2)

Publication Number Publication Date
CN104573514A CN104573514A (en) 2015-04-29
CN104573514B true CN104573514B (en) 2018-09-04

Family

ID=53089552

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310521658.2A Active CN104573514B (en) 2013-10-29 2013-10-29 The detection method and device of compressed file

Country Status (1)

Country Link
CN (1) CN104573514B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106610971B (en) * 2015-10-21 2020-04-07 腾讯科技(深圳)有限公司 ZIP compressed file identification determination method and device
CN107292171A (en) * 2016-04-13 2017-10-24 阿里巴巴集团控股有限公司 Method, method for detecting virus and device for recognizing compressed file subtype
CN106055363B (en) 2016-05-31 2017-11-14 广东欧珀移动通信有限公司 A kind of method and mobile terminal for identifying file
CN111352912B (en) * 2020-03-10 2024-04-12 Oppo广东移动通信有限公司 Compressed file processing method, device, storage medium, terminal and server
CN112580057A (en) * 2020-12-17 2021-03-30 光通天下网络科技股份有限公司 Attack vulnerability detection method, device, equipment and medium for ZIP encrypted compressed packet
CN114003907A (en) * 2021-11-05 2022-02-01 安天科技集团股份有限公司 Malicious file detection method and device, computing equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100073126A (en) * 2008-12-22 2010-07-01 한국전자통신연구원 Apparatus and method for detecting malicious code using packed file properties
CN102594809A (en) * 2012-02-07 2012-07-18 奇智软件(北京)有限公司 Method and system for rapidly scanning files
CN103294953A (en) * 2012-12-27 2013-09-11 武汉安天信息技术有限责任公司 Detection method and system of mobile phone malicious code

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007117636A2 (en) * 2006-04-06 2007-10-18 Smobile Systems, Inc. Malware detection system and method for comprssed data on mobile platforms

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant