CN106599730A - File detection method, apparatus and system - Google Patents
File detection method, apparatus and system Download PDFInfo
- Publication number
- CN106599730A CN106599730A CN201611197029.9A CN201611197029A CN106599730A CN 106599730 A CN106599730 A CN 106599730A CN 201611197029 A CN201611197029 A CN 201611197029A CN 106599730 A CN106599730 A CN 106599730A
- Authority
- CN
- China
- Prior art keywords
- file
- measured
- function
- mobile terminal
- integrity
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 174
- 230000006870 function Effects 0.000 claims description 339
- 238000012360 testing method Methods 0.000 claims description 43
- 238000005259 measurement Methods 0.000 claims description 42
- 238000000034 method Methods 0.000 claims description 26
- 238000010998 test method Methods 0.000 claims description 18
- 230000005540 biological transmission Effects 0.000 claims description 7
- 235000013399 edible fruits Nutrition 0.000 claims description 3
- 238000012986 modification Methods 0.000 abstract description 7
- 230000004048 modification Effects 0.000 abstract description 7
- 238000004891 communication Methods 0.000 abstract description 3
- 230000008569 process Effects 0.000 description 13
- 230000005055 memory storage Effects 0.000 description 8
- 239000011800 void material Substances 0.000 description 8
- 230000005856 abnormality Effects 0.000 description 5
- KANJSNBRCNMZMV-ABRZTLGGSA-N fondaparinux Chemical compound O[C@@H]1[C@@H](NS(O)(=O)=O)[C@@H](OC)O[C@H](COS(O)(=O)=O)[C@H]1O[C@H]1[C@H](OS(O)(=O)=O)[C@@H](O)[C@H](O[C@@H]2[C@@H]([C@@H](OS(O)(=O)=O)[C@H](O[C@H]3[C@@H]([C@@H](O)[C@H](O[C@@H]4[C@@H]([C@@H](O)[C@H](O)[C@@H](COS(O)(=O)=O)O4)NS(O)(=O)=O)[C@H](O3)C(O)=O)O)[C@@H](COS(O)(=O)=O)O2)NS(O)(=O)=O)[C@H](C(O)=O)O1 KANJSNBRCNMZMV-ABRZTLGGSA-N 0.000 description 5
- 238000007689 inspection Methods 0.000 description 5
- 230000001568 sexual effect Effects 0.000 description 5
- 230000002159 abnormal effect Effects 0.000 description 4
- 229940104697 arixtra Drugs 0.000 description 4
- 238000010586 diagram Methods 0.000 description 4
- 230000003993 interaction Effects 0.000 description 4
- 238000012544 monitoring process Methods 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000011016 integrity testing Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000011161 development Methods 0.000 description 1
- 230000018109 developmental process Effects 0.000 description 1
- 238000002474 experimental method Methods 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000007774 longterm Effects 0.000 description 1
- 230000004044 response Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Bioethics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Telephone Function (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Embodiments of the invention provide a file detection method, apparatus and system, which is applied to the technical field of wireless communication. The file detection method comprises the steps of obtaining a detection instruction sent by a server, wherein the detection instruction comprises a file name of a to-be-detected file, and a function name and a function length of a to-be-detected function in the to-be-detected file, and the to-be-detected file is a file in dynamic link library files; and obtaining an integrity detection result of the to-be-detected file according to the file name of the to-be-detected file, and the function name and the function length of the to-be-detected function in the to-be-detected file, sending the integrity detection result to the server, thereby enabling the server to judge whether the integrity of the to-be-detected file is normal or not. The integrity of the dynamic link library files in a mobile terminal is monitored in time, so that the influence on normal use of applications after file modification is avoided and the security and legality of the applications in the mobile terminal are ensured.
Description
Technical field
The present invention relates to wireless communication technology field, in particular to file test method, device and system.
Background technology
At present, all it is mostly program of being developed using JAVA language for Android application developments, and JAVA languages
Speech is a kind of semi analytic type language, it is easy to source code file is taken after being disassembled, so for the sake of security, great majority
Important function can be write and (be provided using Android by Android application developers using C language or C Plus Plus
A series of instrument NDK developing, the function that C language or C++ are developed is programmed in into a DLL for Speed Measurement file (i.e.
For the SO files of Android system) in, then NDK instruments can together be bundled to DLL for Speed Measurement file in APK file), so may be used
Significantly to improve the safety of program.Further, when Android application programs are operated in mobile phone, can be making
The DLL for Speed Measurement file used is loaded in the internal memory of mobile phone, once being loaded into after internal memory, then can use DLL for Speed Measurement file
In power function.But, the function of the DLL for Speed Measurement file in memory file is easily modified to realize some illegal functions,
Affect normally using for application.
The content of the invention
File test method, device and system that the present invention is provided, it is intended to improve the problems referred to above.
In a first aspect, a kind of file test method provided in an embodiment of the present invention, is applied to mobile terminal, move for detecting
The DLL for Speed Measurement file of Android system in dynamic terminal.Methods described includes:The detection instruction that server sends is obtained, wherein, institute
State the function name and function length for detecting the function to be measured that instruction is included in filename, the file to be measured of file to be measured, institute
It is the file in the DLL for Speed Measurement file to state file to be measured.In filename, the file to be measured according to the file to be measured
Function to be measured function name and function length, the integrity detection result of the file to be measured is obtained, by integrity inspection
Survey result to send to the server, so that the server judges whether the integrity of the file to be measured is normal.
A kind of second aspect, file test method provided in an embodiment of the present invention is applied to file detecting system, the text
Part detecting system includes mobile terminal and server, for detecting the dynamic chain library text of the Android system on the mobile terminal
Part.Methods described includes:The server sends detection instruction to mobile terminal, wherein, the detection instruction includes text to be measured
The function name and function length of the function to be measured in the filename of part, the file to be measured, the file to be measured is the dynamic
File in chain library file.To be measured letter of the mobile terminal in filename, the file to be measured of the file to be measured
Several function name and function length, obtain the integrity detection result of the file to be measured, and the server is according to described complete
Property testing result, judges whether the integrity of the file to be measured is normal.
A kind of third aspect, file detection means provided in an embodiment of the present invention, is applied to mobile terminal, moves for detecting
The DLL for Speed Measurement file of Android system in dynamic terminal.The file detection means includes:Detection instruction acquisition module, for obtaining
The detection instruction that server sends, wherein, the detection instruction includes treating in filename, the file to be measured of file to be measured
The function name and function length of function are surveyed, the file to be measured is the file in the DLL for Speed Measurement file.Testing result is obtained
Module, for the function name and function length of the function to be measured in the filename of the file to be measured, the file to be measured,
Obtain the integrity detection result of the file to be measured.Testing result sending module, for the integrity detection result to be sent out
The server is delivered to, so that the server judges whether the integrity of the file to be measured is normal.
Fourth aspect, a kind of file detecting system provided in an embodiment of the present invention, including server and mobile terminal, are used for
Detect the DLL for Speed Measurement file of the Android system on the mobile terminal.The server is used for transmission detection and instructs to movement eventually
End, wherein, the detection instruction includes the function name and letter of the function to be measured in filename, the file to be measured of file to be measured
Number length, the file to be measured is the file in the DLL for Speed Measurement file.The mobile terminal is used for according to the text to be measured
The function name and function length of the function to be measured in the filename of part, the file to be measured, obtains the complete of the file to be measured
Property testing result.The server is used for according to the integrity detection result, whether judges the integrity of the file to be measured
Normally.
File test method provided in an embodiment of the present invention, device and system, for detecting Android system in mobile terminal
DLL for Speed Measurement file.Server is sent out when whether the function for needing to monitor in mobile terminal in DLL for Speed Measurement file is changed
Censorship surveys instruction to mobile terminal, and the detection instruction contains the file to be measured in the DLL for Speed Measurement file of the Android system
Filename, the file to be measured in function to be measured function name and function length.By the server according to described to be measured
The filename of file, the function name of function to be measured and function length calculate the integrity detection result of the file to be measured, and will
The result for being obtained is sent to server.The integrity inspection that server feeds back according to default judgment rule and the mobile terminal
Result is surveyed, judges whether the integrity of the file to be measured is normal, so as to the code in the file to be measured for inferring the mobile terminal
Whether changed, the safety that ensure that mobile terminal application of high degree and legitimacy.
Description of the drawings
In order to be illustrated more clearly that the technical scheme of the embodiment of the present invention, below will be attached to what is used needed for embodiment
Figure is briefly described, it will be appreciated that the following drawings illustrate only certain embodiments of the present invention, thus be not construed as it is right
The restriction of scope, for those of ordinary skill in the art, on the premise of not paying creative work, can be with according to this
A little accompanying drawings obtain other related accompanying drawings.
Fig. 1 is the interaction figure of the server in file detecting system provided in an embodiment of the present invention and mobile terminal;
The step of Fig. 2 is the file test method of first embodiment of the invention offer flow chart;
The sub-step flow chart of the step of Fig. 3 is the file test method of first embodiment of the invention offer S202;
The step of Fig. 4 is the file test method of second embodiment of the invention offer flow chart;
The sub-step flow chart of the step of Fig. 5 is the file test method of second embodiment of the invention offer S402;
Fig. 6 is the functional block diagram of the file detection means that third embodiment of the invention is provided.
Specific embodiment
In consideration of it, the designer of the present invention is by long-term exploration and trial, and multiple experiment and effort, constantly
Reform and innovation, draw file test method and device shown in this programme and using response method and device.
As shown in figure 1, being the schematic diagram that mobile terminal 1 provided in an embodiment of the present invention 00 and server 200 are interacted.
The server 200 is communicatively coupled by network with one or more mobile terminal 1s 00, to enter row data communication or friendship
Mutually.The server 200 can be the webserver, database server etc..The mobile terminal 1 00 can be PC
(personal computer, PC), panel computer, smart mobile phone, personal digital assistant (personal digital
Assistant, PDA) etc..The mobile terminal 1 00 can be browser or other application terminal, and the browser is referred to can
To show web page server, and allow the various softwares of user and these file interactions.
Fig. 2 is referred to, the flow chart the step of file test method provided for first embodiment of the invention is applied to movement
Terminal 100, for detecting the DLL for Speed Measurement file of Android system in mobile terminal 1 00.The step shown in Fig. 2 will be carried out below
Specific explanations.
Step S201, obtains the detection instruction that server sends.
Mobile terminal 1 00 is connected with server 200, the file detection operation that the reception server 200 is actively initiated, to detect
The DLL for Speed Measurement file of the Android system in the mobile terminal 1 00, in particular, mainly for detection of peace in mobile terminal 1 00
The integrity of the DLL for Speed Measurement file of tall and erect system.Whether the integrity of file, the function code in associated with is changed.If
Function code is changed, then the complete sexual abnormality of file.Preset in the server 200 and need in DLL for Speed Measurement file detection
The corresponding configuration file of file, the configuration file can include:Treating in the filename of file to be measured, the file to be measured
The function name of function and the function length of the function to be measured etc. are surveyed for indicating the information of the file to be measured.The configuration text
The corresponding standard testing result of function to be measured in file to be measured can also be prestored in part, the standard testing result is described
According to the calculated result of standard code of function to be measured in the file to be measured.The standard testing result can also be institute
Server 200 is stated when file detection operation is initiated, is calculated temporarily according to the standard code of function to be measured in file to be measured
Result.
The form of the configuration file of the memory storage of the server 200 can be:
" name "=" Test ";
" FUNC "=" func1 ", " func2 ";
" FuncLen "=" N1 ", " N2 ";
" result "=" xxx1 ", " xxx2 ";
Wherein, Test is the filename of DLL for Speed Measurement file, and func1 and func2 is function name, and N1 is function func1
Function length, N2 is the function length of function func2.
Server 200 generates inspection when file detection operation is initiated according to the information of correspondence file to be measured in configuration file
Instruction is surveyed, the detection for being generated instruction is sent to mobile terminal 1 00, so that the mobile terminal 1 00 receives the detection and refers to
The triggering of order, performs file detection operation.The detection instruction can include treating in filename, the file to be measured of file to be measured
Survey the function name and function length of function.
Step S202, the function name of the function to be measured in filename, the file to be measured according to the file to be measured and
Function length, obtains the integrity detection result of the file to be measured.
The mobile terminal 1 00 receive the end of server 200 transmission detection instruction after, according to detection instruction in treating
The filename for surveying file finds the file to be measured, the function name and function length of the function to be measured in the file to be measured
The code segment of function to be measured is obtained, and the integrity detection result of the file to be measured is calculated according to default computation rule.
In a kind of embodiment, the integrity detection result can be the hashed value of function to be measured in the file to be measured, calculate institute
Stating the default computation rule of the integrity detection result of file to be measured can calculate function, such as MD5 etc. for hashed value.
Step S203, the integrity detection result is sent to the server, so that the server judges described
Whether the integrity of file to be measured is normal.
The mobile terminal 1 00 obtains the integrity of file to be measured in the detection instruction sent according to the server 200
After testing result, the integrity detection result is sent to server 200.The configuration file memory storage of server 200 needs
Survey the standard testing result of the function to be measured of file.The server 200 is receiving the to be measured of the transmission of the mobile terminal 1 00
After the integrity detection result of file, in the standard detection knot to the file to be measured should be obtained in the configuration file of file to be measured
Really, judge whether the integrity detection result is consistent with the standard testing result.If the integrity detection result with
The standard testing result is consistent, and the server 200 judges that the integrity of the file to be measured is normal, i.e., described file to be measured
Code do not changed, the user of mobile terminal 1 00 be normal users.If the integrity detection result is examined with said standard
Survey result is inconsistent, judges the complete sexual abnormality of the file to be measured, and the code of as described file to be measured is changed, should
The user of mobile terminal 1 00 is abnormal user.
In one embodiment, it is contemplated that the acceptable of function to be measured is changed in file to be measured in mobile terminal 1 00,
Can be with according to the acceptable modification situation of function to be measured setting matching degree threshold value.Such as the integrity detection of the file to be measured
As a result it is more than or equal to matching degree threshold value with the matching degree of standard testing result, that is, is judging the integrity of the file to be measured just
Often.If the integrity result of the file to be measured is less than matching degree threshold value with the matching degree of standard testing result, institute is judged
State the complete sexual abnormality of file to be measured.
In other embodiments, the integrity detection of correspondence file to be measured is the abnormal user of mobile terminal 1 00, service
Device 200 can perform corresponding punitive measures to the user.For example, the letter of certain charging function in DLL for Speed Measurement file is changed
Number, by Modification growth function to whether the judgement paid, so as to realize that charging function is used in the case where not paying, have impact on should
Normally use.Server 200 can perform title, envelope after detecting that the function is changed to the mobile terminal 1 00 user
Prohibit the punitive measures such as several days, to ensure the normal operating specification of application.
On the basis of above-described embodiment, the mobile terminal 1 00 can realize text to be measured by calling local function
The calculating of the integrity detection result of part.Below in conjunction with Fig. 3 being embodied as to step S202 described in first embodiment
Journey is specifically addressed.
Step S301, according to the filename of the file to be measured and the first function for obtaining file handle are obtained
The file handle of file to be measured.
During detection file, it is necessary first to first find this document, this document can be searched by file handle.It is described mobile whole
100 memory storages are held to have the first function for obtaining file handle.The text of the file to be measured in the detection instruction is received
During part name, the first function is called, the first function of file handle is obtained according to the filename of the file to be measured.Described
One function can be the system function dlopen functions of ARIXTRA.The dlopen functions, can open what is specified with designated mode
DLL for Speed Measurement file, and return the file handle of correspondence filename.
In one embodiment, the code of realizing of acquisition file handle can be:
Void*dlopen (const char*pathname, int mode);
Wherein, const char*pathname are the filenames of the DLL for Speed Measurement for needing to open, and intmode is then inserting
Opening, return value is then the handle of DLL for Speed Measurement file to the mode of RTLD_NOW.
Step S302, function name, the file handle of the file to be measured according to the function to be measured and for obtaining letter
The second function of number address, obtains the initial address of the function to be measured.
After obtaining the handle of this document, the file to be measured can be found according to the file handle, and it is to be measured to search this
Function to be measured in file.The memory storage of the mobile terminal 1 00 has the second function for obtaining function address.Receiving
When stating the function name for detecting the function to be measured in instruction, according to the file of the file handle indication, the second function is called,
The function address of the function to be measured is obtained according to the function name of the function to be measured.The second function can be Android system
Interior dlsym functions.The handle that the dlsym functions can be returned according to the dlopen functions finds the weight for needing detection
The memory address of function, the memory address is wanted to be generally the initial address of the function to be measured, sensing needs to carry out integrity
The function of detection.
In one embodiment, the code of realizing of acquisition function address can be:
Void*dlsym (void*pHandle, char*symbol);
Wherein, void*pHandle is then the file handle of DLL for Speed Measurement file, is exactly the file sentence that previous step is obtained
Handle.Char*symbol is then specific function name, and return value is then initial address of the function in internal memory.
Step S303, treats according to the initial address of the function to be measured and the function length of the function to be measured are obtained
Survey the code of function.
The initial address of function to be measured is obtained by above-mentioned steps, according to function to be measured included in the detection instruction
Function length, obtain the code of the function to be measured.
Step S304, according to the code of the function to be measured and the 3rd function for calculating function hashed value are obtained
The hashed value of function to be measured, using the hashed value as the integrity detection result.
Acquisition is needed after the code of the function to be measured for carrying out integrity detection, is used for according to default in mobile terminal 1 00
3rd function of calculation of integrity testing result calculates the integrity detection result of the function to be measured.In one embodiment,
Integrity inner side result is the hashed value of function code.3rd function can be MD5 functions (Message Digest
Algorithm MD5, Message Digest Algorithm 5).After obtaining the memory address of the function to be measured, the MD5 letters are called
Several function codes to the memory address carry out hashed value calculating, will calculate gained hashed value and tie as the integrity detection
Really.In one embodiment, the code of realizing of acquisition function address can be:
FuncMd5=MD5.calcMd5 (FuncStartAddr, FuncLen);
Wherein, MD5.calcMd5 is then the power function for calculating MD5, and wherein FuncStartAddr is then function in internal memory
In initial address, FuncLen is then the length of function, and FuncMd5 is then the MD5 results of function.
On the basis of above-described embodiment, in order to further improve file detection process in safety, can also increase
The ciphering process of integrity detection result.The integrity detection result that the mobile terminal 1 00 is obtained is encrypted, will
Integrity detection result after encryption is sent to server 200.Integrity detection knot of the server 200 after the encryption is obtained
After fruit, process is decrypted first, the integrity detection result after decryption processing is matched with standard testing result, obtain
Corresponding judged result.In one embodiment, it is preferred to use symmetric encipherment algorithm des encryption algorithm carrying out to data plus
Close, server 200 also uses corresponding des encryption algorithm, decrypts clear data, carries out follow-up judgement flow process.
The file test method that the embodiments of the present invention are provided, according to the detection instruction that server sends, calls ARIXTRA
Function to be measured in the file to be measured that the system function of system is indicated detection instruction carries out integrity detection, and will be acquired
Server is transferred to judge the integrity state of file to be measured after integrity detection result encryption.In time in monitoring mobile terminal
DLL for Speed Measurement file integrity, it is to avoid file affects normally using for application after being changed, it is ensured that mobile terminal should
Safety and legitimacy.
Refer to Fig. 4, be second embodiment of the invention provide file test method the step of flow chart, file inspection
Survey method is applied to the file detecting system shown in Fig. 1, for detecting the dynamic chain of the Android system in the mobile terminal 1 00
Library file.The file detecting system includes mobile terminal 1 00 and server 200, the mobile terminal 1 00 and the server
200 connections.Specific explanations will be carried out to the step shown in Fig. 4 below.
Step S401, the server sends detection instruction to mobile terminal.
The server 200 initiates file detection operation, firstly generates detection instruction, and the detection instruction for generating is sent extremely
Mobile terminal 1 00.The corresponding configuration file of file for needing to detect in DLL for Speed Measurement file is preset in the server 200,
The configuration file can include:The function name of the function to be measured in the filename of file to be measured, the file to be measured and described
Function length of function to be measured etc. is for indicating the information of the file to be measured.Can also prestore in the configuration file and treat
Survey the corresponding standard testing result of function to be measured in file, the standard testing result is for described according to treating in the file to be measured
Survey the calculated result of standard code of function.The standard testing result can also initiate text for the server 200
During part detection operation, according to the interim calculated result of standard code of function to be measured in file to be measured.
The form of the configuration file of the memory storage of the server 200 can be:
" name "=" Test ";
" FUNC "=" func1 ", " func2 ";
" FuncLen "=" N1 ", " N2 ";
" result "=" xxx1 ", " xxx2 ";
Wherein, Test is the filename of DLL for Speed Measurement file, and func1 and func2 is function name, and N1 is function func1
Function length, N2 is the function length of function func2.
Server 200 generates inspection when file detection operation is initiated according to the information of correspondence file to be measured in configuration file
Instruction is surveyed, the detection for being generated instruction is sent to mobile terminal 1 00, so that the mobile terminal 1 00 receives the detection and refers to
The triggering of order, performs file detection operation.The detection instruction can include treating in filename, the file to be measured of file to be measured
Survey the function name and function length of function.
Step S402, to be measured letter of the mobile terminal in filename, the file to be measured of the file to be measured
Several function name and function length, obtain the integrity detection result of the file to be measured.
The mobile terminal 1 00 receive the end of server 200 transmission detection instruction after, according to detection instruction in treating
The filename for surveying file finds the file to be measured, the function name and function length of the function to be measured in the file to be measured
The code segment of function to be measured is obtained, and the integrity detection result of the file to be measured is calculated according to default computation rule.
In a kind of embodiment, the integrity detection result can be the hashed value of function to be measured in the file to be measured, calculate institute
Stating the default computation rule of the integrity detection result of file to be measured can calculate function, such as MD5 etc. for hashed value.
Step S403, the server judges the integrity detection result with mark according to the integrity detection result
Whether quasi- testing result matches.
If the integrity detection result is matched with the standard testing result, execution step, server described in S404
Judge that the integrity of the file to be measured is normal.
If the integrity detection result is mismatched with the standard testing result, execution step S405, the service
Device judges the complete sexual abnormality of the file to be measured.
The configuration file memory storage of server 200 has the standard testing result of the function to be measured of file to be measured.The service
Device 200 after the integrity detection result of file to be measured of the transmission of the mobile terminal 1 00 is received, to should file to be measured
Configuration file in obtain the file to be measured standard testing result, judge the integrity detection result and the standard detection
As a result it is whether consistent.If the integrity detection result is consistent with the standard testing result, the server 200 judges institute
The integrity for stating file to be measured is normal, i.e., the code of described file to be measured is not changed, and the user of mobile terminal 1 00 is just to commonly use
Family.If the integrity detection result is inconsistent with said standard testing result, judge that the integrity of the file to be measured is different
Often, the code of as described file to be measured is changed, and the user of mobile terminal 1 00 is abnormal user.
In one embodiment, it is contemplated that the acceptable of function to be measured is changed in file to be measured in mobile terminal 1 00,
Can be with according to the acceptable modification situation of function to be measured setting matching degree threshold value.Such as the integrity detection of the file to be measured
As a result it is more than or equal to matching degree threshold value with the matching degree of standard testing result, that is, is judging the integrity of the file to be measured just
Often.If the integrity result of the file to be measured is less than matching degree threshold value with the matching degree of standard testing result, institute is judged
State the complete sexual abnormality of file to be measured.
In other embodiments, the integrity detection of correspondence file to be measured is the abnormal user of mobile terminal 1 00, service
Device 200 can perform corresponding punitive measures to the user.For example, the letter of certain charging function in DLL for Speed Measurement file is changed
Number, by Modification growth function to whether the judgement paid, so as to realize that charging function is used in the case where not paying, have impact on should
Normally use.Server 200 can perform title, envelope after detecting that the function is changed to the mobile terminal 1 00 user
Prohibit the punitive measures such as several days, to ensure the normal operating specification of application.
On the basis of above-described embodiment, the mobile terminal 1 00 can realize text to be measured by calling local function
The calculating of the integrity detection result of part.Below in conjunction with Fig. 5, the tool of S402 the step of to described in second embodiment of the invention
Body implementation process carries out specific explanations.
Step S501, the mobile terminal according to the filename of the file to be measured and for obtaining file handle first
Function obtains the file handle of the file to be measured.
The mobile terminal 1 00 is when file is detected, it is necessary first to first finds this document, can be searched by file handle
This document.The memory storage of the mobile terminal 1 00 has the first function for obtaining file handle.Receiving the detection instruction
In file to be measured filename when, call the first function, according to the filename of the file to be measured obtain file handle
First function.The first function can be the system function dlopen functions of ARIXTRA.The dlopen functions, can be with finger
Mould-fixed opens the DLL for Speed Measurement file specified, and returns the file handle of correspondence filename.
In one embodiment, the code of realizing of acquisition file handle can be:
Void*dlopen (const char*pathname, int mode);
Wherein, const char*pathname are the filenames of the DLL for Speed Measurement for needing to open, and intmode is then inserted
Opening, return value is then the handle of DLL for Speed Measurement file to the mode of RTLD_NOW.
Step S502, the mobile terminal is according to the function name of the function to be measured, the file handle of the file to be measured
With for obtaining the second function of function address, the initial address of the function to be measured is obtained.
After obtaining the handle of this document, the file to be measured can be found according to the file handle, and it is to be measured to search this
Function to be measured in file.The memory storage of the mobile terminal 1 00 has the second function for obtaining function address.Receiving
When stating the function name for detecting the function to be measured in instruction, according to the file of the file handle indication, the second function is called,
The function address of the function to be measured is obtained according to the function name of the function to be measured.The second function can be Android system
Interior dlsym functions.The handle that the dlsym functions can be returned according to the dlopen functions finds the weight for needing detection
The memory address of function, the memory address is wanted to be generally the initial address of the function to be measured, sensing needs to carry out integrity
The function of detection.
In one embodiment, the code of realizing of acquisition function address can be:
Void*dlsym (void*pHandle, char*symbol);
Wherein, void*pHandle is then the file handle of DLL for Speed Measurement file, is exactly the file sentence that previous step is obtained
Handle.Char*symbol is then specific function name, and return value is then initial address of the function in internal memory.
Step S503, the mobile terminal is long according to the initial address of the function to be measured and the function of the function to be measured
Degree obtains the code of the function to be measured.
The initial address of function to be measured is obtained by above-mentioned steps, according to function to be measured included in the detection instruction
Function length, obtain the code of the function to be measured.
Step S504, the mobile terminal according to the code of the function to be measured and for calculating function hashed value the 3rd
Function obtains the hashed value of the function to be measured, using the hashed value as the integrity detection result.
