CN104679495B - Software identification method and device - Google Patents
- Publication number
- CN104679495B (application CN201310632296.4A)
- Authority
- CN
- China
- Prior art keywords
- function
- user
- dis
- executable file
- assembling
- Prior art date
- Legal status (as listed on Google Patents; not a legal conclusion)
- Active
Claims (19)
- 1. A software identification method, characterised in that it comprises: performing disassembly processing on the executable file of the software to be identified; determining the type of the compiler used by the disassembled executable file; extracting, according to the type of the compiler, the user-defined functions in the disassembled executable file; generating the characteristic values to be identified that correspond to the user-defined functions; determining the number of matches between the characteristic values to be identified and the characteristic values stored in a feature database, wherein the feature database stores the characteristic values corresponding to user-defined functions extracted from malware, and the characteristic values stored in the feature database have the same data length as the characteristic values to be identified; and determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of characteristic values to be identified.
- 2. The method according to claim 1, characterised in that generating the characteristic values to be identified corresponding to the user-defined functions comprises: compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function; determining, from the instruction sequence, the addresses of the first functions called by the user-defined function, wherein the first functions comprise library functions and/or API functions; determining the names of the first functions from their addresses; replacing the addresses of the first functions in the instruction sequence with the names of the corresponding first functions; and applying a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with the names of the corresponding first functions, so as to form the characteristic value to be identified corresponding to the user-defined function.
- 3. The method according to claim 1, characterised in that the type of the compiler used by the disassembled executable file is determined by extracting the program entry function or by extracting the PE (Portable Executable) byte table.
- 4. The method according to claim 1, characterised in that the attribute of the software to be identified comprises: normal software, malware, software leaning toward normal, or software leaning toward malware.
- 5. The method according to any one of claims 1-4, characterised in that, when the compiler used by the disassembled executable file is determined to be of the MFC type, extracting the user-defined functions in the disassembled executable file according to the type of the compiler comprises: determining the rdata section in the disassembled executable file; determining the virtual tables in the rdata section; removing the overridden MFC class virtual functions from the virtual functions corresponding to the virtual tables; and taking the remaining virtual functions as the user-defined functions in the disassembled executable file.
- 6. The method according to claim 5, characterised in that extracting the user-defined functions in the disassembled executable file according to the type of the compiler further comprises: determining the message loop list in the rdata section; determining the message loop handler function structure according to the message loop list, and then extracting the message loop handler functions according to the message loop handler function structure; after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the virtual tables, traversing the message loop handler functions and the remaining virtual functions to obtain the called functions; and taking the remaining virtual functions as the user-defined functions in the disassembled executable file comprises: taking the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
- 7. The method according to any one of claims 1-4, characterised in that, when the compiler used by the disassembled executable file is determined to be of the VB type, extracting the user-defined functions in the disassembled executable file according to the type of the compiler comprises: determining the file header structure according to the program entry code of the disassembled executable file; parsing the file header structure to determine the event handling function structure of the disassembled executable file; extracting the event handling functions in the disassembled executable file according to the event handling function structure; traversing the event handling functions to obtain the called functions; and taking the obtained called functions as the user-defined functions in the disassembled executable file.
- 8. The method according to any one of claims 1-4, characterised in that, when the compiler used by the disassembled executable file is determined to be of the Delphi type, extracting the user-defined functions in the disassembled executable file according to the type of the compiler comprises: determining the first section table of the disassembled executable file; scanning at the first section table to determine the file header structure; parsing the file header structure to determine the event handling function structure; extracting the event handling functions in the disassembled executable file according to the event handling function structure; traversing the event handling functions to obtain the called functions; and taking the obtained called functions as the user-defined functions in the disassembled executable file.
- 9. The method according to any one of claims 1-4, characterised in that, when the compiler used by the disassembled executable file is determined to be of the E language type, extracting the user-defined functions in the disassembled executable file according to the type of the compiler comprises: determining the linking mode of the compiler of the E language type; when the linking mode is determined to be static linking, scanning the address range from the start address to the end address to determine the starting point of the event handling functions, determining the event handling functions in the disassembled executable file according to the starting point, traversing the event handling functions to obtain the called functions, and taking the called functions as the user-defined functions in the disassembled executable file, wherein the start address is the address of the entry code section of the disassembled executable file and the end address is the address at which the second sequence is located; and when the linking mode is determined to be dynamic linking, performing a specific operation on each code section, the specific operation comprising: determining the entry structure by means of a predetermined feature code; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the starting point of the event handling functions; determining the event handling functions in the disassembled executable file according to the starting point; traversing the event handling functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file, wherein the predetermined feature code is a mark made on the code section when the linking mode is determined to be the dynamic linking mode.
- 10. The method according to any one of claims 1-4, characterised in that, when the compiler used by the disassembled executable file is determined to be of a non-framework type, extracting the user-defined functions in the disassembled executable file according to the type of the compiler comprises: starting from the entry code section of the disassembled executable file, performing the following operation on each code section: scanning the functions in the code section, wherein, when a scanned function is an export function, continuing to scan the functions called by the export function; and removing, from the scanned functions, the functions that belong to library functions, and determining the remaining functions as the user-defined functions in the disassembled executable file.
- 11. A software identification device, characterised in that it comprises: a disassembly module, for performing disassembly processing on the executable file of the software to be identified; a type determination module, for determining the type of the compiler used by the disassembled executable file; a user-defined function extraction module, for extracting, according to the type of the compiler, the user-defined functions in the disassembled executable file; a characteristic value generation module, for generating the characteristic values to be identified corresponding to the user-defined functions; a match count determination module, for determining the number of matches between the characteristic values to be identified and the characteristic values stored in a feature database, wherein the feature database stores the characteristic values corresponding to user-defined functions extracted from malware, and the characteristic values stored in the feature database have the same data length as the characteristic values to be identified; and an attribute determination module, for determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of characteristic values to be identified.
- 12. The device according to claim 11, characterised in that the characteristic value generation module comprises: an instruction sequence obtaining unit, for compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function; a first function address determination unit, for determining, from the instruction sequence, the addresses of the first functions called by the user-defined function, wherein the first functions comprise library functions and/or API functions; a first function name determination unit, for determining the names of the first functions from their addresses; a replacement unit, for replacing the addresses of the first functions in the instruction sequence with the names of the corresponding first functions; and a characteristic value generation unit, for applying a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with the names of the corresponding first functions, so as to form the characteristic value to be identified, of preset data length, corresponding to the user-defined function.
- 13. The device according to claim 11, characterised in that the type determination module comprises: a first type determination unit, for determining the type of the compiler used by the disassembled executable file by extracting the program entry function; or a second type determination unit, for determining the type of the compiler used by the disassembled executable file by extracting the PE byte table.
- 14. The device according to any one of claims 11-13, characterised in that the user-defined function extraction module comprises: a first user-defined function extraction sub-module corresponding to the compiler of the MFC type, wherein the first user-defined function extraction sub-module comprises: an rdata section determination unit, for determining the rdata section in the disassembled executable file; a virtual table determination unit, for determining the virtual tables in the rdata section; a virtual function removal unit, for removing the overridden MFC class virtual functions from the virtual functions corresponding to the virtual tables; and a user-defined function determination unit, for taking the remaining virtual functions as the user-defined functions in the disassembled executable file.
- 15. The device according to claim 14, characterised in that the first user-defined function extraction sub-module further comprises: a message loop list determination unit, for determining the message loop list in the rdata section; a message loop handler function extraction unit, for determining the message loop handler function structure according to the message loop list, and then extracting the message loop handler functions according to the message loop handler function structure; and a called function extraction unit, for traversing the message loop handler functions and the remaining virtual functions, after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the virtual tables, to obtain the called functions; the user-defined function determination unit being for taking the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
- 16. The device according to any one of claims 11-13, characterised in that the user-defined function extraction module comprises: a second user-defined function extraction sub-module corresponding to the compiler of the VB type, wherein the second user-defined function extraction sub-module comprises: a file header structure determination unit, for determining the file header structure according to the program entry code of the disassembled executable file; an event handling function structure determination unit, for parsing the file header structure to determine the event handling function structure of the disassembled executable file; an event handling function extraction unit, for extracting the event handling functions in the disassembled executable file according to the event handling function structure; a called function acquisition unit, for traversing the event handling functions to obtain the called functions; and a user-defined function determination unit, for taking the obtained called functions as the user-defined functions in the disassembled executable file.
- 17. The device according to any one of claims 11-13, characterised in that the user-defined function extraction module comprises: a third user-defined function extraction sub-module corresponding to the compiler of the Delphi type, wherein the third user-defined function extraction sub-module comprises: a first section table determination unit, for determining the first section table of the disassembled executable file; a file header structure determination unit, for scanning at the first section table to determine the file header structure; an event handling function structure determination unit, for parsing the file header structure to determine the event handling function structure; an event handling function extraction unit, for extracting the event handling functions in the disassembled executable file according to the event handling function structure; a called function acquisition unit, for traversing the event handling functions to obtain the called functions; and a user-defined function determination unit, for taking the obtained called functions as the user-defined functions in the disassembled executable file.
- 18. The device according to any one of claims 11-13, characterised in that the user-defined function extraction module comprises: a fourth user-defined function extraction sub-module corresponding to the compiler of the E language type, wherein the fourth user-defined function extraction sub-module comprises: a linking mode determination unit, for determining the linking mode of the compiler of the E language type, triggering a first user-defined function determination unit when the linking mode is determined to be static linking, and triggering a second user-defined function determination unit when the linking mode is determined to be dynamic linking; the first user-defined function determination unit, for scanning the address range from the start address to the end address to determine the starting point of the event handling functions, determining the event handling functions in the disassembled executable file according to the starting point, traversing the event handling functions to obtain the called functions, and taking the called functions as the user-defined functions in the disassembled executable file, wherein the start address is the address of the entry code section of the disassembled executable file and the end address is the address at which the second sequence is located; and the second user-defined function determination unit, for performing a specific operation on each code section, the specific operation comprising: determining the entry structure by means of a predetermined feature code; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the starting point of the event handling functions; determining the event handling functions in the disassembled executable file according to the starting point; traversing the event handling functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file, wherein the predetermined feature code is a mark made on the code section when the linking mode is determined to be the dynamic linking mode.
- 19. The device according to any one of claims 11-13, characterised in that the user-defined function extraction module comprises: a fifth user-defined function extraction sub-module corresponding to the compiler of a non-framework type, wherein the fifth user-defined function extraction sub-module is for, starting from the entry code section of the disassembled executable file, performing the following operation on each code section: scanning the functions in the code section, wherein, when a scanned function is an export function, continuing to scan the functions called by the export function; and removing, from the scanned functions, the functions that belong to library functions, and determining the remaining functions as the user-defined functions in the disassembled executable file.
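The core of claims 1, 2 and 10, as an added Python example that is not part of the patent or of any implementation by the applicant: call addresses in a user-defined function's instruction sequence are replaced with the names of the library/API functions they resolve to, a fixed-length characteristic value is computed over the normalised sequence, the values are counted against a feature database, and the match ratio is mapped to the four attributes of claim 4; a second helper applies the claim 10 rule for non-framework binaries (follow the callees of export functions, drop library functions). The sample instructions, the address table, the feature database, the choice of truncated SHA-256 as the "preset algorithm" and the classification thresholds are all assumptions constructed for illustration; the claims fix none of them.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: two disassembled user-defined functions, one instruction
# per entry. Call targets are raw addresses, as a disassembler would emit them.
SAMPLE_FUNCTIONS: Dict[str, List[str]] = {
    "sub_401000": ["push ebp", "mov ebp, esp", "call 0x402010",
                   "call 0x402020", "pop ebp", "ret"],
    "sub_401100": ["push ebp", "mov ebp, esp", "call 0x402030",
                   "xor eax, eax", "pop ebp", "ret"],
}

# Constructed address -> name table for library/API functions (hypothetical addresses).
ADDRESS_TABLE: Dict[int, str] = {
    0x402010: "kernel32!CreateFileW",
    0x402020: "kernel32!WriteFile",
    0x402030: "msvcrt!strlen",
}

CALL_RE = re.compile(r"^call\s+(0x[0-9a-fA-F]+)$")
FEATURE_BYTES = 16  # preset data length shared by every characteristic value (assumption)


def normalize(instructions: List[str], table: Dict[int, str]) -> List[str]:
    """Replace each called library/API address with the function's name (claim 2).

    Calls whose address is not in the table are left untouched; the claim only
    substitutes names for library and API functions.
    """
    out = []
    for ins in instructions:
        m = CALL_RE.match(ins)
        if m and int(m.group(1), 16) in table:
            out.append(f"call {table[int(m.group(1), 16)]}")
        else:
            out.append(ins)
    return out


def feature_value(instructions: List[str], table: Dict[int, str]) -> str:
    """Preset algorithm (assumed here: SHA-256 truncated to FEATURE_BYTES) over the
    normalised instruction sequence, so every value has the same data length."""
    seq = "\n".join(normalize(instructions, table)).encode()
    return hashlib.sha256(seq).hexdigest()[: FEATURE_BYTES * 2]


# Constructed feature database: values of user-defined functions taken from known
# malware. One entry is deliberately identical to sub_401000 above.
KNOWN_MALICIOUS: Dict[str, List[str]] = {
    "mal_writer": ["push ebp", "mov ebp, esp", "call 0x402010",
                   "call 0x402020", "pop ebp", "ret"],
    "mal_other": ["push esi", "call 0x402030", "pop esi", "ret"],
}
MALWARE_DB: Set[str] = {feature_value(i, ADDRESS_TABLE) for i in KNOWN_MALICIOUS.values()}


def match_count(features: Iterable[str], db: Set[str]) -> Tuple[int, int, float]:
    """Matches found in the database, total values to be identified, and the ratio."""
    feats = list(features)
    if any(len(f) != FEATURE_BYTES * 2 for f in feats):
        raise ValueError("characteristic values must share the database's data length")
    matches = sum(1 for f in feats if f in db)
    return matches, len(feats), (matches / len(feats) if feats else 0.0)


def classify(ratio: float) -> str:
    """Map the match ratio to the four attributes of claim 4.
    The thresholds are assumptions; the claims do not fix them."""
    if ratio >= 0.8:
        return "malware"
    if ratio >= 0.5:
        return "leans malware"
    if ratio >= 0.2:
        return "leans normal"
    return "normal"


def identify(functions: Dict[str, List[str]], table: Dict[int, str], db: Set[str]) -> dict:
    """Claim 1 end to end, given already extracted user-defined functions."""
    feats = [feature_value(ins, table) for ins in functions.values()]
    matches, total, ratio = match_count(feats, db)
    return {"matches": matches, "total": total, "ratio": ratio, "attribute": classify(ratio)}


def user_functions_non_framework(sections: List[List[str]], exports: Set[str],
                                 callees: Dict[str, List[str]], library: Set[str]) -> List[str]:
    """Claim 10: from the entry code section onward, scan each section's functions,
    follow the callees of export functions, and drop library functions."""
    seen: List[str] = []
    for section in sections:  # sections are given in order, entry section first
        for fn in section:
            for name in [fn] + (callees.get(fn, []) if fn in exports else []):
                if name not in library and name not in seen:
                    seen.append(name)
    return seen


if __name__ == "__main__":
    print(identify(SAMPLE_FUNCTIONS, ADDRESS_TABLE, MALWARE_DB))
```

Because the hash covers names rather than addresses, the same function compiled at a different base address (or with a different import table layout) yields the same characteristic value, which is the property the address-to-name replacement in claim 2 buys; calls to functions that are not library or API functions remain address-dependent in this form.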
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310632296.4A CN104679495B (en) | 2013-12-02 | 2013-12-02 | software identification method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310632296.4A CN104679495B (en) | 2013-12-02 | 2013-12-02 | software identification method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104679495A CN104679495A (en) | 2015-06-03 |
CN104679495B true CN104679495B (en) | 2018-04-27 |
Family
ID=53314613
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310632296.4A Active CN104679495B (en) | 2013-12-02 | 2013-12-02 | software identification method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104679495B (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107305495A (en) * | 2016-04-19 | 2017-10-31 | 华为技术有限公司 | Realize the method and terminal of software installation packet function modification |
CN109558731B (en) * | 2017-09-26 | 2022-04-08 | 腾讯科技(深圳)有限公司 | Feature code processing method, device and storage medium |
CN109977976B (en) * | 2017-12-28 | 2023-04-07 | 腾讯科技(深圳)有限公司 | Executable file similarity detection method and device and computer equipment |
CN111368296A (en) * | 2019-06-27 | 2020-07-03 | 北京关键科技股份有限公司 | Source code file matching rate analysis method |
CN111522699B (en) * | 2020-04-14 | 2023-05-23 | 杭州斯凯数据科技集团有限公司 | Detection method for target memory change caused by VMP instruction |
CN114047929B (en) * | 2022-01-12 | 2022-05-03 | 广东省科技基础条件平台中心 | Knowledge enhancement-based user defined function identification method, device and medium |
CN114741131B (en) * | 2022-04-02 | 2023-08-15 | 深圳软牛科技有限公司 | Hiding method, device, equipment and storage medium for dynamic library derived symbol |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1818863A (en) * | 2006-03-13 | 2006-08-16 | 浙江大学 | Static library decompiling recognition of built-in software |
CN102708320A (en) * | 2012-05-04 | 2012-10-03 | 奇智软件(北京)有限公司 | Method and device for recognition of virus APK (android package) |
CN102799493A (en) * | 2012-06-21 | 2012-11-28 | 北京伸得纬科技有限公司 | Method for intercepting target progress with self-protection |
CN103268445A (en) * | 2012-12-27 | 2013-08-28 | 武汉安天信息技术有限责任公司 | Android malicious code detection method based on OpCode and system thereof |
JP5325072B2 (en) * | 2009-10-22 | 2013-10-23 | 日本電信電話株式会社 | Matrix decomposition apparatus, matrix decomposition method and program |
- 2013-12-02: CN CN201310632296.4A patent/CN104679495B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN104679495A (en) | 2015-06-03 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| CB02 | Change of applicant information | Address after: 100041 Beijing, Shijingshan District Xing Xing street, building 30, No. 3, building 2, A-0071. Applicant after: Beijing Cheetah Mobile Technology Co., Ltd.; BEIJING LIEBAO NETWORK TECHNOLOGY CO., LTD. Address before: 100041 Beijing city Shijingshan District Badachu high tech Park West Wells Road No. 3 Building No. 3 1100A. Applicant before: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY CO., LTD.; Beijing Kingsoft Internet Science and Technology Co., Ltd. |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 2018-12-18. Address after: Room 105-53967, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province. Patentee after: Zhuhai Seal Fun Technology Co., Ltd. Address before: 100041 A-0071 2, 3 building, 30 Shixing street, Shijingshan District, Beijing. Co-patentee before: BEIJING LIEBAO NETWORK TECHNOLOGY CO., LTD. Patentee before: Beijing Cheetah Mobile Technology Co., Ltd. |