CN107330329A - The authentication method and device of application file - Google Patents
- Publication number: CN107330329A; CN201710531796.7A
- Authority: CN (China)
- Legal status: Pending
Classifications
- G06F21/562: Computer malware detection or handling, e.g. anti-virus arrangements; static detection
- G06F21/566: Computer malware detection or handling, e.g. anti-virus arrangements; dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- G06F2221/033: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; test or assess software
Abstract
The invention discloses an identification method and device for application files. The method includes: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result. The invention solves the technical problem that the related art has no method for identifying application files, and improves the user experience.
Description
Technical field
The present invention relates to the field of computer networks, and in particular to an identification method and device for application files.
Background
In the related art, whether an application file carries a security risk is generally discovered only after the risk has already caused a certain degree of damage. This delayed discovery of security risks in application files, on the one hand, poses a potential threat to computers, mobile phones and other terminals: for example, it may lead to direct destruction of computer data, occupy a large amount of disk space, seize system resources and slow the computer down. On the other hand, it can also cause serious psychological pressure for the user.
No effective solution has yet been proposed for the problem that the related art has no method for identifying application files.
Summary of the invention
The embodiments of the invention provide an identification method and device for application files, to at least solve the technical problem that the related art has no method for identifying application files.
According to one aspect of the embodiments of the invention, an identification method for application files is provided, applied to a personal computer (PC) device, including: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
Optionally, identifying the application file according to the determined identification type to obtain an identification result includes: when the determined identification type is static identification, obtaining the file information of the application file; and, according to the obtained file information, generating a static identification report for the scenario in which the application file is not run.
Optionally, generating the static identification report for the scenario in which the application file is not run, according to the obtained file information, includes at least one of the following: determining the basic information and key information of the application file according to the obtained file information, where the basic information includes at least one of: file type information identifying the file type of the application file, packer type information for the packer type used to package the application file, and the compiler type used to compile the application file, and the key information is threat influence information identifying the threat level at which the application file is affected by virus threats; and generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Optionally, generating the static identification report for the scenario in which the application file is not run, according to the basic information and the key information, includes: when the application file is a Portable Executable (PE) file, obtaining the PE header information of the PE file and generating the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the Disk Operating System (DOS) header information and the file header information of the application file; determining the resource information of the runtime resources needed when the file corresponding to the application file runs, and generating the static identification report according to the basic information, the key information and the resource information; determining the function information of the functions that need to be called when the file corresponding to the application file runs, and generating the static identification report according to the basic information, the key information and the function information; and obtaining the section information of the sections of the application file and the string resource information of the string resources corresponding to the application file, and generating the static identification report according to the basic information, the key information, the section information and the string resource information.
Optionally, identifying the application file according to the determined identification type to obtain an identification result includes: when the determined identification type is dynamic identification, obtaining the runtime behavior information of the application file while it is run; and, according to the obtained runtime behavior information, generating a dynamic identification report for the scenario in which the application file is run.
Optionally, generating the dynamic identification report for the scenario in which the application file is run, according to the obtained runtime behavior information, includes at least one of the following: obtaining the window size of the window shown when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size; determining the destructive behavior by which the application corresponding to the application file damages system software or hardware when it is run, and generating a dynamic identification report that includes the destructive behavior; determining the threat entries in the registry that threaten the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threat entries; determining the file derivation relationship, used to identify the files generated by a file, that threatens the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the file derivation relationship; obtaining the network access record of the network accesses made when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access record; and obtaining the screenshot record, which records the screenshots captured while the application corresponding to the application file is run, and generating a dynamic identification report that includes the screenshot record.
According to another aspect of the embodiments of the invention, an identification device for application files is also provided, applied to a personal computer (PC) device, including: a determining unit, configured to determine the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and an identification unit, configured to identify the application file according to the determined identification type to obtain an identification result.
Optionally, the identification unit includes: a first obtaining subunit, configured to obtain the file information of the application file when the determined identification type is static identification; and a first generation subunit, configured to generate, according to the obtained file information, a static identification report for the scenario in which the application file is not run.
Optionally, the first generation subunit includes at least one of the following: a determining module, configured to determine the basic information and key information of the application file according to the obtained file information, where the basic information includes at least one of: file type information identifying the file type of the application file, packer type information for the packer type used to package the application file, and the compiler type used to compile the application file, and the key information is threat influence information identifying the threat level at which the application file is affected by virus threats; and a first generation module, configured to generate, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Optionally, the first generation module includes: a first generation submodule, configured to obtain the PE header information of the PE file when the application file is a Portable Executable (PE) file, and to generate the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the Disk Operating System (DOS) header information and the file header information of the application file; a second generation submodule, configured to determine the resource information of the runtime resources needed when the file corresponding to the application file runs, and to generate the static identification report according to the basic information, the key information and the resource information; a third generation submodule, configured to determine the function information of the functions that need to be called when the file corresponding to the application file runs, and to generate the static identification report according to the basic information, the key information and the function information; and a fourth generation submodule, configured to obtain the section information of the sections of the application file and the string resource information of the string resources corresponding to the application file, and to generate the static identification report according to the basic information, the key information, the section information and the string resource information.
Optionally, the identification unit includes: a second obtaining subunit, configured to obtain the runtime behavior information of the application file while it is run when the determined identification type is dynamic identification; and a second generation subunit, configured to generate, according to the obtained runtime behavior information, a dynamic identification report for the scenario in which the application file is run.
Optionally, the second generation subunit includes at least one of the following: a second generation module, configured to obtain the window size of the window shown when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the window size; a third generation module, configured to determine the destructive behavior by which the application corresponding to the application file damages system software or hardware when it is run, and to generate a dynamic identification report that includes the destructive behavior; a fourth generation module, configured to determine the threat entries in the registry that threaten the application file when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the threat entries; a fifth generation module, configured to determine the file derivation relationship, used to identify the files generated by a file, that threatens the application file when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the file derivation relationship; a sixth generation module, configured to obtain the network access record of the network accesses made when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the network access record; and a seventh generation module, configured to obtain the screenshot record, which records the screenshots captured while the application corresponding to the application file is run, and to generate a dynamic identification report that includes the screenshot record.
According to another aspect of the embodiments of the invention, a storage medium is also provided. The storage medium includes a stored program, and when the program runs it controls the device on which the storage medium resides to perform any one of the identification methods for application files described above.
According to another aspect of the embodiments of the invention, a processor is also provided. The processor is used to run a program, and when the program runs it performs any one of the identification methods for application files described above.
According to another aspect of the embodiments of the invention, a terminal is also provided, including: an identification device for application files; and a processor that runs a program, where the program, when run, performs the following processing steps on data output by the identification device for application files: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
According to another aspect of the embodiments of the invention, a terminal is also provided, including: an identification device for application files; and a storage medium for storing a program, where the program, when run, performs the following processing steps on data output by the identification device for application files: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
In the embodiments of the invention, the identification type used to identify an application file is determined and the application file is identified according to the determined identification type. This achieves the purpose of identifying the security of the application file and the technical effect of improving the security of application files, thereby solving the technical problem that the security of application files cannot be identified in the related art, and improving the user experience.
Brief description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flowchart of the identification method for application files according to an embodiment of the invention;
Fig. 2 is a structural block diagram of the identification device for application files according to an embodiment of the invention;
Fig. 3 is a schematic diagram of the identification unit 23 in the identification device for application files according to an embodiment of the invention;
Fig. 4 is a schematic diagram of the first generation subunit 33 in the identification device for application files according to an embodiment of the invention;
Fig. 5 is a schematic diagram of the first generation module 43 in the identification device for application files according to an embodiment of the invention;
Fig. 6 is a preferred schematic diagram of the identification unit 23 in the identification device for application files according to an embodiment of the invention; and
Fig. 7 is a schematic diagram of the second generation subunit 63 in the identification device for application files according to an embodiment of the invention.
Detailed description
To help those skilled in the art better understand the solution of the invention, the technical solutions in the embodiments of the invention are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are obviously only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the invention, without creative work, shall fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, the claims and the drawings above are used to distinguish similar objects, not to describe a specific order or sequence. It should be understood that data used in this way can be interchanged where appropriate, so that the embodiments of the invention described here can be implemented in orders other than those illustrated or described here. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
For ease of description, some of the nouns and terms used in the embodiments of the invention are explained below:
Message-Digest Algorithm 5 (MD5): one of the hashing algorithms widely used in computing, also known as a digest algorithm or hash algorithm.
Portable Executable (PE): a portable executable body. Common EXE, DLL, OCX, SYS and COM files are PE files; PE files are the program files of the Microsoft Windows operating system.
Disk Operating System (DOS): system software that is mainly disk-oriented.
Encapsulation: combining the data and behavior (or functions) obtained by abstraction into an organic whole, that is, organically combining data with the source code that operates on the data to form a "class", in which both the data and the functions are members of the class. It also refers to a processing approach in which, to carry complex data, the data structure being transmitted is mapped into another data structure.
Packing: compression of an executable program's resources, a common means of protecting files. A packed program can be run directly, but its source code cannot be viewed; the source code can only be viewed after unpacking.
Decompilation: generally refers to reverse compilation, also called computer software reverse engineering. It means performing "reverse analysis and research" on the target program of someone else's software to derive the design elements used in that software product, such as its ideas, principles, structure, algorithms, processing and operating methods; in some particular cases the source code may be derived.
According to an embodiment of the invention, a method embodiment of an identification method for application files is provided. It should be noted that the steps shown in the flowchart of the drawings can be executed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is shown in the flowchart, in some cases the steps shown or described can be executed in an order different from the one given here.
According to one aspect of the embodiments of the invention, an identification method for application files is provided, applied to a personal computer (PC) device. Fig. 1 is a flowchart of the identification method for application files according to an embodiment of the invention. As shown in Fig. 1, the identification method for application files includes the following steps:
Step S102: determine the identification type used to identify the application file, where the identification type includes dynamic identification and static identification.
Step S104: identify the application file according to the determined identification type to obtain an identification result.
Through the above steps, the identification type used to identify an application file is determined and the application file is identified according to the determined identification type. This achieves the purpose of identifying the security of the application file and the technical effect of improving the security of application files, thereby solving the technical problem that the security of application files cannot be identified in the related art, and improving the user experience.
Thus, in steps S102 to S104 above, after the identification type of the application file is determined, the application file is identified according to the determined identification type. The identification types provided in the embodiments of the invention may include dynamic identification and static identification. These identification types are described in detail below with reference to specific application scenarios.
When the application file is in a scenario in which it is not run, it can be identified using the static identification method. Identifying the application file according to the determined identification type to obtain an identification result can therefore be implemented in several ways, for example: when the determined identification type is static identification, obtaining the file information of the application file; and, according to the obtained file information, generating a static identification report for the scenario in which the application file is not run. The static identification report is formed by deploying the file itself in a specific static system and reading its internal information.
Generating the static identification report for the scenario in which the application file is not run, according to the obtained file information, may include at least one of the following: determining the basic information and key information of the application file according to the obtained file information, where the basic information may include at least one of: file type information identifying the file type of the application file (for example pdf, picture, audio/video, mail and other types), packer type information for the packer type used to package the application file, and the compiler type used to compile the application file, and the key information is threat influence information identifying the threat level at which the application file is affected by virus threats; and generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run. It should be noted that, when static identification is performed on the application file, the file information obtained for the application file may be of several kinds, for example a report header, basic information and key information.
The report header may include:
① Program icon;
② Identification result: the virus name, or "secure file", "unknown threat", "no abnormality seen" and so on, is shown here;
③ Threat level: the assessed threat level of the file, out of a total of 5 stars; 5 stars is the highest threat level and indicates a high-risk file;
④ File source: the IP address that uploaded the file;
⑤ The date on which the file was first uploaded.
The basic information may include:
① File type: pdf, picture, audio/video, mail and other types;
② Packer type: so that they are not easily debugged or discovered, some threatening files wrap themselves in various kinds of encapsulation;
③ Compiler type: which compiler the file was compiled with;
④ File size;
⑤ Hardware platform;
⑥ Version information.
The key information may include:
① Resource anomalies, for example whether the resources include exe, dll and sys files;
② PE key information, for example the import table, digital signature, code section compression and window resources.
Building on the above embodiment, after the basic information and key information of the application file are determined according to the obtained file information, generating the static identification report for the scenario in which the application file is not run, according to the basic information and the key information, may also include the following. When the application file is a Portable Executable (PE) file, the PE header information of the PE file is obtained and the static identification report is generated according to the basic information, the key information and the PE header information, where the PE header information may include the Disk Operating System (DOS) header information and the file header information of the application file. Specifically, the DOS header information may include the name of the DOS header and the value of the DOS header; the file header information of the application file may include the name of the file header of the application file and the value of the file header. The resource information of the runtime resources needed when the file corresponding to the application file runs is determined, and the static identification report is generated according to the basic information, the key information and the resource information. The function information of the functions that need to be called when the file corresponding to the application file runs is determined, and the static identification report is generated according to the basic information, the key information and the function information. The section information of the sections of the application file and the string resource information of the string resources corresponding to the application file are obtained, and the static identification report is generated according to the basic information, the key information, the section information and the string resource information. It should be noted that the section information may cover multiple sections, and each section may include: the name of the application file, the virtual address of the application file, a pointer to the raw data of the application file, and so on.
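As an added illustration (not code from the patent), the sketch below assembles the PE part of such a static identification report: DOS header, file header, section table with each section's virtual address and raw-data pointer, and the printable strings in each section. The function names, report field names, the use of MD5 as a file identifier, the UPX section-name check for the packer type and the constructed sample image are all assumptions; resources and imported functions are not parsed.

```python
import hashlib
import re
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}          # IMAGE_FILE_MACHINE_I386 / _AMD64
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX"}   # section names the UPX packer leaves (heuristic)
IMAGE_FILE_DLL = 0x2000
PRINTABLE = re.compile(rb"[\x20-\x7e]{5,}")        # ASCII runs of 5+ characters


def parse_pe(data: bytes) -> dict:
    """Read the DOS header, the file (COFF) header and the section table."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or PE signature")
    machine, count, stamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size               # section table follows the optional header
    if table + 40 * count > len(data):
        raise ValueError("truncated section table")
    sections = []
    for i in range(count):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]              # slicing clamps out-of-range pointers
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "pointer_to_raw_data": rptr,
            "size_of_raw_data": rsize,
            "strings": [s.decode("ascii") for s in PRINTABLE.findall(raw)],
        })
    return {
        "dos_header": {"e_magic": "MZ", "e_lfanew": e_lfanew},
        "file_header": {"machine": MACHINES.get(machine, hex(machine)),
                        "number_of_sections": count,
                        "time_date_stamp": stamp,
                        "characteristics": flags},
        "sections": sections,
    }


def static_report(data: bytes) -> dict:
    """Combine basic information with the PE details into one report dict."""
    # MD5 serves only as a file identifier here (assumed use of the digest).
    report = {"md5": hashlib.md5(data).hexdigest(), "file_size": len(data)}
    try:
        pe = parse_pe(data)
    except ValueError as exc:                      # not a PE: report what is known
        report.update(file_type="unknown", error=str(exc))
        return report
    is_dll = bool(pe["file_header"]["characteristics"] & IMAGE_FILE_DLL)
    packers = sorted({PACKER_SECTIONS[s["name"]] for s in pe["sections"]
                      if s["name"] in PACKER_SECTIONS})
    report.update(file_type="PE (DLL)" if is_dll else "PE (EXE)",
                  packer_type=", ".join(packers) or "none detected", **pe)
    return report


def build_sample_pe(names=(b".text", b".rdata")) -> bytes:
    """Constructed two-section PE-like image for the demo; not a real program."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
    payload = [b"\x90" * 16, b"kernel32.dll\0http://example.invalid/update\0"]
    raw_ptr = 64 + 4 + 20 + 40 * 2                 # raw data follows the section table
    table = b""
    for i, (name, body) in enumerate(zip(names, payload)):
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1),
                             len(body), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += len(body)
    return bytes(dos) + b"PE\0\0" + coff + table + b"".join(payload)


if __name__ == "__main__":
    import json
    print(json.dumps(static_report(build_sample_pe()), indent=2))
```

Because nothing is executed, the same parser runs on any platform, which matches the cross-platform property the description attributes to static identification.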
In another aspect, when the corresponding file is identified using the dynamic identification method, identifying the application file according to the determined identification type to obtain an identification result may also include: when the determined identification type is dynamic identification, obtaining the runtime behavior information of the application file while it is run; and, according to the obtained runtime behavior information, generating a dynamic identification report for the scenario in which the application file is run. The dynamic identification report is formed by running the file in various independent back-end systems, recording the behavior log of the run, and then performing a series of analyses.
The generated dynamic identification report may also include the basic information of the application file that is included in the static report, for example the file name of the application file, the file type of the application file and the detection time of the application file. The report header of the application file may include the report header included in the static report, for example:
① Program icon;
② Identification result: the virus name, or "secure file", "unknown threat", "no abnormality seen" and so on, is shown here;
③ Threat level: the assessed threat level of the file, out of a total of 5 stars; 5 stars is the highest threat level and indicates a high-risk file;
④ File source: the IP address that uploaded the file;
⑤ The date on which the file was first uploaded.
Key attributes:
① Resource anomalies, for example whether the resources include exe, dll and sys files;
② PE key information, for example the import table, digital signature, code section compression and window resources.
It should be noted that the runtime behavior information obtained while the application file is run may be of several kinds, for example:
Permission list information: the permission list may contain a variety of permissions, for example whether access to the network is allowed, whether access to the download manager is supported (ACCESS_DOWNLOAD_MANAGER), whether obtaining task information is allowed, whether obtaining the network state is allowed, whether obtaining the WiFi state is allowed, whether obtaining the precise location is allowed, whether showing system windows is allowed, whether recording audio is allowed, whether using vibration is allowed, whether reading external storage is allowed (READ_EXTERNAL_STORAGE), whether obtaining the coarse location is allowed, whether the wake lock is allowed, whether access to extra location commands is allowed, whether writing to external storage is allowed, and so on.
Application file monitoring may include: operations on the application file (for example, reads and writes), the file size of the application file and the path of the application file.
Other behavior monitoring may include: the behavior description of the application file, additional information about the application file, and so on.
In another aspect of the embodiment of the present invention, generating, according to the obtained runtime behavior information, the dynamic identification report for the scenario in which the application file is run can include at least one of the following: obtaining the window size of the window when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size; determining the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and generating a dynamic identification report that includes the destructive behavior; determining the threat entries in the registry that threaten the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threat entries; determining the file secondary relationship, which identifies files generated by files and which threatens the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the file secondary relationship; obtaining the network access record of accesses made to the network when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access record; obtaining the picture-capture record, which records how pictures are captured when the application corresponding to the application file is run, and generating a dynamic identification report that includes the picture-capture record.
It should be noted that dynamic identification reports and static identification reports inherently differ. A static identification report consists of information obtained while the file is not running, so a static identification environment can be deployed cross-platform on a variety of systems. Dynamic identification can obtain the corresponding information only once the file is actually run, so its running environment is usually a specified system and in many cases cannot run cross-platform.
This embodiment additionally provides a device embodiment of an identification device for application files, where the identification device is applied to personal computer (PC) devices. The device is used to implement the above embodiments and preferred embodiments, and what has already been explained is not repeated. As used below, the term "unit" may be a combination of software and/or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a structural block diagram of the identification device for application files according to an embodiment of the present invention. As shown in Fig. 2, the identification device includes a determining unit 21 and an identification unit 23. The device is described below.
Determining unit 21, configured to determine the identification type used to identify the application file, where the identification type includes dynamic identification and static identification.
Identification unit 23, connected to the determining unit 21 and configured to identify the application file according to the determined identification type and obtain an identification result.
In the identification device for application files provided by the embodiment of the present invention, the determining unit 21 determines the identification type used to identify the application file, where the identification type includes dynamic identification and static identification, and the identification unit 23, connected to the determining unit 21, identifies the application file according to the determined identification type and obtains an identification result. This achieves the purpose of identifying the security of the application file, realizes the technical effect of improving the security of the application file, and thereby solves the technical problem in the related art that the security of an application file cannot be identified, improving the user experience.
Fig. 3 is a schematic diagram of the identification unit 23 in the identification device for application files according to an embodiment of the present invention. As shown in Fig. 3, the identification unit 23 includes a first obtaining subunit 31 and a first generation subunit 33. The identification unit 23 is described in detail below.
First obtaining subunit 31, configured to obtain the file information of the application file when the determined identification type is static identification.
First generation subunit 33, connected to the first obtaining subunit 31 and configured to generate, according to the obtained file information, the static identification report for the scenario in which the application file is not run.
Fig. 4 is a schematic diagram of the first generation subunit 33 in the identification device for application files according to an embodiment of the present invention. As shown in Fig. 4, the first generation subunit 33 includes at least one of the following: a determining module 41 and a first generation module 43. The first generation subunit 33 is described in detail below.
Determining module 41, configured to determine the basic information and the key information of the application file according to the obtained file information, where the basic information includes at least one of the following: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file; the key information is threat influence information that identifies what affects the threat level of the application file with respect to virus threats. First generation module 43, connected to the determining module 41 and configured to generate, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Fig. 5 is a schematic diagram of the first generation module 43 in the identification device for application files according to an embodiment of the present invention. As shown in Fig. 5, the first generation module 43 includes a first generation submodule 51, a second generation submodule 53, a third generation submodule 55 and a fourth generation submodule 57. The first generation module 43 is described in detail below.
First generation submodule 51, configured to, when the application file is a Portable Executable (PE) file, obtain the PE header information of the PE file and generate the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header and the file header information of the application file.
Second generation submodule 53, configured to determine resource information about the runtime resources that the file corresponding to the application file needs when it runs, and generate the static identification report according to the basic information, the key information and the resource information.
Third generation submodule 55, configured to determine function information about the functions that the file corresponding to the application file needs to call when it runs, and generate the static identification report according to the basic information, the key information and the function information.
Fourth generation submodule 57, configured to obtain section information about the sections of the application file and string resource information about the string resources corresponding to the application file, and generate the static identification report according to the basic information, the key information, the section information and the string resource information.
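The static identification flow described above for a PE file (DOS header, file header, section information, packer type and file type), sketched as an added Python example that is not code from the patent. The UPX section-name lookup, the entropy threshold of 7.0 used as a hint for code-section compression, the report layout and the inline sample file are assumptions constructed for this example.

```python
import math
import struct

# Assumptions of this example (not from the patent): packer lookup by the
# section names UPX leaves behind, and entropy > 7.0 as a compression hint.
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX"}
ENTROPY_THRESHOLD = 7.0
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics: file is a DLL
SCN_MEM_EXECUTE = 0x20000000       # section Characteristics flags
SCN_MEM_WRITE = 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for an empty section."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def static_report(blob: bytes) -> dict:
    """Build a static report from the headers only; the file is never run."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing DOS header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]   # offset of "PE\0\0"
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature or e_lfanew out of range")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)                  # 20-byte file header
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", blob, opt_off)[0] if (
        opt_size >= 2 and opt_off + 2 <= len(blob)) else 0
    report = {
        "basic": {"file_type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
                  "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
                  "packer": None},
        "pe_header": {"e_lfanew": e_lfanew, "machine": hex(machine),
                      "sections": nsect, "timestamp": stamp},
        "sections": [],
        "key_info": [],
    }
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i                # 40-byte section entries
        if off + 40 > len(blob):
            report["key_info"].append("section table truncated")
            break
        raw_name, _, _, rsize, rptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        h = round(entropy(blob[rptr:rptr + rsize]), 2)
        report["sections"].append({"name": name, "raw_size": rsize, "entropy": h})
        if name in PACKER_SECTIONS:
            report["basic"]["packer"] = PACKER_SECTIONS[name]
        if schars & SCN_MEM_EXECUTE and schars & SCN_MEM_WRITE:
            report["key_info"].append(f"{name}: writable and executable")
        if h > ENTROPY_THRESHOLD:
            report["key_info"].append(f"{name}: entropy {h}, likely compressed")
    return report


def build_sample_pe() -> bytes:
    """Constructed sample: headers of a 32-bit DLL with UPX-style sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)     # zero-filled PE32 header
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0,
                       0, 0, 0, 0, 0xE0000080)           # no raw data on disk
    upx1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, 0x200, 0x200,
                       0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + upx0 + upx1
    # Uniformly distributed bytes stand in for compressed section data.
    return headers.ljust(0x200, b"\0") + bytes(range(256)) * 2


if __name__ == "__main__":
    import json
    print(json.dumps(static_report(build_sample_pe()), indent=2))
```

Because the report is built from header bytes alone, the same code runs on any platform, which is the cross-platform property the description attributes to static identification.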
Fig. 6 is a preferred schematic diagram of the identification unit 23 in the identification device for application files according to an embodiment of the present invention. As shown in Fig. 6, the identification unit 23 includes:
Second obtaining subunit 61, configured to obtain, when the determined identification type is dynamic identification, the runtime behavior information produced when the application file is run.
Second generation subunit 63, connected to the second obtaining subunit 61 and configured to generate, according to the obtained runtime behavior information, the dynamic identification report for the scenario in which the application file is run.
Fig. 7 is a schematic diagram of the second generation subunit 63 in the identification device for application files according to an embodiment of the present invention. As shown in Fig. 7, the second generation subunit 63 includes at least one of the following:
Second generation module 71, configured to obtain the window size of the window when the application corresponding to the application file is run, and generate a dynamic identification report that includes the window size.
Third generation module 72, configured to determine the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and generate a dynamic identification report that includes the destructive behavior.
Fourth generation module 73, configured to determine the threat entries in the registry that threaten the application file when the application corresponding to the application file is run, and generate a dynamic identification report that includes the threat entries.
Fifth generation module 74, configured to determine the file secondary relationship, which identifies files generated by files and which threatens the application file when the application corresponding to the application file is run, and generate a dynamic identification report that includes the file secondary relationship.
Sixth generation module 75, configured to obtain the network access record of accesses made to the network when the application corresponding to the application file is run, and generate a dynamic identification report that includes the network access record.
Seventh generation module 76, configured to obtain the picture-capture record, which records how pictures are captured when the application corresponding to the application file is run, and generate a dynamic identification report that includes the picture-capture record.
According to another aspect of the embodiments of the present invention, a storage medium is further provided. The storage medium includes a stored program, where, when the program runs, the device on which the storage medium resides is controlled to perform the identification method for application files of any one of the above.
According to another aspect of the embodiments of the present invention, a processor is further provided. The processor is used to run a program, where the identification method for application files of any one of the above is performed when the program runs.
According to another aspect of the embodiments of the present invention, a terminal is further provided, including: an identification device for application files; and a processor that runs a program, where, when the program runs, the following processing steps are performed on the data output from the identification device for application files: determining the identification type used to identify the application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
According to another aspect of the embodiments of the present invention, a terminal is further provided, including: an identification device for application files; and a storage medium for storing a program, where, when the program runs, the following processing steps are performed on the data output from the identification device for application files: determining the identification type used to identify the application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
The above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For a part that is not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are only illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection of units or modules through some interfaces, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units; that is, they may be located in one place or distributed over multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes various media that can store program code, such as a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention. It should be noted that a person of ordinary skill in the art may make several improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.
Claims (10)
1. A method for identifying an application file, characterized in that it is applied to personal computer (PC) devices and includes:
determining the identification type used to identify the application file, where the identification type includes dynamic identification and static identification;
identifying the application file according to the determined identification type to obtain an identification result.
2. The method according to claim 1, characterized in that identifying the application file according to the determined identification type to obtain the identification result includes:
obtaining the file information of the application file when the determined identification type is static identification;
generating, according to the obtained file information, the static identification report for the scenario in which the application file is not run.
3. The method according to claim 2, characterized in that generating, according to the obtained file information, the static identification report for the scenario in which the application file is not run includes at least one of the following:
determining the basic information and the key information of the application file according to the obtained file information, where the basic information includes at least one of the following: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file, and the key information is threat influence information that identifies what affects the threat level of the application file with respect to virus threats;
generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
4. The method according to claim 3, characterized in that generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run includes:
when the application file is a Portable Executable (PE) file, obtaining the PE header information of the PE file and generating the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header and the file header information of the application file;
determining resource information about the runtime resources that the file corresponding to the application file needs when it runs, and generating the static identification report according to the basic information, the key information and the resource information;
determining function information about the functions that the file corresponding to the application file needs to call when it runs, and generating the static identification report according to the basic information, the key information and the function information;
obtaining section information about the sections of the application file and string resource information about the string resources corresponding to the application file, and generating the static identification report according to the basic information, the key information, the section information and the string resource information.
5. The method according to claim 1, characterized in that identifying the application file according to the determined identification type to obtain the identification result includes:
obtaining, when the determined identification type is dynamic identification, the runtime behavior information produced when the application file is run;
generating, according to the obtained runtime behavior information, the dynamic identification report for the scenario in which the application file is run.
6. The method according to claim 5, characterized in that generating, according to the obtained runtime behavior information, the dynamic identification report for the scenario in which the application file is run includes at least one of the following:
obtaining the window size of the window when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size;
determining the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and generating a dynamic identification report that includes the destructive behavior;
determining the threat entries in the registry that threaten the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threat entries;
determining the file secondary relationship, which identifies files generated by files and which threatens the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the file secondary relationship;
obtaining the network access record of accesses made to the network when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access record;
obtaining the picture-capture record, which records how pictures are captured when the application corresponding to the application file is run, and generating a dynamic identification report that includes the picture-capture record.
7. An identification device for an application file, characterized in that it is applied to personal computer (PC) devices and includes:
a determining unit, configured to determine the identification type used to identify the application file, where the identification type includes dynamic identification and static identification;
an identification unit, configured to identify the application file according to the determined identification type and obtain an identification result.
8. The device according to claim 7, characterized in that the identification unit includes:
a first obtaining subunit, configured to obtain the file information of the application file when the determined identification type is static identification;
a first generation subunit, configured to generate, according to the obtained file information, the static identification report for the scenario in which the application file is not run.
9. The device according to claim 8, characterized in that the first generation subunit includes at least one of the following:
a determining module, configured to determine the basic information and the key information of the application file according to the obtained file information, where the basic information includes at least one of the following: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file, and the key information is threat influence information that identifies what affects the threat level of the application file with respect to virus threats;
a first generation module, configured to generate, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
10. The device according to claim 9, characterized in that the first generation module includes:
a first generation submodule, configured to, when the application file is a Portable Executable (PE) file, obtain the PE header information of the PE file and generate the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header and the file header information of the application file;
a second generation submodule, configured to determine resource information about the runtime resources that the file corresponding to the application file needs when it runs, and generate the static identification report according to the basic information, the key information and the resource information;
a third generation submodule, configured to determine function information about the functions that the file corresponding to the application file needs to call when it runs, and generate the static identification report according to the basic information, the key information and the function information;
a fourth generation submodule, configured to obtain section information about the sections of the application file and string resource information about the string resources corresponding to the application file, and generate the static identification report according to the basic information, the key information, the section information and the string resource information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710531796.7A CN107330329A (en) | 2017-06-30 | 2017-06-30 | The authentication method and device of application file |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107330329A true CN107330329A (en) | 2017-11-07 |
Family
ID=60198723
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710531796.7A Pending CN107330329A (en) | 2017-06-30 | 2017-06-30 | The authentication method and device of application file |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107330329A (en) |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101329711A (en) * | 2008-07-24 | 2008-12-24 | 成都市华为赛门铁克科技有限公司 | Method and apparatus for detecting computer file |
CN102024112A (en) * | 2010-12-17 | 2011-04-20 | 四川大学 | PE (portable executable) file pack detection method based on static characteristics |
CN102930206A (en) * | 2011-08-09 | 2013-02-13 | 腾讯科技(深圳)有限公司 | Cluster partitioning processing method and cluster partitioning processing device for virus files |
CN102930210A (en) * | 2012-10-14 | 2013-02-13 | 江苏金陵科技集团公司 | System and method for automatically analyzing, detecting and classifying malicious program behavior |
CN104123501A (en) * | 2014-08-06 | 2014-10-29 | 厦门大学 | Online virus detection method based on assembly of multiple detectors |
CN104200155A (en) * | 2014-08-12 | 2014-12-10 | 中国科学院信息工程研究所 | Monitoring device and method for protecting user privacy based on iPhone operating system (iOS) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20171107 |