Acquisition is needed after the code of the function to be measured for carrying out integrity detection, is used for according to default in mobile terminal 1 00
3rd function of calculation of integrity testing result calculates the integrity detection result of the function to be measured.In one embodiment,
Integrity inner side result is the hashed value of function code.3rd function can be MD5 functions (Message Digest
Algorithm MD5, Message Digest Algorithm 5).After obtaining the memory address of the function to be measured, the MD5 letters are called
Several function codes to the memory address carry out hashed value calculating, will calculate gained hashed value and tie as the integrity detection
Really.In one embodiment, the code of realizing of acquisition function address can be:
FuncMd5=MD5.calcMd5 (FuncStartAddr, FuncLen);
Wherein, MD5.calcMd5 is then the power function for calculating MD5, and wherein FuncStartAddr is then function in internal memory
In initial address, FuncLen is then the length of function, and FuncMd5 is then the MD5 results of function.
On the basis of above-described embodiment, in order to further improve file detection process in safety, can also increase
The ciphering process of integrity detection result.The integrity detection result that the mobile terminal 1 00 is obtained is encrypted, will
Integrity detection result after encryption is sent to server 200.Integrity detection knot of the server 200 after the encryption is obtained
After fruit, process is decrypted first, the integrity detection result after decryption processing is matched with standard testing result, obtain
Corresponding judged result.In one embodiment, it is preferred to use symmetric encipherment algorithm des encryption algorithm carrying out to data plus
Close, server 200 also uses corresponding des encryption algorithm, decrypts clear data, carries out follow-up judgement flow process.
The file test method that the embodiments of the present invention are provided, the server and movement by the file detecting system is whole
End interaction completes the file detection operation of mobile terminal.Mobile terminal is instructed according to the detection that server sends, and calls ARIXTRA system
Function to be measured in the file to be measured that the system function of system is indicated detection instruction carries out integrity detection, and will be acquired complete
Server is transferred to judge the integrity state of file to be measured after whole property testing result encryption.In time in monitoring mobile terminal
The integrity of DLL for Speed Measurement file, it is to avoid file affects normally using for application after being changed, it is ensured that mobile terminal application
Safety and legitimacy.
Fig. 6 is referred to, the functional block diagram of the file detection means 600 provided for third embodiment of the invention.The text
Part detection means 600 includes:Detection instruction acquisition module 601, testing result acquisition module 602 and testing result sending module
603。
The detection instruction acquisition module 601, for obtaining the detection instruction of the transmission of server 200.Wherein, the detection
Instruction includes the function name and function length of the function to be measured in filename, the file to be measured of file to be measured, described to be measured
File is the file in the DLL for Speed Measurement file.
The testing result acquisition module 602, for according in the filename of the file to be measured, the file to be measured
The function name and function length of function to be measured, obtains the integrity detection result of the file to be measured.
The testing result sending module 603, for the integrity detection result to be sent to the server 200,
So that the server 200 judges whether the integrity of the file to be measured is normal.
On the basis of above-described embodiment, the testing result acquisition module can be used for:
The file to be measured is obtained according to the filename of the file to be measured and the first function for obtaining file handle
File handle;
Function name, the file handle of the file to be measured according to the function to be measured and for obtaining function address
Two functions, obtain the initial address of the function to be measured;
The function to be measured is obtained according to the initial address of the function to be measured and the function length of the function to be measured
Code;
The function to be measured is obtained according to the code of the function to be measured and the 3rd function for calculating function hashed value
Hashed value, using the hashed value as the integrity detection result.
On the basis of above-described embodiment, the first function is dlopen functions, and the second function is dlsym letters
Number, the 3rd function is MD5 functions.
On the basis of above-described embodiment, the file detection means 600 can also include encrypting module, the encryption mould
After block is used to be encrypted the integrity detection result, send to the server 200, so that the server 200 will
After encryption integrity detection result decryption, and according to decryption after the integrity detection result judge the file to be measured
Whether integrity is normal.
File detection means provided in an embodiment of the present invention, according to the detection instruction that server sends, calls Android system
System function file to be measured that detection instruction is indicated in function to be measured carry out integrity detection, and will be acquired complete
Server is transferred to judge the integrity state of file to be measured after property testing result encryption.It is dynamic in monitoring mobile terminal in time
The integrity of state chain library file, it is to avoid file affects normally using for application after being changed, it is ensured that mobile terminal application
Safety and legitimacy.The specific implementation process of file detection means provided in an embodiment of the present invention refers to file test method
Concrete real-time process, this is no longer going to repeat them.
Continuing with referring to Fig. 1, the interactive schematic diagram of the file detecting system provided for fourth embodiment of the invention.The text
Part detecting system includes server 200 and mobile terminal 1 00, for detecting the dynamic of the Android system in the mobile terminal 1 00
State chain library file.
The server 200 is used to send detection instruction to mobile terminal 1 00, wherein, the detection instruction includes to be measured
The function name and function length of the function to be measured in the filename of file, the file to be measured, the file to be measured is described dynamic
File in state chain library file;
The mobile terminal 1 00 is used for the function to be measured in filename, the file to be measured of the file to be measured
Function name and function length, obtain the integrity detection result of the file to be measured;
The server 200 is used for according to the integrity detection result, whether judges the integrity of the file to be measured
Normally.
On the basis of above-described embodiment, the mobile terminal 1 00 specifically for:
The file to be measured is obtained according to the filename of the file to be measured and the first function for obtaining file handle
File handle;
Function name, the file handle of the file to be measured according to the function to be measured and for obtaining function address
Two functions, obtain the initial address of the function to be measured;
The function to be measured is obtained according to the initial address of the function to be measured and the function length of the function to be measured
Code;
The function to be measured is obtained according to the code of the function to be measured and the 3rd function for calculating function hashed value
Hashed value, using the hashed value as the integrity detection result.
