CN104679495B - software identification method and device - Google Patents

Info

Publication number: CN104679495B
Authority: CN (China)
Legal status: Active
Application number: CN201310632296.4A
Other languages: Chinese (zh)
Other versions: CN104679495A
Inventors: 王鑫, 姚辉, 刘桂峰
Current assignee: Zhuhai Seal Fun Technology Co., Ltd.
Original assignees: Beijing Liebao Network Technology Co Ltd; Beijing Cheetah Mobile Technology Co Ltd
Application filed by Beijing Liebao Network Technology Co Ltd and Beijing Cheetah Mobile Technology Co Ltd
Priority to CN201310632296.4A
Publication of CN104679495A
Application granted
Publication of CN104679495B

Abstract

An embodiment of the invention discloses a software identification method and device. The software identification method includes: disassembling the executable file of the software to be identified; determining the type of compiler used to produce the disassembled executable file; extracting, according to the compiler type, the user-defined functions in the disassembled executable file; generating the feature value to be identified corresponding to each user-defined function; determining the number of matches between the feature values to be identified and the feature values stored in a feature database, where the feature database stores the feature values corresponding to user-defined functions extracted from malware, and the feature values stored in the feature database have the same data length as the feature values to be identified; and determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of feature values to be identified. Compared with the prior art, the way this scheme extracts feature values makes them more characteristic of the software, thereby improving the accuracy of software identification.

Description

Software identification method and device
Technical field
The present invention relates to the field of software identification, and in particular to a software identification method and device.
Background technology
With the rapid development of science and technology, the influence of numerous and varied electronic devices on people's work and lives keeps growing. At the same time, the ever larger scale of software and the cumbersome division of labour make the quality of software products hard to guarantee, which brings increasingly serious software security risks. Methods for distinguishing normal software from malware have therefore always received much attention.
Existing software identification methods divide the disassembled executable file into several code segments, extract feature values from those code segments, and match them against the feature values in a feature database built in advance from malware; the identification result is determined according to the matching result.
However, in existing software identification methods the feature values carry little functional meaning, so they generalize poorly. At the same time, a malware author can change the code segments by packing the executable file, inserting junk instructions, reordering code or modifying the entry point, thereby evading existing identification methods; worse, a malware author only needs to add some new functions on top of the original code for the original features to disappear, so that the malware can no longer be identified.
In summary, the accuracy with which existing software identification methods identify software is not high.
Summary of the invention
In view of the above problems, embodiments of the invention disclose a software identification method and device to improve the accuracy of software identification. The technical solution is as follows:
In a first aspect, an embodiment of the invention provides a software identification method, including:
disassembling the executable file of the software to be identified;
determining the type of compiler used to produce the disassembled executable file;
extracting, according to the compiler type, the user-defined functions in the disassembled executable file;
generating the feature value to be identified corresponding to each user-defined function;
determining the number of matches between the feature values to be identified and the feature values stored in a feature database, where the feature database stores the feature values corresponding to user-defined functions extracted from malware, and the feature values stored in the feature database have the same data length as the feature values to be identified;
determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of feature values to be identified.
Optionally, generating the feature value to be identified corresponding to the user-defined function includes:
compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
determining, from the instruction sequence, the addresses of the first functions called by the user-defined function, where the first functions include library functions and/or API functions;
determining the names of the first functions from their addresses;
replacing the addresses of the first functions in the instruction sequence with the names of the corresponding first functions;
applying a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with their names, so as to form the feature value to be identified corresponding to the user-defined function.
Optionally, the type of compiler used to produce the disassembled executable file is determined by extracting the program entry function or by extracting the PE (Portable Executable) byte table.
Optionally, the attribute of the software to be identified includes: normal software, malware, leaning-normal software or leaning-malicious software.
Optionally, when the compiler used to produce the disassembled executable file is determined to be of the MFC type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
determining the .rdata section in the disassembled executable file;
determining the virtual function tables (vtables) in the .rdata section;
removing, from the virtual functions corresponding to the vtables, the overridden MFC class virtual functions;
taking the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, extracting the user-defined functions in the disassembled executable file according to the compiler type further includes:
determining the message loop list in the .rdata section;
determining the message loop handler function structure according to the message loop list, and then extracting the message loop handler functions according to that structure;
after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the vtables, traversing the message loop handler functions and the remaining virtual functions to obtain the called functions;
and taking the remaining virtual functions as the user-defined functions in the disassembled executable file includes:
taking the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, when the compiler used to produce the disassembled executable file is determined to be of the VB type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
determining the file header structure according to the program entry code of the disassembled executable file;
parsing the file header structure to determine the event handler function structure of the disassembled executable file;
extracting the event handler functions in the disassembled executable file according to the event handler function structure;
traversing the event handler functions to obtain the called functions;
taking the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, when the compiler used to produce the disassembled executable file is determined to be of the Delphi type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
determining the first section table of the disassembled executable file;
scanning at the first section table to determine the file header structure;
parsing the file header structure to determine the event handler function structure;
extracting the event handler functions in the disassembled executable file according to the event handler function structure;
traversing the event handler functions to obtain the called functions;
taking the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, when the compiler used to produce the disassembled executable file is determined to be of the E language type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
determining the linking mode of the compiler of the E language type;
when the linking mode is determined to be static linking, scanning the address range from a start address to an end address to determine the starting points of event handler functions; determining, according to the starting points, the event handler functions in the disassembled executable file; traversing the event handler functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file; where the start address is the address of the entry code section of the disassembled executable file and the end address is the address of the second sequence;
when the linking mode is determined to be dynamic linking, performing a specific operation on each code section, the specific operation including: determining the entry structure by means of a predetermined signature; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the starting points of event handler functions; determining, according to the starting points, the event handler functions in the disassembled executable file; traversing the event handler functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file; where the predetermined signature is a mark placed on a code section when the linking mode is determined to be dynamic linking.
Optionally, when the compiler used to produce the disassembled executable file is determined to be of the non-framework type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
starting from the entry code section of the disassembled executable file, performing the following operation on each code section:
scanning the functions in the code section, where, when a scanned function is an exported function, the functions called by that exported function continue to be scanned;
removing, from the scanned functions, those that are library functions, and determining the remaining functions as the user-defined functions in the disassembled executable file.
In a second aspect, an embodiment of the invention further provides a software identification device, including:
a disassembly module, configured to disassemble the executable file of the software to be identified;
a type determination module, configured to determine the type of compiler used to produce the disassembled executable file;
a user-defined function extraction module, configured to extract, according to the compiler type, the user-defined functions in the disassembled executable file;
a feature value generation module, configured to generate the feature values to be identified corresponding to the user-defined functions;
a match count determination module, configured to determine the number of matches between the feature values to be identified and the feature values stored in the feature database, where the feature database stores the feature values corresponding to user-defined functions extracted from malware, and the feature values stored in the feature database have the same data length as the feature values to be identified;
an attribute determination module, configured to determine the attribute of the software to be identified according to the ratio of the number of matches to the total number of feature values to be identified.
Optionally, the feature value generation module includes:
an instruction sequence obtaining unit, configured to compile the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
a first function address determination unit, configured to determine, from the instruction sequence, the addresses of the first functions called by the user-defined function, where the first functions include library functions and/or API functions;
a first function name determination unit, configured to determine the names of the first functions from their addresses;
a replacement unit, configured to replace the addresses of the first functions in the instruction sequence with the names of the corresponding first functions;
a feature value generation unit, configured to apply a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with their names, so as to form the feature value to be identified, of a preset data length, corresponding to the user-defined function.
Optionally, the type determination module includes:
a first type determination unit, configured to determine the type of compiler used to produce the disassembled executable file by extracting the program entry function;
or,
a second type determination unit, configured to determine the type of compiler used to produce the disassembled executable file by extracting the PE byte table.
Optionally, the user-defined function extraction module includes a first user-defined function extraction sub-module corresponding to compilers of the MFC type;
where the first user-defined function extraction sub-module includes:
an .rdata section determination unit, configured to determine the .rdata section in the disassembled executable file;
a vtable determination unit, configured to determine the virtual function tables (vtables) in the .rdata section;
a virtual function removal unit, configured to remove the overridden MFC class virtual functions from the virtual functions corresponding to the vtables;
a user-defined function determination unit, configured to take the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, the first user-defined function extraction sub-module further includes:
a message loop list determination unit, configured to determine the message loop list in the .rdata section;
a message loop handler function extraction unit, configured to determine the message loop handler function structure according to the message loop list, and then extract the message loop handler functions according to that structure;
a called function extraction unit, configured to traverse the message loop handler functions and the remaining virtual functions, after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the vtables, to obtain the called functions;
the user-defined function determination unit, configured to take the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, the user-defined function extraction module includes a second user-defined function extraction sub-module corresponding to compilers of the VB type;
where the second user-defined function extraction sub-module includes:
a file header structure determination unit, configured to determine the file header structure according to the program entry code of the disassembled executable file;
an event handler function structure determination unit, configured to parse the file header structure to determine the event handler function structure of the disassembled executable file;
an event handler function extraction unit, configured to extract the event handler functions in the disassembled executable file according to the event handler function structure;
a called function acquiring unit, configured to traverse the event handler functions to obtain the called functions;
a user-defined function determination unit, configured to take the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, the user-defined function extraction module includes a third user-defined function extraction sub-module corresponding to compilers of the Delphi type;
where the third user-defined function extraction sub-module includes:
a first section table determination unit, configured to determine the first section table of the disassembled executable file;
a file header structure determination unit, configured to scan at the first section table to determine the file header structure;
an event handler function structure determination unit, configured to parse the file header structure to determine the event handler function structure;
an event handler function extraction unit, configured to extract the event handler functions in the disassembled executable file according to the event handler function structure;
a called function acquiring unit, configured to traverse the event handler functions to obtain the called functions;
a user-defined function determination unit, configured to take the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, the user-defined function extraction module includes a fourth user-defined function extraction sub-module corresponding to compilers of the E language type;
where the fourth user-defined function extraction sub-module includes:
a linking mode determination unit, configured to determine the linking mode of the compiler of the E language type, and to trigger a first user-defined function determination unit when the linking mode is determined to be static linking, or a second user-defined function determination unit when the linking mode is determined to be dynamic linking;
the first user-defined function determination unit, configured to scan the address range from a start address to an end address to determine the starting points of event handler functions; determine, according to the starting points, the event handler functions in the disassembled executable file; traverse the event handler functions to obtain the called functions; and take the called functions as the user-defined functions in the disassembled executable file; where the start address is the address of the entry code section of the disassembled executable file and the end address is the address of the second sequence;
the second user-defined function determination unit, configured to perform a specific operation on each code section, the specific operation including: determining the entry structure by means of a predetermined signature; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the starting points of event handler functions; determining, according to the starting points, the event handler functions in the disassembled executable file; traversing the event handler functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file; where the predetermined signature is a mark placed on a code section when the linking mode is determined to be dynamic linking.
Optionally, the user-defined function extraction module includes a fifth user-defined function extraction sub-module corresponding to compilers of the non-framework type;
where the fifth user-defined function extraction sub-module is configured to start from the entry code section of the disassembled executable file and perform the following operation on each code section:
scanning the functions in the code section, where, when a scanned function is an exported function, the functions called by that exported function continue to be scanned;
removing, from the scanned functions, those that are library functions, and determining the remaining functions as the user-defined functions in the disassembled executable file.
In the embodiment of the invention, the executable file of the software to be identified is disassembled; the type of compiler used to produce the disassembled executable file is determined; the user-defined functions in the disassembled executable file are extracted according to the compiler type; the feature values to be identified corresponding to the user-defined functions are generated; the number of matches between the feature values to be identified and the feature values stored in the feature database is determined; and the attribute of the software to be identified is determined according to the ratio of the number of matches to the total number of feature values to be identified. Compared with the prior art, the way this scheme extracts feature values makes them more characteristic of the software, thereby improving the accuracy of software identification.
Brief description of the drawings
To describe the technical solutions in the embodiments of the invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a first flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 2 is a second flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 3 is a third flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 4 is a fourth flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 5 is a fifth flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 6 is a sixth flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 7 is a seventh flow chart of a software identification method provided by an embodiment of the present invention;
Fig. 8 is a first structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 9 is a second structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 10 is a third structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 11 is a fourth structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 12 is a fifth structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 13 is a sixth structure diagram of a software identification device provided by an embodiment of the present invention;
Fig. 14 is a seventh structure diagram of a software identification device provided by an embodiment of the present invention.
Embodiment
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
To improve the accuracy of software identification, an embodiment of the invention provides a software identification method and device.
The software identification method provided by the embodiment of the invention is introduced first.
It should be noted that the software identification method provided by the embodiment of the invention is applicable to electronic devices. In practical applications, the electronic device may be a mobile phone, a tablet computer, a laptop computer or the like.
As shown in Fig. 1, a software identification method may include:
S101, disassembling the executable file of the software to be identified;
In an embodiment of the invention, when software needs to be identified, the executable file of the software to be identified can be disassembled once it has been obtained, so that subsequent processing can be carried out.
Those skilled in the art will understand that a program is written in a high-level language such as C or Pascal, and a compiler then generates a file that the operating system can execute directly, i.e. an executable file; disassembly refers to decompiling such executable files back into assembly language or another high-level language.
S102, determining the type of compiler used to produce the disassembled executable file;
Optionally, the ways of determining the type of compiler used to produce the disassembled executable file include, but are not limited to:
extracting the program entry function, or extracting the PE (Portable Executable) byte table, and determining from it the type of compiler used to produce the disassembled executable file.
S103, extracting, according to the compiler type, the user-defined functions in the disassembled executable file;
Malware contains not only framework functions and library functions but also user-defined functions beyond those, and the malicious behaviour of software is usually embodied in its user-defined functions. Therefore, to improve the accuracy of identification, the embodiment of the invention identifies software by extracting feature values from its user-defined functions.
Since executable files may be produced by different types of compiler, and the executable files produced by different types of compiler have different code characteristics, the way user-defined functions are extracted differs for each compiler type. This is described in detail below.
S104, generating the feature values to be identified corresponding to the user-defined functions;
After the user-defined functions have been obtained, the feature value to be identified corresponding to each user-defined function can be generated, that is, feature values are extracted from the user-defined functions.
S105, determining the number of matches between the feature values to be identified and the feature values stored in the feature database;
In an embodiment of the invention, the feature database stores the feature values corresponding to user-defined functions extracted in advance from malware, and the feature values stored in the feature database have the same data length as the feature values to be identified. The process of building the feature database can include: taking a plurality of malware files obtained in advance as samples, extracting user-defined functions from the malware, and generating the feature values corresponding to the extracted user-defined functions, thereby building the feature database.
The way user-defined functions are extracted from the malware samples is the same as the way user-defined functions are extracted from the software to be identified, and is not repeated here; the way feature values are generated is likewise the same and is not repeated here either.
S106, determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of feature values to be identified.
The attribute of the software to be identified can include: normal software, malware, leaning-normal software or leaning-malicious software. It will be understood that the attributes of the software to be identified can be customized for different application scenarios; for example, the attribute may be normal software or malware, or it may be leaning-normal software or leaning-malicious software.
Optionally, in an embodiment of the invention, a corresponding numeric interval can be set for each attribute of the software to be identified; when the ratio of the number of matches to the total number of feature values to be identified falls into a particular numeric interval, the corresponding attribute of the software to be identified can be determined. It will be understood that the correspondence between attributes and numeric intervals can also be customized for different application scenarios.
Further, after the attribute of the software to be identified has been determined, it can be displayed, in text form, graphic form or the like. When displaying the attribute, only the identification result may be shown, or other information prompting the user may be shown as well; both are reasonable. For example, when the software to be identified is determined to be malware or leaning-malicious software, a link for deleting the software can be provided to the user alongside the identification result, or a warning can be provided alongside the identification result to alert the user to the problems the software may cause once installed, without being limited thereto; and when the software to be identified is determined to be normal or leaning-normal software, the identification result can be shown to inform the user that the software is safe to use, without being limited thereto.
Optionally, as shown in Fig. 2, the above S104 can include:
S201, compile the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
For a processor architecture with 32-bit memory addresses and 32-bit data operands, the user-defined function can be compiled at least once according to the opcode (operation code) characteristics of IA-32 (Intel Architecture 32-bit), removing the data content that changes so that only the instruction sequence corresponding to the user-defined function is retained.
S202, determine, from the instruction sequence, the addresses of the first functions called by the user-defined function;
The first functions can include: library functions and/or API functions.
S203, determine the name of each first function from its address;
S204, replace the address of each first function in the instruction sequence with the name of the corresponding first function;
S205, apply a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with the names of the corresponding first functions, so as to form the characteristic value to be identified corresponding to the user-defined function.
Optionally, in practical applications, the preset algorithm can be a hash algorithm, though it is of course not limited to this; it can also be a self-written algorithm. It will be understood that the preset algorithm used to form the characteristic value to be identified is the same as the algorithm used for the characteristic values when building the feature database, so that the characteristic value to be identified and the characteristic values in the feature database have the same data length and are comparable.
It should be noted that the way of generating a characteristic value to be identified with a preset data length for the user-defined function, as given in the embodiment of the present invention, is merely exemplary and should not be construed as limiting the embodiment of the present invention.
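The feature generation of S201 to S205 and the matching and interval lookup of S105 and S106, carried through on a constructed IA-32 listing as an added example that is not part of the patent. The import table, the instruction listing, SHA-256 as the preset algorithm, the LOCAL placeholder for calls outside the import table and the interval boundaries are all assumptions.

```python
import hashlib
import re

# Constructed sample data (not from the patent): an import table mapping call
# addresses to library/API names, and one user-defined function as a listing.
IMPORT_TABLE = {
    0x00402000: "MessageBoxA",   # API function (assumption)
    0x00401A20: "strlen",        # library function (assumption)
}

SAMPLE_FUNCTION = [
    "push ebp", "mov ebp, esp", "sub esp, 0x40",
    "push 0x00403010", "call 0x00401A20", "mov [ebp-0x4], eax",
    "push 0x0", "push 0x00403020", "push 0x00403010", "push 0x0",
    "call 0x00402000", "mov esp, ebp", "pop ebp", "ret",
]

HEX_RE = re.compile(r"0x[0-9A-Fa-f]+")


def instruction_sequence(listing):
    """S201: strip data content that changes between builds (immediates, data
    addresses, stack displacements) so only the instruction sequence remains.
    Call targets are kept because S202 to S204 need them."""
    seq = []
    for insn in listing:
        mnemonic, _, operands = insn.partition(" ")
        if mnemonic == "call":
            seq.append(insn)
        elif operands:
            seq.append(mnemonic + " " + HEX_RE.sub("IMM", operands))
        else:
            seq.append(mnemonic)
    return seq


def called_addresses(seq):
    """S202: addresses of the first functions the user-defined function calls."""
    return [int(i.split()[1], 16) for i in seq if i.startswith("call ")]


def resolve_name(addr, import_table):
    """S203: map a call address to the library/API function name. A target
    outside the table is treated as another user function; its address is
    build-dependent data, so a fixed placeholder is used (assumption)."""
    return import_table.get(addr, "LOCAL")


def replace_addresses(seq, import_table):
    """S204: rewrite 'call <addr>' as 'call <name>'."""
    out = []
    for insn in seq:
        if insn.startswith("call "):
            out.append("call " + resolve_name(int(insn.split()[1], 16), import_table))
        else:
            out.append(insn)
    return out


def feature_value(listing, import_table=IMPORT_TABLE):
    """S205: hash the name-substituted sequence. SHA-256 gives every feature
    value the same data length, which the text requires for comparison."""
    seq = replace_addresses(instruction_sequence(listing), import_table)
    return hashlib.sha256("\n".join(seq).encode()).hexdigest()


# S105/S106: compare against a feature database built the same way from malware
# samples, then map the match ratio to an attribute through numerical intervals.
INTERVALS = [  # (low, high, attribute); the boundaries are assumptions
    (0.0, 0.1, "normal software"),
    (0.1, 0.4, "likely-normal software"),
    (0.4, 0.7, "likely-malicious software"),
    (0.7, 1.0, "malware"),
]


def match_count(features, feature_db):
    """S105: how many of the software's feature values occur in the database."""
    return sum(1 for f in features if f in feature_db)


def classify(features, feature_db, intervals=INTERVALS):
    """S106: return (matches, ratio, attribute) for one piece of software."""
    if not features:
        raise ValueError("no user-defined functions were extracted")
    matches = match_count(features, feature_db)
    ratio = matches / len(features)
    for low, high, label in intervals:
        if low <= ratio < high:
            return matches, ratio, label
    return matches, ratio, intervals[-1][2]   # ratio == 1.0
```

Two builds of the same function that differ only in immediates and data addresses produce the same feature value, which is the property the text relies on.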
In the embodiment of the present invention, the executable file of the software to be identified is disassembled; the type of compiler used by the disassembled executable file is determined; the user-defined functions in the disassembled executable file are extracted according to the compiler type; the characteristic values to be identified corresponding to the user-defined functions are generated; the number of matches between the characteristic values to be identified and the characteristic values stored in the feature database is determined; and the attribute of the software to be identified is determined according to the ratio of the number of matches to the total number of characteristic values to be identified. Compared with the prior art, the way this scheme extracts characteristic values makes them more distinctive, thereby improving the accuracy of software identification.
The methods of extracting user-defined functions for several types of compiler are described below. It should be noted that the extraction method given for each compiler type in the embodiment of the present invention is only an example and should not be construed as limiting the embodiment of the present invention.
The first, MFC (Microsoft Foundation Classes) type:
When the compiler used by the disassembled executable file is determined to be the MFC type, as shown in Fig. 3, the above S103 can include:
S301, determine the rdata section in the disassembled executable file;
The functions contained in code compiled by an MFC-type compiler mainly comprise message loop handling functions, overridden MFC class virtual functions and self-written virtual functions. Data analysis shows that the message loop handling functions, together with the virtual function tables that point to the overridden MFC class virtual functions and the self-written virtual functions, are placed in the rdata section.
S302, determine the virtual function tables in the rdata section;
S303, remove the overridden MFC class virtual functions from the virtual functions corresponding to the virtual function tables;
In an embodiment of the present invention, the overridden MFC class virtual functions can be the virtual functions whose names start with getruntimeclass. Therefore, the virtual functions starting with getruntimeclass are removed from the virtual functions corresponding to the virtual function tables, so that the remaining virtual functions are the self-written ones.
S304, take the remaining virtual functions as the user-defined functions in the disassembled executable file.
In the embodiment of the present invention, the self-written virtual functions in the virtual function tables are taken as the user-defined functions in the disassembled executable file, which completes the extraction of user-defined functions.
Further, since the functions called within the message loop handling functions and the remaining functions may themselves be functions written by the user, in order to extract the user-defined functions completely, the process of extracting the user-defined functions in the disassembled executable file according to the compiler type can also include: determining the message loop list in the rdata section; determining the message loop handling function structure according to the message loop list, and then extracting the message loop handling functions according to that structure; traversing the message loop handling functions and the remaining virtual functions to obtain the called functions; and then taking the called functions together with the remaining virtual functions as the user-defined functions in the disassembled executable file.
Second, VB type:
When the compiler used by the disassembled executable file is determined to be the VB type, as shown in Fig. 4, the above S103 can include:
S401, determine the file header structure according to the program entry code of the disassembled executable file;
S402, parse the file header structure and determine the event handling function structure of the disassembled executable file;
S403, extract the event handling functions in the disassembled executable file according to the event handling function structure;
S404, traverse the event handling functions and obtain the called functions;
S405, take the obtained called functions as the user-defined functions in the disassembled executable file.
The functions called within the event handling functions are usually functions written by the user; therefore, once the event handling functions have been obtained, they can be traversed and the called functions taken as the user-defined functions in the disassembled executable file, which completes the extraction of user-defined functions.
The third, Delphi type:
When the compiler used by the disassembled executable file is determined to be the Delphi type, as shown in Fig. 5, the above S103 can include:
S501, determine the first section table of the disassembled executable file;
S502, scan at the first section table to determine the file header structure;
S503, parse the file header structure and determine the event handling function structure;
S504, extract the event handling functions in the disassembled executable file according to the event handling function structure;
S505, traverse the event handling functions and obtain the called functions;
S506, take the obtained called functions as the user-defined functions in the disassembled executable file.
The functions called within the event handling functions are usually functions written by the user; therefore, once the event handling functions have been obtained, they can be traversed and the called functions taken as the user-defined functions in the disassembled executable file, which completes the extraction of user-defined functions.
The fourth, e language type:
When the compiler used by the disassembled executable file is determined to be the e language type, as shown in Fig. 6, the above S103 can include:
S601, determine the linking mode of the e language type compiler; when the linking mode is determined to be static linking, perform S602; when the linking mode is determined to be dynamic linking, perform S603;
If the starting byte sequence of a specific section is a first sequence, the linking mode of the e language type compiler is determined to be static linking; if the first two bytes of each code section are a predetermined code, the linking mode of the e language type compiler is determined to be dynamic linking, and each code section is marked with a predetermined feature code so that the entry structure can be determined through the predetermined feature code.
For example, the specific section can be the .test section, and the first sequence can be 0x33, 0xC0, 0xC3, 0x90 or 0x2B, 0xC0, 0xC3, 0xC3, etc.; the predetermined code can be "WJ" or "WTNE", though of course not limited to these; and the predetermined feature code can be FneCodeSec, though again not limited to this.
S602, scan the address range from the start address to the end address to determine the start points of the event handling functions; determine the event handling functions in the disassembled executable file according to the start points; traverse the event handling functions to obtain the called functions; and take the called functions as the user-defined functions in the disassembled executable file;
Specifically, the start address is the address of the entry code section of the disassembled executable file, and the end address is the address at which a second sequence is located.
For example, for static linking, the second sequence can be 0xFF, 0x25, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x25, though of course not limited to this; the start point of an event handling function can be push ebp; mov ebp, esp (0x55 0x8B 0xEC), though of course not limited to this.
S603, perform a specific operation on each code section, the specific operation including: determining the entry structure through the predetermined feature code; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the start points of the event handling functions; determining the event handling functions in the disassembled executable file according to the start points; traversing the event handling functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file.
For example, for dynamic linking, the start point of an event handling function can be 0x55, 0x8B, 0xEC, though of course not limited to this.
Optionally, for dynamic linking, when parsing the entry structure, whether the start address pointed to by the parsed entry structure is correct can be determined according to the actual indication of the entry structure.
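The linking mode check of S601 and the handler scans of S602 and S603, carried through on constructed section bytes as an added example that is not the patent's code. The byte sequences are the ones the text gives; the section layout, the rule that a handler ends where the next one starts, and recovering called functions from the E8 rel32 near-call encoding are assumptions, and entry structure parsing for the dynamic case is not reproduced (the caller supplies the start address).

```python
# Byte sequences from the text; the tuple form lets bytes.startswith test all of them.
FIRST_SEQUENCES = (bytes([0x33, 0xC0, 0xC3, 0x90]),   # static linking: specific section
                   bytes([0x2B, 0xC0, 0xC3, 0xC3]))   # starts with one of these
PREDETERMINED_CODES = (b"WJ", b"WTNE")               # dynamic linking: code sections start with one of these
SECOND_SEQUENCE = bytes([0xFF, 0x25, 0x90, 0x90, 0x90, 0x90, 0xFF, 0x25])  # marks the end address
HANDLER_START = bytes([0x55, 0x8B, 0xEC])            # push ebp; mov ebp, esp


def link_mode(specific_section, code_sections):
    """S601: classify the compiler's linking mode from raw section bytes."""
    if specific_section.startswith(FIRST_SEQUENCES):
        return "static"
    if code_sections and all(s.startswith(PREDETERMINED_CODES) for s in code_sections):
        return "dynamic"
    return "unknown"


def event_handler_starts(section, start, end):
    """Scan [start, end) for the handler prologue; return each start point offset."""
    starts = []
    pos = section.find(HANDLER_START, start)
    while pos != -1 and pos < end:
        starts.append(pos)
        pos = section.find(HANDLER_START, pos + 1)
    return starts


def called_functions(section, start, end):
    """Traverse one handler's bytes and collect near-call targets (E8 rel32).
    Assumption for the example: a linear byte walk stands in for walking the
    disassembly; the target is (offset after the call) + rel32."""
    targets = []
    pos = start
    while pos + 5 <= end:
        if section[pos] == 0xE8:
            rel = int.from_bytes(section[pos + 1:pos + 5], "little", signed=True)
            targets.append(pos + 5 + rel)
            pos += 5
        else:
            pos += 1
    return targets


def user_functions_in_range(section, start, end):
    """Shared by S602 and S603: handler start points in [start, end), then the
    functions those handlers call, which the text takes as the user-defined
    functions. A handler is assumed to end where the next one starts."""
    starts = event_handler_starts(section, start, end)
    called = set()
    for i, s in enumerate(starts):
        handler_end = starts[i + 1] if i + 1 < len(starts) else end
        called.update(called_functions(section, s, handler_end))
    return starts, sorted(called)


def static_link_user_functions(entry_section):
    """S602: the start address is the entry code section start and the end
    address is where the second sequence begins."""
    end = entry_section.find(SECOND_SEQUENCE)
    if end == -1:
        end = len(entry_section)
    return user_functions_in_range(entry_section, 0, end)


def dynamic_link_user_functions(code_section, entry_start):
    """S603 for one code section: the start address comes from the parsed
    entry structure (not reproduced here); scan to the end of the section."""
    return user_functions_in_range(code_section, entry_start, len(code_section))


# Constructed entry code section of a statically linked program (assumption).
SAMPLE_ENTRY_SECTION = (
    FIRST_SEQUENCES[0]                          # offset 0: first sequence
    + bytes([0x90] * 4)                         # offset 4: padding
    + HANDLER_START                             # offset 8: event handler 1
    + bytes([0xE8, 0x14, 0x00, 0x00, 0x00])     # offset 11: call rel32 -> offset 36
    + bytes([0x5D, 0xC3])                       # pop ebp; ret
    + HANDLER_START                             # offset 18: event handler 2
    + bytes([0xE8, 0x0A, 0x00, 0x00, 0x00])     # offset 21: call rel32 -> offset 36
    + bytes([0x5D, 0xC3])                       # pop ebp; ret
    + SECOND_SEQUENCE                           # offset 28: end address
    + HANDLER_START + bytes([0x5D, 0xC3])       # offset 36: the called user function
)
```

Note that the function at offset 36 lies past the end address, so the static scan does not report it as a handler, yet it is still recovered because both handlers call it.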
The fifth, non-framework type:
When the compiler used by the disassembled executable file is determined to be the non-framework type, as shown in Fig. 7, the above S103 can include:
Starting from the entry code section of the disassembled executable file, perform the following operations on each code section:
S701, scan the functions in the code section; when a scanned function is an export function, continue by scanning the functions called by that export function;
S702, remove the functions belonging to library functions from the scanned functions, and determine the remaining functions as the user-defined functions in the disassembled executable file.
For a non-framework type compiler, the functions contained in the disassembled executable file comprise library functions and user-defined functions; therefore, after scanning a set of functions, the functions belonging to library functions can be removed and the remaining functions determined as user-defined functions, thereby extracting the user-defined functions of the current code section in the executable file.
Corresponding to the above method embodiment, the embodiment of the present invention also provides a software identification device which, as shown in Fig. 8, can include:
a disassembly module 810, for disassembling the executable file of the software to be identified;
a type determination module 820, for determining the type of compiler used by the disassembled executable file;
a user-defined function extraction module 830, for extracting the user-defined functions in the disassembled executable file according to the compiler type;
a characteristic value generation module 840, for generating the characteristic values to be identified corresponding to the user-defined functions;
a match count determination module 850, for determining the number of matches between the characteristic values to be identified and the characteristic values stored in the feature database, where the feature database stores the characteristic values corresponding to user-defined functions extracted from malware, and the characteristic values stored in the feature database have the same data length as the characteristic values to be identified;
an attribute determination module 860, for determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of characteristic values to be identified.
Optionally, as shown in Fig. 9, the characteristic value generation module 840 can include:
an instruction sequence obtaining unit 841, for compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
a first function address determination unit 842, for determining, from the instruction sequence, the addresses of the first functions called by the user-defined function, where the first functions include library functions and/or API functions;
a first function name determination unit 843, for determining the name of each first function from its address;
a replacement unit 844, for replacing the address of each first function in the instruction sequence with the name of the corresponding first function;
a characteristic value generation unit 845, for applying a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with the names of the corresponding first functions, so as to form the characteristic value to be identified with a preset data length corresponding to the user-defined function.
Optionally, the type determination module 820 can include:
a first type determination unit, for determining the type of compiler used by the disassembled executable file by extracting the program entry function;
or,
a second type determination unit, for determining the type of compiler used by the disassembled executable file by extracting the PE byte table.
Optionally, as shown in Fig. 10, the user-defined function extraction module 830 can include a first user-defined function extraction sub-module 831 corresponding to MFC-type compilers;
where the first user-defined function extraction sub-module 831 includes:
an rdata section determination unit 8311, for determining the rdata section in the disassembled executable file;
a virtual function table determination unit 8312, for determining the virtual function tables in the rdata section;
a virtual function removal unit 8313, for removing the overridden MFC class virtual functions from the virtual functions corresponding to the virtual function tables;
a user-defined function determination unit 8314, for taking the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, the first user-defined function extraction sub-module 831 can also include:
a message loop list determination unit, for determining the message loop list in the rdata section;
a message loop handling function extraction unit, for determining the message loop handling function structure according to the message loop list, and then extracting the message loop handling functions according to that structure;
a called function extraction unit, for traversing the message loop handling functions and the remaining virtual functions, after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the virtual function tables, to obtain the called functions;
the user-defined function determination unit 8314 then taking the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
Optionally, as shown in Fig. 11, the user-defined function extraction module 830 includes a second user-defined function extraction sub-module 832 corresponding to VB-type compilers;
where the second user-defined function extraction sub-module 832 can include:
a file header structure determination unit 8321, for determining the file header structure according to the program entry code of the disassembled executable file;
an event handling function structure determination unit 8322, for parsing the file header structure and determining the event handling function structure of the disassembled executable file;
an event handling function extraction unit 8323, for extracting the event handling functions in the disassembled executable file according to the event handling function structure;
a called function acquisition unit 8324, for traversing the event handling functions and obtaining the called functions;
a user-defined function determination unit 8325, for taking the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, as shown in Fig. 12, the user-defined function extraction module 830 includes a third user-defined function extraction sub-module 833 corresponding to Delphi-type compilers;
where the third user-defined function extraction sub-module 833 includes:
a first section table determination unit 8331, for determining the first section table of the disassembled executable file;
a file header structure determination unit 8332, for scanning at the first section table to determine the file header structure;
an event handling function structure determination unit 8333, for parsing the file header structure and determining the event handling function structure;
an event handling function extraction unit 8334, for extracting the event handling functions in the disassembled executable file according to the event handling function structure;
a called function acquisition unit 8335, for traversing the event handling functions and obtaining the called functions;
a user-defined function determination unit 8336, for taking the obtained called functions as the user-defined functions in the disassembled executable file.
Optionally, as shown in Fig. 13, the user-defined function extraction module 830 can include a fourth user-defined function extraction sub-module 834 corresponding to e language type compilers;
where the fourth user-defined function extraction sub-module 834 can include:
a linking mode determination unit 8341, for determining the linking mode of the e language type compiler, triggering a first user-defined function determination unit 8342 when the linking mode is determined to be static linking, and triggering a second user-defined function determination unit 8343 when the linking mode is determined to be dynamic linking;
the first user-defined function determination unit 8342, for scanning the address range from the start address to the end address to determine the start points of the event handling functions; determining the event handling functions in the disassembled executable file according to the start points; traversing the event handling functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file; where the start address is the address of the entry code section of the disassembled executable file, and the end address is the address at which the second sequence is located;
the second user-defined function determination unit 8343, for performing a specific operation on each code section, the specific operation including: determining the entry structure through the predetermined feature code; parsing the entry structure, and scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the start points of the event handling functions; determining the event handling functions in the disassembled executable file according to the start points; traversing the event handling functions to obtain the called functions; and taking the called functions as the user-defined functions in the disassembled executable file; where the predetermined feature code is the mark applied to each code section when the linking mode is determined to be dynamic linking.
Optionally, as shown in Fig. 14, the user-defined function extraction module 830 can include a fifth user-defined function extraction sub-module 835 corresponding to non-framework type compilers;
where the fifth user-defined function extraction sub-module 835 is used to perform the following operations on each code section, starting from the entry code section of the disassembled executable file:
scanning the functions in the code section, and when a scanned function is an export function, continuing by scanning the functions called by that export function;
removing the functions belonging to library functions from the scanned functions, and determining the remaining functions as the user-defined functions in the disassembled executable file.
It should be noted that herein, relational terms such as first and second and the like are used merely to a reality Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation In any this actual relation or order.Moreover, term " comprising ", "comprising" or its any other variant are intended to Non-exclusive inclusion, so that process, method, article or equipment including a series of elements not only will including those Element, but also including other elements that are not explicitly listed, or further include as this process, method, article or equipment Intrinsic key element.In the absence of more restrictions, the key element limited by sentence "including a ...", it is not excluded that Also there are other identical element in process, method, article or equipment including the key element.
Can one of ordinary skill in the art will appreciate that realizing that all or part of step in above method embodiment is To instruct relevant hardware to complete by program, the program can be stored in computer read/write memory medium, The storage medium designated herein obtained, such as:ROM/RAM, magnetic disc, CD etc..
The foregoing is merely illustrative of the preferred embodiments of the present invention, is not intended to limit the scope of the present invention.It is all Any modification, equivalent replacement, improvement and so within the spirit and principles in the present invention, are all contained in protection scope of the present invention It is interior.

Claims (19)

  1. A software identification method, characterized in that it includes:
    disassembling the executable file of the software to be identified;
    determining the type of compiler used by the disassembled executable file;
    extracting the user-defined functions in the disassembled executable file according to the compiler type;
    generating the characteristic values to be identified corresponding to the user-defined functions;
    determining the number of matches between the characteristic values to be identified and the characteristic values stored in a feature database, where the feature database stores the characteristic values corresponding to user-defined functions extracted from malware, and the characteristic values stored in the feature database have the same data length as the characteristic values to be identified;
    determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of characteristic values to be identified.
  2. The method according to claim 1, characterized in that generating the characteristic value to be identified corresponding to the user-defined function includes:
    compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
    determining, from the instruction sequence, the addresses of the first functions called by the user-defined function, where the first functions include: library functions and/or API functions;
    determining the name of each first function from its address;
    replacing the address of each first function in the instruction sequence with the name of the corresponding first function;
    applying a preset algorithm to the instruction sequence in which the addresses of the first functions have been replaced with the names of the corresponding first functions, so as to form the characteristic value to be identified corresponding to the user-defined function.
  3. The method according to claim 1, characterized in that the type of compiler used by the disassembled executable file is determined by extracting the program entry function or the PE (Portable Executable) byte table.
  4. The method according to claim 1, characterized in that the attribute of the software to be identified includes: normal software, malware, likely-normal software or likely-malicious software.
  5. The method according to any one of claims 1-4, characterized in that, when the compiler used by the disassembled executable file is determined to be the MFC type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
    determining the rdata section in the disassembled executable file;
    determining the virtual function tables in the rdata section;
    removing the overridden MFC class virtual functions from the virtual functions corresponding to the virtual function tables;
    taking the remaining virtual functions as the user-defined functions in the disassembled executable file.
  6. The method according to claim 5, characterized in that extracting the user-defined functions in the disassembled executable file according to the compiler type further includes:
    determining the message loop list in the rdata section;
    determining the message loop handling function structure according to the message loop list, and then extracting the message loop handling functions according to the message loop handling function structure;
    after the overridden MFC class virtual functions have been removed from the virtual functions corresponding to the virtual function tables, traversing the message loop handling functions and the remaining virtual functions to obtain the called functions;
    and taking the remaining virtual functions as the user-defined functions in the disassembled executable file includes:
    taking the called functions and the remaining virtual functions as the user-defined functions in the disassembled executable file.
  7. The method according to any one of claims 1-4, characterized in that, when the compiler used by the disassembled executable file is determined to be the VB type, extracting the user-defined functions in the disassembled executable file according to the compiler type includes:
    determining the file header structure according to the program entry code of the disassembled executable file;
    parsing the file header structure and determining the event handling function structure of the disassembled executable file;
    extracting the event handling functions in the disassembled executable file according to the event handling function structure;
    traversing the event handling functions and obtaining the called functions;
    taking the obtained called functions as the user-defined functions in the disassembled executable file.
  8. 8. according to the method described in claim 1-4 any one, it is characterised in that after the dis-assembling processing is determined When the compiler that executable file is utilized is Delphi types, the type according to the compiler, described in extraction The user-defined function in executable file after dis-assembling processing, including:
    Determine first section table of the executable file after the dis-assembling processing;
    Scanned at first section table, to determine file header structure;
    The file header structure is parsed, determines event handling function structure;
    According to the event handling function structure, the event handling letter in the executable file after the dis-assembling processing is extracted Number;
    The event handling function is traveled through, obtains called function;
    The user-defined function in executable file after acquired called function is handled as the dis-assembling.
  9. 9. according to the method described in claim 1-4 any one, it is characterised in that after the dis-assembling processing is determined When the compiler that executable file is utilized is e language type, the type according to the compiler, described in extraction The user-defined function in executable file after dis-assembling processing, including:
    Determine the on-link mode (OLM) for belonging to the compiler of e language type;
    When it is static linkage to determine the on-link mode (OLM), scanned in the address realm of start address to end address, really Determine the starting point of event handling function;According to the starting point, determine in the executable file after the dis-assembling processing Event handling function;The event handling function is traveled through, obtains called function;Converged using the called function as anti- The user-defined function in executable file after volume processing;Wherein, the start address for the dis-assembling processing after can The entry code for performing file saves land location, and the end address is the address where the second sequence;
    When it is dynamic link to determine the on-link mode (OLM), specific operation, the specific operation bag are performed to each code section Include:By predetermined feature code, entrance structure body is determined;Entrance structure body is parsed, in the beginning pointed by the entrance structure body Scanned in address to the address realm of the end addresses of current code section, determine the starting point of event handling function;According to described in Starting point, determines the event handling function in the executable file after the dis-assembling processing;Travel through the event handling letter Number, obtains called function;The user in executable file after the called function is handled as dis-assembling determines Adopted function;Wherein, the predetermined feature code determines the on-link mode (OLM) by being done during dynamic link mode to code section Mark.
  10. 10. according to the method described in claim 1-4 any one, it is characterised in that after the dis-assembling processing is determined The compiler that is utilized of executable file when being non-framework type, the type according to the compiler, extracts institute The user-defined function in the executable file after dis-assembling processing is stated, including:
    Since the entry code section of the executable file after dis-assembling processing, following operation is performed to each code section:
    Scan the function in the code section;Wherein, when the function scanned is exports function, the export letter is continued to scan on Several called functions;
    From the function scanned, the function for belonging to built-in function is removed, and remaining function is determined as at the dis-assembling The user-defined function in executable file after reason.
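Claims 7 to 10 share one mechanism: start from a set of root functions (the event handlers for VB, Delphi and e-language, the entry code section for non-framework binaries), follow the calls they make, and drop library code from what was reached. The Python below is an added example, not the patent's own code, and generalizes that walk to any root set over a constructed disassembly listing; the listing format, the addresses and the library set are assumptions made for the example. Locating the roots themselves (file header structures, entry structures, signatures) is format-specific and is not reproduced.

```python
import re

# Constructed disassembly listing (not from the patent): function headers as
# "ADDR <name>:", instructions as "ADDR  mnemonic operands ; optional comment".
LISTING = """\
00401000 <entry>:
00401000  push ebp
00401001  mov ebp, esp
00401003  call 0x401100
00401008  call 0x401200
0040100D  call dword ptr [0x403010]   ; kernel32!ExitProcess through the IAT
00401013  ret
00401100 <sub_401100>:
00401100  push ebp
00401101  call 0x401300
00401106  call 0x401F00
0040110B  ret
00401200 <sub_401200>:
00401200  call 0x401100
00401205  call dword ptr [0x403014]   ; kernel32!CreateFileA through the IAT
0040120B  ret
00401300 <sub_401300>:
00401300  xor eax, eax
00401302  ret
00401400 <sub_401400>:
00401400  call 0x401300
00401405  ret
00401F00 <_strlen>:
00401F00  mov eax, [esp+4]
00401F04  ret
"""

# Assumed: functions identified as library code (e.g. by library signatures).
# The entry stub is treated as CRT start-up code, _strlen as a C runtime routine.
LIBRARY_FUNCS = {0x401000, 0x401F00}

HDR = re.compile(r"^([0-9A-Fa-f]{8}) <([^>]+)>:$")
INS = re.compile(r"^([0-9A-Fa-f]{8})\s+(.*?)\s*(?:;.*)?$")
CALL_DIRECT = re.compile(r"^call\s+0x([0-9A-Fa-f]+)$")
CALL_IAT = re.compile(r"^call\s+dword ptr \[0x([0-9A-Fa-f]+)\]$")

def parse_listing(text):
    """Split the listing into {function_va: [instruction, ...]}, comments stripped."""
    funcs, cur = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = HDR.match(line)
        if m:
            cur = int(m.group(1), 16)
            funcs[cur] = []
            continue
        m = INS.match(line)
        if m and cur is not None:
            funcs[cur].append(m.group(2))
    return funcs

def direct_callees(instrs):
    """Targets of direct calls, i.e. the call-graph edges to follow."""
    return [int(m.group(1), 16) for ins in instrs for m in [CALL_DIRECT.match(ins)] if m]

def iat_calls(instrs):
    """IAT slots called through; these are API calls and never user-defined code."""
    return [int(m.group(1), 16) for ins in instrs for m in [CALL_IAT.match(ins)] if m]

def collect_user_functions(funcs, roots, library_funcs):
    """Walk the call graph from the roots (the entry point for claim 10, the event
    handlers for claims 7 to 9) and drop library code from what was reached.
    Functions no root reaches, such as sub_401400 from the entry, are not reported."""
    seen, stack = set(), list(roots)
    while stack:
        va = stack.pop()
        if va in seen or va not in funcs:
            continue
        seen.add(va)
        stack.extend(direct_callees(funcs[va]))
    return seen - set(library_funcs)

if __name__ == "__main__":
    funcs = parse_listing(LISTING)
    print([hex(v) for v in sorted(collect_user_functions(funcs, [0x401000], LIBRARY_FUNCS))])
```

The walk continues through library functions before filtering them out, so a user routine reached only via a library callback is still collected; indirect calls (register or memory operands other than the IAT) are not resolved here, which is the usual gap in a purely static walk and the place where packed or obfuscated samples hide their real call graph.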
  11. A software identification device, comprising:
    a disassembly module, for disassembling the executable file of the software to be identified;
    a type determination module, for determining the type of compiler used by the disassembled executable file;
    a user-defined function extraction module, for extracting the user-defined functions from the disassembled executable file according to the compiler type;
    a feature value generation module, for generating the to-be-identified feature values corresponding to the user-defined functions;
    a match count determination module, for determining the number of matches between the to-be-identified feature values and the feature values stored in a feature database, wherein the feature database stores the feature values corresponding to user-defined functions extracted from malware, and the feature values stored in the feature database have the same data length as the to-be-identified feature values;
    an attribute determination module, for determining the attribute of the software to be identified according to the ratio of the number of matches to the total number of to-be-identified feature values.
  12. The device according to claim 11, wherein the feature value generation module comprises:
    an instruction sequence obtaining unit, for compiling the user-defined function at least once to obtain the instruction sequence corresponding to the user-defined function;
    a first function address determination unit, for determining from the instruction sequence the address of a first function called by the user-defined function, wherein the first function comprises a library function and/or an API function;
    a first function name determination unit, for determining the name of the first function from its address;
    a replacement unit, for replacing the address of the first function in the instruction sequence with the name of the corresponding first function;
    a feature value generation unit, for applying a preset algorithm to the instruction sequence in which the first function addresses have been replaced with first function names, to form the to-be-identified feature value of preset data length corresponding to the user-defined function.
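The following Python is an added example, not the patent's or the assignee's code, of the feature-value pipeline of claims 11 and 12 over constructed instruction sequences (which stand in for the "compile at least once" step). The name tables for first functions, the IAT slot addresses, SHA-256 truncated to 8 bytes as the preset algorithm and data length, and the 0.5 decision threshold are all assumptions made for the example.

```python
import hashlib
import re

# Assumed name resolution for "first functions" (claim 12): statically linked library
# routines by address, and API functions by the IAT slot they are called through.
# Two different IAT slots resolving to the same API model two builds of the same
# source with different import layouts.
FIRST_FUNCS = {0x401F00: "_strlen", 0x401F10: "_memcpy"}
IAT = {0x403010: "kernel32!ExitProcess", 0x403014: "kernel32!CreateFileA",
       0x405010: "kernel32!ExitProcess"}
FEATURE_LEN = 8   # assumed preset data length of a feature value, in bytes

CALL_DIRECT = re.compile(r"^call\s+0x([0-9A-Fa-f]+)$")
CALL_IAT = re.compile(r"^call\s+dword ptr \[0x([0-9A-Fa-f]+)\]$")

# Constructed instruction sequences standing in for the "compile at least once" step.
MALWARE_FUNCS = [
    ["push ebp", "mov ebp, esp", "call 0x401F00", "call dword ptr [0x403010]", "ret"],
    ["xor eax, eax", "call 0x401F10", "ret"],
]
SUSPECT_FUNCS = [
    # same code as MALWARE_FUNCS[0], but ExitProcess sits in a different IAT slot
    ["push ebp", "mov ebp, esp", "call 0x401F00", "call dword ptr [0x405010]", "ret"],
    ["push esi", "mov esi, ecx", "ret"],
]

def normalize(instrs, first_funcs=FIRST_FUNCS, iat=IAT):
    """Replace the address of each called first function with its name; calls to
    addresses that are not first functions (user code) are left untouched."""
    out = []
    for ins in instrs:
        m = CALL_DIRECT.match(ins)
        if m and int(m.group(1), 16) in first_funcs:
            out.append("call " + first_funcs[int(m.group(1), 16)])
            continue
        m = CALL_IAT.match(ins)
        if m and int(m.group(1), 16) in iat:
            out.append("call " + iat[int(m.group(1), 16)])
            continue
        out.append(ins)
    return out

def feature_value(instrs):
    """Preset algorithm (assumed): SHA-256 of the normalized sequence, truncated
    to FEATURE_LEN bytes so every feature value has the same data length."""
    seq = "\n".join(normalize(instrs)).encode()
    return hashlib.sha256(seq).digest()[:FEATURE_LEN].hex()

def build_feature_db(malware_funcs):
    """Feature database: one value per user-defined function taken from malware."""
    return {feature_value(f) for f in malware_funcs}

def classify(user_funcs, feature_db, threshold=0.5):
    """Claim 11: ratio of matched feature values to the total, then a verdict.
    The threshold is an assumption; the claims leave it to the implementation."""
    values = [feature_value(f) for f in user_funcs]
    matches = sum(1 for v in values if v in feature_db)
    ratio = matches / len(values) if values else 0.0
    return ratio, ("malicious" if ratio >= threshold else "benign")

if __name__ == "__main__":
    db = build_feature_db(MALWARE_FUNCS)
    print(classify(SUSPECT_FUNCS, db))
```

Following claim 12, only first-function addresses are replaced: a call to another user-defined function keeps its raw address, so the same function linked at a different base yields a different feature value, and an exact-hash match breaks under any instruction-level change (a reordered register, an inserted nop). A practitioner would normally normalize those operands too, or hash over opcode sequences, before relying on the match ratio.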
  13. The device according to claim 11, wherein the type determination module comprises:
    a first type determination unit, for determining the type of compiler used by the disassembled executable file by extracting the program entry function;
    or
    a second type determination unit, for determining the type of compiler used by the disassembled executable file by extracting the PE byte table.
  14. The device according to any one of claims 11 to 13, wherein the user-defined function extraction module comprises a first user-defined function extraction sub-module corresponding to the MFC type of compiler;
    wherein the first user-defined function extraction sub-module comprises:
    an .rdata section determination unit, for determining the .rdata section of the disassembled executable file;
    a vtable determination unit, for determining the virtual function table (vtable) in the .rdata section;
    a virtual function removal unit, for removing, from the virtual functions referenced by the vtable, the virtual functions of the MFC classes themselves (the entries the program inherits from MFC rather than rewrites in its own code);
    a user-defined function determination unit, for taking the remaining virtual functions as the user-defined functions of the disassembled executable file.
  15. The device according to claim 14, wherein the first user-defined function extraction sub-module further comprises:
    a message loop list determination unit, for determining the message loop list in the .rdata section;
    a message loop handling function extraction unit, for determining the message loop handler structure from the message loop list and extracting the message loop handling functions from that structure;
    a called function extraction unit, for traversing the message loop handling functions and the remaining virtual functions, after the MFC class virtual functions have been removed from the virtual functions referenced by the vtable, to obtain the functions they call;
    and the user-defined function determination unit is for taking the called functions together with the remaining virtual functions as the user-defined functions of the disassembled executable file.
  16. The device according to any one of claims 11 to 13, wherein the user-defined function extraction module comprises a second user-defined function extraction sub-module corresponding to the VB type of compiler;
    wherein the second user-defined function extraction sub-module comprises:
    a file header structure determination unit, for determining the file header structure from the program entry code of the disassembled executable file;
    an event handler structure determination unit, for parsing the file header structure to determine the event handler structure of the disassembled executable file;
    an event handling function extraction unit, for extracting the event handling functions of the disassembled executable file according to the event handler structure;
    a called function acquisition unit, for traversing the event handling functions to obtain the functions they call;
    a user-defined function determination unit, for taking the obtained called functions as the user-defined functions of the disassembled executable file.
  17. The device according to any one of claims 11 to 13, wherein the user-defined function extraction module comprises a third user-defined function extraction sub-module corresponding to the Delphi type of compiler;
    wherein the third user-defined function extraction sub-module comprises:
    a first section table determination unit, for determining the first section table entry of the disassembled executable file;
    a file header structure determination unit, for scanning at the first section table entry to determine the file header structure;
    an event handler structure determination unit, for parsing the file header structure to determine the event handler structure;
    an event handling function extraction unit, for extracting the event handling functions of the disassembled executable file according to the event handler structure;
    a called function acquisition unit, for traversing the event handling functions to obtain the functions they call;
    a user-defined function determination unit, for taking the obtained called functions as the user-defined functions of the disassembled executable file.
  18. The device according to any one of claims 11 to 13, wherein the user-defined function extraction module comprises a fourth user-defined function extraction sub-module corresponding to the e-language (易语言) type of compiler;
    wherein the fourth user-defined function extraction sub-module comprises:
    a linking mode determination unit, for determining the linking mode of the e-language compiler, triggering a first user-defined function determination unit when the linking mode is determined to be static linking, and triggering a second user-defined function determination unit when the linking mode is determined to be dynamic linking;
    the first user-defined function determination unit, for scanning the address range from a start address to an end address to determine the starting points of the event handling functions; determining the event handling functions of the disassembled executable file from those starting points; traversing the event handling functions to obtain the functions they call; and taking the called functions as the user-defined functions of the disassembled executable file; wherein the start address is the address of the entry code section of the disassembled executable file and the end address is the address of the second section;
    the second user-defined function determination unit, for performing the following operation on each code section: locating the entry structure by means of a predetermined signature; parsing the entry structure; scanning the address range from the start address pointed to by the entry structure to the end address of the current code section to determine the starting points of the event handling functions; determining the event handling functions of the disassembled executable file from those starting points; traversing the event handling functions to obtain the functions they call; and taking the called functions as the user-defined functions of the disassembled executable file; wherein the predetermined signature is the mark placed on the code section when the linking mode was determined to be dynamic linking.
  19. The device according to any one of claims 11 to 13, wherein the user-defined function extraction module comprises a fifth user-defined function extraction sub-module corresponding to the non-framework type of compiler;
    wherein the fifth user-defined function extraction sub-module is for performing, starting from the entry code section of the disassembled executable file, the following operation on each code section:
    scanning the functions in the code section, wherein, when a scanned function is an exported function, continuing to scan the functions it calls;
    removing the library functions from the scanned functions, and determining the remaining functions as the user-defined functions of the disassembled executable file.
CN201310632296.4A 2013-12-02 2013-12-02 software identification method and device Active CN104679495B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310632296.4A CN104679495B (en) 2013-12-02 2013-12-02 software identification method and device

Publications (2)

Publication Number Publication Date
CN104679495A CN104679495A (en) 2015-06-03
CN104679495B true CN104679495B (en) 2018-04-27

Family

ID=53314613

Country Status (1)

Country Link
CN (1) CN104679495B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107305495A (en) * 2016-04-19 2017-10-31 华为技术有限公司 Method and terminal for implementing function modification of a software installation package
CN109558731B (en) * 2017-09-26 2022-04-08 腾讯科技(深圳)有限公司 Feature code (signature) processing method, device and storage medium
CN109977976B (en) * 2017-12-28 2023-04-07 腾讯科技(深圳)有限公司 Executable file similarity detection method and device and computer equipment
CN111368296A (en) * 2019-06-27 2020-07-03 北京关键科技股份有限公司 Source code file matching rate analysis method
CN111522699B (en) * 2020-04-14 2023-05-23 杭州斯凯数据科技集团有限公司 Detection method for target memory change caused by VMP instruction
CN114047929B (en) * 2022-01-12 2022-05-03 广东省科技基础条件平台中心 Knowledge enhancement-based user-defined function identification method, device and medium
CN114741131B (en) * 2022-04-02 2023-08-15 深圳软牛科技有限公司 Hiding method, device, equipment and storage medium for dynamic library exported symbols

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1818863A (en) * 2006-03-13 2006-08-16 浙江大学 Static library recognition for decompilation of embedded software
CN102708320A (en) * 2012-05-04 2012-10-03 奇智软件(北京)有限公司 Method and device for recognition of virus APK (Android package)
CN102799493A (en) * 2012-06-21 2012-11-28 北京伸得纬科技有限公司 Method for intercepting a target process with self-protection
CN103268445A (en) * 2012-12-27 2013-08-28 武汉安天信息技术有限责任公司 OpCode-based Android malicious code detection method and system
JP5325072B2 (en) * 2009-10-22 2013-10-23 日本電信電話株式会社 Matrix decomposition apparatus, matrix decomposition method and program

Also Published As

Publication number Publication date
CN104679495A (en) 2015-06-03


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100041 A-0071, 2nd floor, Building 3, No. 30 Shixing Street, Shijingshan District, Beijing

Applicant after: Beijing Cheetah Mobile Technology Co., Ltd.

Applicant after: BEIJING LIEBAO NETWORK TECHNOLOGY CO., LTD.

Address before: 100041 1100A, Building 3, No. 3 West Well Road, Badachu High-tech Park, Shijingshan District, Beijing

Applicant before: SHELL INTERNET (BEIJING) SECURITY TECHNOLOGY CO., LTD.

Applicant before: Beijing Kingsoft Internet Science and Technology Co., Ltd.

GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20181218

Address after: Room 105-53967, No. 6 Baohua Road, Hengqin New District, Zhuhai City, Guangdong Province

Patentee after: Zhuhai Seal Fun Technology Co., Ltd.

Address before: 100041 A-0071, 2nd floor, Building 3, No. 30 Shixing Street, Shijingshan District, Beijing

Co-patentee before: BEIJING LIEBAO NETWORK TECHNOLOGY CO., LTD.

Patentee before: Beijing Cheetah Mobile Technology Co., Ltd.