The file detecting system that the embodiments of the present invention are provided, the server and movement by the file detecting system is whole
End interaction completes the file detection operation of mobile terminal.Mobile terminal is instructed according to the detection that server sends, and calls ARIXTRA system
Function to be measured in the file to be measured that the system function of system is indicated detection instruction carries out integrity detection, and will be acquired complete
Server is transferred to judge the integrity state of file to be measured after whole property testing result encryption.In time in monitoring mobile terminal
The integrity of DLL for Speed Measurement file, it is to avoid file affects normally using for application after being changed, it is ensured that mobile terminal application
Safety and legitimacy.The specific implementation process of file detecting system provided in an embodiment of the present invention refers to file detection side
The concrete real-time process of method, this is no longer going to repeat them.
The preferred embodiments of the present invention are these are only, the restriction present invention is not used in, for those skilled in the art
For, there can be various modifications and variations.All any modifications within the spirit and principles in the present invention, made, equivalent,
Improve etc., should be included within the scope of the present invention.
Claims (10)
1. a kind of file test method, it is characterised in that mobile terminal is applied to, for detecting Android system in mobile terminal
DLL for Speed Measurement file, methods described includes:
The detection instruction that server sends is obtained, wherein, the detection instruction includes the filename of file to be measured, the text to be measured
The function name and function length of the function to be measured in part, the file to be measured is the file in the DLL for Speed Measurement file;
The function name and function length of the function to be measured in filename, the file to be measured according to the file to be measured, obtains
The integrity detection result of the file to be measured;
The integrity detection result is sent to the server, so that the server judges the complete of the file to be measured
Whether property is normal.
2. method according to claim 1, it is characterised in that the filename, the text to be measured according to the file to be measured
The step of function name and function length of the function to be measured in part, integrity detection result for obtaining the file to be measured, includes:
The text of the file to be measured is obtained according to the filename of the file to be measured and the first function for obtaining file handle
Part handle;
Function name, the file handle of the file to be measured according to the function to be measured and the second letter for obtaining function address
Number, obtains the initial address of the function to be measured;
The code of the function to be measured is obtained according to the initial address of the function to be measured and the function length of the function to be measured;
Dissipating for the function to be measured is obtained according to the code of the function to be measured and the 3rd function for calculating function hashed value
Train value, using the hashed value as the integrity detection result.
3. method according to claim 2, it is characterised in that the first function is dlopen functions, second letter
Number is dlsym functions, and the 3rd function is MD5 functions.
4. method according to claim 1, it is characterised in that the integrity detection result is sent to the service
Device, so that the server judges the whether normal step of the integrity of the file to be measured according to the integrity detection result
Including:
Send to the server after the integrity detection result is encrypted so that the server by encryption after it is complete
The decryption of whole property testing result, and according to decryption after the integrity detection result judge the integrity of the file to be measured whether
Normally.
5. a kind of file test method, it is characterised in that be applied to file detecting system, the file detecting system includes movement
Terminal and server, for detecting the DLL for Speed Measurement file of the Android system on the mobile terminal, methods described includes:
The server sends detection instruction to mobile terminal, wherein, the detection instruction includes filename, the institute of file to be measured
The function name and function length of function to be measured in file to be measured are stated, the file to be measured is the text in the DLL for Speed Measurement file
Part;
The function name and letter of to be measured function of the mobile terminal in filename, the file to be measured of the file to be measured
Number length, obtains the integrity detection result of the file to be measured;
The server judges whether the integrity of the file to be measured is normal according to the integrity detection result.
6. method according to claim 5, it is characterised in that file of the mobile terminal according to the file to be measured
The function name and function length of the function to be measured in name, the file to be measured, obtains the integrity detection knot of the file to be measured
The step of fruit, includes:
The mobile terminal is according to the filename of the file to be measured and the first function for obtaining file handle are obtained
The file handle of file to be measured;
The mobile terminal is according to the function name of the function to be measured, the file handle of the file to be measured and for obtaining function
The second function of address, obtains the initial address of the function to be measured;
The mobile terminal is treated according to the initial address of the function to be measured and the function length of the function to be measured are obtained
Survey the code of function;
The mobile terminal is according to the code of the function to be measured and the 3rd function for calculating function hashed value are obtained
The hashed value of function to be measured, using the hashed value as the integrity detection result.
7. method according to claim 5, it is characterised in that the server sends detection instruction to the mobile terminal
The step of before, methods described also includes:
The server generates the configuration file of the correspondence file to be measured, and the configuration file includes the text of the file to be measured
The function name of the function to be measured in part name, the file to be measured, function length and the integrity for judging the file to be measured
Whether normal standard testing result.
8. a kind of file detection means, it is characterised in that mobile terminal is applied to, for detecting Android system in mobile terminal
DLL for Speed Measurement file, the file detection means includes:
Detection instruction acquisition module, for obtaining the detection instruction of server transmission, wherein, the detection instruction includes text to be measured
The function name and function length of the function to be measured in the filename of part, the file to be measured, the file to be measured is the dynamic
File in chain library file;
Testing result acquisition module, for the function to be measured in the filename of the file to be measured, the file to be measured
Function name and function length, obtain the integrity detection result of the file to be measured;
Testing result sending module, for the integrity detection result to be sent to the server, so that the server
Judge whether the integrity of the file to be measured is normal.
9. a kind of file detecting system, it is characterised in that including server and mobile terminal, for detecting the mobile terminal
Android system DLL for Speed Measurement file;
The server is used to send detection instruction to mobile terminal, wherein, the detection instruction includes the file of file to be measured
The function name and function length of the function to be measured in name, the file to be measured, the file to be measured is the DLL for Speed Measurement file
In file;
The function name of the function to be measured that the mobile terminal is used in filename, the file to be measured of the file to be measured
And function length, obtain the integrity detection result of the file to be measured;
The server is used for according to the integrity detection result, judges whether the integrity of the file to be measured is normal.
10. system according to claim 9, it is characterised in that the mobile terminal specifically for:
The text of the file to be measured is obtained according to the filename of the file to be measured and the first function for obtaining file handle
Part handle;
Function name, the file handle of the file to be measured according to the function to be measured and the second letter for obtaining function address
Number, obtains the initial address of the function to be measured;
The code of the function to be measured is obtained according to the initial address of the function to be measured and the function length of the function to be measured;
Dissipating for the function to be measured is obtained according to the code of the function to be measured and the 3rd function for calculating function hashed value
Train value, using the hashed value as the integrity detection result.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611197029.9A CN106599730B (en) | 2016-12-20 | 2016-12-20 | File test method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611197029.9A CN106599730B (en) | 2016-12-20 | 2016-12-20 | File test method, device and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106599730A true CN106599730A (en) | 2017-04-26 |
CN106599730B CN106599730B (en) | 2019-08-02 |
Family
ID=58602178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611197029.9A Active CN106599730B (en) | 2016-12-20 | 2016-12-20 | File test method, device and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106599730B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103944757A (en) * | 2014-04-11 | 2014-07-23 | 珠海市君天电子科技有限公司 | Network anomaly detecting method and device |
CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
CN104751048A (en) * | 2015-01-29 | 2015-07-01 | 中国科学院信息工程研究所 | Dynamic link library integrity measuring method under perlink mechanism |
CN105447349A (en) * | 2015-11-20 | 2016-03-30 | 珠海多玩信息技术有限公司 | Method and device for protecting derived symbol in so file |
US9489220B1 (en) * | 2012-11-26 | 2016-11-08 | Parallels IP Holdings GmbH | Displaying guest operating system statistics in host task manager |
-
2016
- 2016-12-20 CN CN201611197029.9A patent/CN106599730B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9489220B1 (en) * | 2012-11-26 | 2016-11-08 | Parallels IP Holdings GmbH | Displaying guest operating system statistics in host task manager |
CN103944757A (en) * | 2014-04-11 | 2014-07-23 | 珠海市君天电子科技有限公司 | Network anomaly detecting method and device |
CN104751048A (en) * | 2015-01-29 | 2015-07-01 | 中国科学院信息工程研究所 | Dynamic link library integrity measuring method under perlink mechanism |
CN104679561A (en) * | 2015-02-15 | 2015-06-03 | 福建天晴数码有限公司 | Dynamic link library file loading method and dynamic link library file loading system |
CN105447349A (en) * | 2015-11-20 | 2016-03-30 | 珠海多玩信息技术有限公司 | Method and device for protecting derived symbol in so file |
Also Published As
Publication number | Publication date |
---|---|
CN106599730B (en) | 2019-08-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101471589B1 (en) | Method for Providing Security for Common Intermediate Language Program | |
JP6257754B2 (en) | Data protection | |
US9268945B2 (en) | Detection of vulnerabilities in computer systems | |
KR101214893B1 (en) | Apparatus and method for detecting similarity amongf applications | |
CN106055341A (en) | Application installation package checking method and device | |
CN105320535B (en) | A kind of method of calibration of installation kit, client, server and system | |
Barua et al. | Server side detection of content sniffing attacks | |
CN109284585B (en) | Script encryption method, script decryption operation method and related device | |
US11347865B2 (en) | Determining security risks in binary software code | |
CN108229112A (en) | A kind of operation method and device for protecting application program, application program | |
CN113342639A (en) | Applet security risk assessment method and electronic device | |
KR101472346B1 (en) | Method for providing encrypted web application, terminal supporting the same, and recording medium thereof | |
CN106897587A (en) | The method and apparatus of reinforcement application, loading reinforcement application | |
Lim et al. | Structural analysis of packing schemes for extracting hidden codes in mobile malware | |
CN113312577A (en) | Webpage resource processing method and device, electronic equipment and storage medium | |
CN112416395A (en) | Hot repair updating method and device | |
CN106599730A (en) | File detection method, apparatus and system | |
CN115828228A (en) | Method and device for verifying detection capability of memory horse and electronic equipment | |
CN109165512A (en) | A kind of the intention agreement URL leak detection method and device of application program | |
CN111610990A (en) | Method, device and related system for upgrading application program | |
KR20200066778A (en) | Code coverage measuring apparatus, code coverage measuring method of the code coverage mearusing apparatus, and code coverage measuring system | |
CN115238249A (en) | Application code obfuscation method, apparatus, device and medium | |
CN112631654A (en) | Program linkage method and system based on evidence obtaining platform | |
CN112182617A (en) | Processing method, device and system for interface request | |
CN109492392B (en) | Detection method and system of kernel function |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20231110 Address after: Room 606-609, Compound Office Complex Building, No. 757, Dongfeng East Road, Yuexiu District, Guangzhou, Guangdong Province, 510699 Patentee after: China Southern Power Grid Internet Service Co.,Ltd. Address before: 430000 East Lake Development Zone, Wuhan City, Hubei Province, No. 1 Software Park East Road 4.1 Phase B1 Building 11 Building Patentee before: WUHAN DOUYU NETWORK TECHNOLOGY Co.,Ltd. |