CN107330329A - The authentication method and device of application file - Google Patents


Info

Publication number
CN107330329A
Authority
CN
China
Prior art keywords
application file
file
information
generation
application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710531796.7A
Other languages
Chinese (zh)
Inventor
晋晓宇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Security Management System Technology Co Ltd
Original Assignee
Beijing Kingsoft Security Management System Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Security Management System Technology Co Ltd
Priority to CN201710531796.7A
Publication of CN107330329A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for identifying application files. The method includes: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result. The invention solves the technical problem that the related art has no method for identifying application files, and improves user experience.

Description

Method and device for identifying application files
Technical field
The present invention relates to the field of computer networks, and in particular to a method and a device for identifying application files.
Background
In the related art, a security risk in an application file is generally discovered only after it has already caused a certain degree of damage. On the one hand, this delayed discovery poses a potential threat to computers, mobile phones and other terminals: for example, it can lead to direct destruction of computer data, consume large amounts of disk space, seize system resources and slow the computer down. On the other hand, it can also put serious psychological pressure on the user.
No effective solution has yet been proposed for the problem that the related art has no method for identifying application files.
Summary of the invention
Embodiments of the present invention provide a method and a device for identifying application files, to at least solve the technical problem that the related art has no method for identifying application files.
According to one aspect of the embodiments of the present invention, a method for identifying application files is provided, applied to a personal computer (PC) device, including: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
Optionally, identifying the application file according to the determined identification type to obtain an identification result includes: when the determined identification type is static identification, obtaining file information of the application file; and generating, from the obtained file information, a static identification report for the scenario in which the application file is not run.
Optionally, generating the static identification report from the obtained file information includes at least one of the following: determining basic information and key information of the application file from the obtained file information, where the basic information includes at least one of: file type information identifying the file type of the application file, packer type information identifying the type of packer used to pack the application file, and the type of compiler used to compile the application file, and the key information is threat impact information identifying the threat level of the virus threat affecting the application file; and generating, from the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Optionally, generating the static identification report from the basic information and the key information includes: when the application file is a Portable Executable (PE) file, obtaining the PE header information of the PE file and generating the static identification report from the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header information and the file header information of the application file; determining resource information of the resources needed when the file corresponding to the application file runs, and generating the static identification report from the basic information, the key information and the resource information; determining function information of the functions that need to be called when the file corresponding to the application file runs, and generating the static identification report from the basic information, the key information and the function information; and obtaining section information of the sections of the application file and string resource information of the string resources corresponding to the application file, and generating the static identification report from the basic information, the key information, the section information and the string resource information.
Optionally, identifying the application file according to the determined identification type to obtain an identification result includes: when the determined identification type is dynamic identification, obtaining run-time behavior information of the application file while it is run; and generating, from the obtained run-time behavior information, a dynamic identification report for the scenario in which the application file is run.
Optionally, generating the dynamic identification report from the obtained run-time behavior information includes at least one of the following: obtaining the window size of the window shown when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size; determining the destructive behavior by which the application corresponding to the application file damages system software or hardware when it is run, and generating a dynamic identification report that includes the destructive behavior; determining the registry entries that pose a threat to the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threat entries; determining the file derivation relationship that poses a threat to the application file when the application corresponding to the application file is run, where the relationship identifies files generated by other files, and generating a dynamic identification report that includes the file derivation relationship; obtaining the network access records of the network accesses made when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access records; and obtaining the screenshot records that record the screenshots captured when the application corresponding to the application file is run, and generating a dynamic identification report that includes the screenshot records.
According to another aspect of the embodiments of the invention, a device for identifying application files is also provided, applied to a personal computer (PC) device, including: a determining unit, configured to determine the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and an identification unit, configured to identify the application file according to the determined identification type to obtain an identification result.
Optionally, the identification unit includes: a first obtaining subunit, configured to obtain file information of the application file when the determined identification type is static identification; and a first generation subunit, configured to generate, from the obtained file information, a static identification report for the scenario in which the application file is not run.
Optionally, the first generation subunit includes at least one of the following: a determining module, configured to determine basic information and key information of the application file from the obtained file information, where the basic information includes at least one of: file type information identifying the file type of the application file, packer type information identifying the type of packer used to pack the application file, and the type of compiler used to compile the application file, and the key information is threat impact information identifying the threat level of the virus threat affecting the application file; and a first generation module, configured to generate, from the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Optionally, the first generation module includes: a first generation submodule, configured to obtain, when the application file is a Portable Executable (PE) file, the PE header information of the PE file and generate the static identification report from the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header information and the file header information of the application file; a second generation submodule, configured to determine resource information of the resources needed when the file corresponding to the application file runs, and generate the static identification report from the basic information, the key information and the resource information; a third generation submodule, configured to determine function information of the functions that need to be called when the file corresponding to the application file runs, and generate the static identification report from the basic information, the key information and the function information; and a fourth generation submodule, configured to obtain section information of the sections of the application file and string resource information of the string resources corresponding to the application file, and generate the static identification report from the basic information, the key information, the section information and the string resource information.
Optionally, the identification unit includes: a second obtaining subunit, configured to obtain run-time behavior information of the application file while it is run, when the determined identification type is dynamic identification; and a second generation subunit, configured to generate, from the obtained run-time behavior information, a dynamic identification report for the scenario in which the application file is run.
Optionally, the second generation subunit includes at least one of the following: a second generation module, configured to obtain the window size of the window shown when the application corresponding to the application file is run, and generate a dynamic identification report that includes the window size; a third generation module, configured to determine the destructive behavior by which the application corresponding to the application file damages system software or hardware when it is run, and generate a dynamic identification report that includes the destructive behavior; a fourth generation module, configured to determine the registry entries that pose a threat to the application file when the application corresponding to the application file is run, and generate a dynamic identification report that includes the threat entries; a fifth generation module, configured to determine the file derivation relationship that poses a threat to the application file when the application corresponding to the application file is run, where the relationship identifies files generated by other files, and generate a dynamic identification report that includes the file derivation relationship; a sixth generation module, configured to obtain the network access records of the network accesses made when the application corresponding to the application file is run, and generate a dynamic identification report that includes the network access records; and a seventh generation module, configured to obtain the screenshot records that record the screenshots captured when the application corresponding to the application file is run, and generate a dynamic identification report that includes the screenshot records.
According to another aspect of the embodiments of the invention, a storage medium is also provided. The storage medium includes a stored program, where, when the program runs, the device on which the storage medium resides is controlled to execute the method for identifying application files of any one of the above.
According to another aspect of the embodiments of the invention, a processor is also provided. The processor is configured to run a program, where the program, when run, executes the method for identifying application files of any one of the above.
According to another aspect of the embodiments of the invention, a terminal is also provided, including: a device for identifying application files; and a processor that runs a program, where the program, when run, performs the following processing steps on the data output by the device for identifying application files: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
According to another aspect of the embodiments of the invention, a terminal is also provided, including: a device for identifying application files; and a storage medium for storing a program, where the program, when run, performs the following processing steps on the data output by the device for identifying application files: determining the identification type used to identify an application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
In the embodiments of the invention, the identification type used to identify the application file is determined, and the application file is identified according to the determined identification type. This achieves the purpose of identifying the security of the application file and the technical effect of improving the security of the application file, thereby solving the technical problem that the related art cannot identify the security of application files, and improving user experience.
Brief description of the drawings
The accompanying drawings described here are provided for a further understanding of the invention and form part of this application. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the method for identifying application files according to an embodiment of the present invention;
Fig. 2 is a structural block diagram of the device for identifying application files according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of identification unit 23 in the device for identifying application files according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of first generation subunit 33 in the device for identifying application files according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of first generation module 43 in the device for identifying application files according to an embodiment of the present invention;
Fig. 6 is a preferred schematic diagram of identification unit 23 in the device for identifying application files according to an embodiment of the present invention; and
Fig. 7 is a schematic diagram of second generation subunit 63 in the device for identifying application files according to an embodiment of the present invention.
Detailed description of the embodiments
To help those skilled in the art better understand the solution of the invention, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, the claims and the above drawings are used to distinguish similar objects and not to describe a specific order or sequence. It should be understood that data used in this way can be interchanged where appropriate, so that the embodiments described here can be implemented in orders other than those illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover non-exclusive inclusion: for example, a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
For ease of description, some of the nouns and terms used in the embodiments of the invention are explained below:
Message-Digest Algorithm 5 (MD5): one of the hash algorithms widely used in computing, also called a digest algorithm or hash algorithm.
Portable Executable (PE) file: a portable executable. The common EXE, DLL, OCX, SYS and COM files are PE files, which are the program files of the Microsoft Windows operating system.
Disk Operating System (DOS): system software that is mainly disk-oriented.
Encapsulation: combining abstracted data and behavior (or functions) into an organic whole, that is, combining data with the source code that operates on it to form a "class", of which both are members. It also refers to the processing that maps a transmitted data structure into another data structure in order to implement complex data transfer.
Packing: compression of an executable program's resources, and a common means of protecting files. A packed program can be run directly, but its source code cannot be viewed; the source code can be viewed only after unpacking.
Decompilation: generally refers to reverse compilation, also used as a software recovery tool. It means performing "reverse analysis and research" on the target program of someone else's software in order to derive the design elements of that software product, such as its ideas, principles, structure, algorithms, processing and operating methods; in some particular cases the source code may be derived.
According to an embodiment of the invention, a method embodiment of the method for identifying application files is provided. It should be noted that the steps shown in the flow chart of the drawing can be executed in a computer system, for example as a set of computer-executable instructions, and that, although a logical order is shown in the flow chart, in some cases the steps shown or described can be executed in a different order.
According to one aspect of the embodiments of the invention, a method for identifying application files is provided, applied to a personal computer (PC) device. Fig. 1 is a flow chart of the method for identifying application files according to an embodiment of the invention. As shown in Fig. 1, the method includes the following steps:
Step S102: determine the identification type used to identify the application file, where the identification type includes dynamic identification and static identification.
Step S104: identify the application file according to the determined identification type to obtain an identification result.
Through the above steps, the identification type used to identify the application file is determined and the application file is identified according to the determined identification type. This achieves the purpose of identifying the security of the application file and the technical effect of improving the security of the application file, thereby solving the technical problem that the related art cannot identify the security of application files, and improving user experience.
Thus, in steps S102 to S104 above, after the identification type of the application file is determined, the application file is identified according to the determined type. The identification types provided in the embodiments of the invention can include dynamic identification and static identification. These identification types are described in detail below with reference to specific application scenarios.
When the application file is in the scenario in which it is not run, it can be identified using the static identification method. Identifying the application file according to the determined identification type to obtain an identification result can be implemented in several ways, for example: when the determined identification type is static identification, obtaining file information of the application file; and generating, from the obtained file information, a static identification report for the scenario in which the application file is not run. The static identification report is produced by deploying the file itself in a specific static system to read its internal information.
Generating the static identification report from the obtained file information can include at least one of the following: determining basic information and key information of the application file from the obtained file information, where the basic information can include at least one of: file type information identifying the file type of the application file (for example pdf, picture, audio/video, mail and other types), packer type information identifying the type of packer used to pack the application file, and the type of compiler used to compile the application file, and the key information is threat impact information identifying the threat level of the virus threat affecting the application file; and generating, from the basic information and the key information, the static identification report for the scenario in which the application file is not run. It should be noted that, when static identification is performed on an application file, the file information obtained can be of several kinds, for example report header information, basic information and key information.
The report header information can include: (1) the program icon; (2) the identification result, shown as a virus name or as "secure file", "unknown threat", "no abnormality seen" and so on; (3) the threat level, which is the assessed threat level of the file out of a total of 5 stars, where 5 stars is the highest threat level and indicates a high-risk file; (4) the file source, which is the IP address that uploaded the file; (5) the date on which the file was first uploaded.
The basic information can include: (1) the file type: pdf, picture, audio/video, mail and other types; (2) the packer type: some threat files pack themselves in various ways so that they are not easily discovered or debugged; (3) the compiler type: which compiler the file was compiled with; (4) the file size; (5) the hardware platform; (6) version information.
The key information can include: (1) resource anomalies, for example whether the resources contain exe, dll or sys files; (2) PE key information, for example the import table, digital signature, code section compression and window resources.
Building on the above embodiment, after the basic information and key information of the application file are determined from the obtained file information, generating the static identification report from the basic information and the key information can also include the following. When the application file is a Portable Executable (PE) file, the PE header information of the PE file is obtained and the static identification report is generated from the basic information, the key information and the PE header information, where the PE header information can include the disk operating system (DOS) header information and the file header information of the application file. Specifically, the DOS header information can include the name of the DOS header and the value of the DOS header, and the file header information can include the file header name and the file header value of the application file. The resource information of the resources needed when the file corresponding to the application file runs is determined, and the static identification report is generated from the basic information, the key information and the resource information. The function information of the functions that need to be called when the file corresponding to the application file runs is determined, and the static identification report is generated from the basic information, the key information and the function information. The section information of the sections of the application file and the string resource information of the string resources corresponding to the application file are obtained, and the static identification report is generated from the basic information, the key information, the section information and the string resource information. It should be noted that the section information can cover multiple sections, and each section can include: the name, the virtual address and the pointer to the raw data of the application file, and so on.
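The PE fields named above (DOS header, file header, and each section's name, virtual address and raw-data pointer) can be read without running the file. The following is an added example, not part of the patent: the sample image is constructed, `static_report` and `build_sample` are hypothetical names, and the two anomaly checks are illustrative assumptions rather than anything the patent specifies.

```python
import struct

class PEFormatError(ValueError):
    """Input is not a well-formed PE image."""

MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
FILE_DLL = 0x2000
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte section header

def _unpack(fmt, data, offset, what):
    """Bounds-checked unpack: truncated input raises instead of misreading."""
    if offset + struct.calcsize(fmt) > len(data):
        raise PEFormatError(f"truncated {what} at offset {offset:#x}")
    return struct.unpack_from(fmt, data, offset)

def static_report(data: bytes) -> dict:
    """Read header and section fields of a PE image without executing it."""
    # DOS header: magic at 0x00, offset of the PE signature at 0x3C.
    (magic,) = _unpack("<2s", data, 0, "DOS header")
    if magic != b"MZ":
        raise PEFormatError("missing MZ magic in DOS header")
    (e_lfanew,) = _unpack("<I", data, 0x3C, "DOS header")
    (sig,) = _unpack("<4s", data, e_lfanew, "PE signature")
    if sig != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    # 20-byte file header follows the signature.
    machine, nsec, stamp, _, _, opt_size, chars = _unpack(
        "<HHIIIHH", data, e_lfanew + 4, "file header")
    # The section table starts after the optional header.
    table = e_lfanew + 4 + 20 + opt_size
    sections, anomalies = [], []
    for i in range(nsec):
        (raw_name, _, vaddr, raw_size, raw_ptr, _, _, _, _, flags) = _unpack(
            SECTION_FMT, data, table + 40 * i, f"section header {i}")
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        sections.append({"name": name, "virtual_address": vaddr,
                         "raw_data_pointer": raw_ptr, "raw_size": raw_size})
        # Assumed heuristics (not from the patent): W+X sections and raw
        # data outside the file are worth surfacing to an analyst.
        if flags & SCN_MEM_EXECUTE and flags & SCN_MEM_WRITE:
            anomalies.append(f"{name}: section is writable and executable")
        if raw_size and raw_ptr + raw_size > len(data):
            anomalies.append(f"{name}: raw data extends past end of file")
    return {
        "dos_header": {"e_magic": "MZ", "e_lfanew": e_lfanew},
        "file_header": {"machine": MACHINES.get(machine, hex(machine)),
                        "number_of_sections": nsec, "timestamp": stamp,
                        "is_dll": bool(chars & FILE_DLL)},
        "sections": sections,
        "anomalies": anomalies,
    }

def build_sample() -> bytes:
    """Constructed headers-only image (no optional header) for the demo."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, 0, 0x0102)
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    pk0 = struct.pack(SECTION_FMT, b".pk0", 0x2000, 0x2000, 0x400, 0x400,
                      0, 0, 0, 0, 0xE0000020)
    image = bytes(dos) + b"PE\0\0" + coff + text + pk0
    return image.ljust(0x400, b"\0")  # .text fits, .pk0 points past the end

if __name__ == "__main__":
    import json
    print(json.dumps(static_report(build_sample()), indent=2))
```

Every read goes through the bounds check, so a truncated or deliberately malformed upload produces a `PEFormatError` rather than a report built from out-of-range bytes.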
On the other hand, when the file is identified using the dynamic identification method, identifying the application file according to the determined identification type to obtain an identification result can also include: when the determined identification type is dynamic identification, obtaining run-time behavior information of the application file while it is run; and generating, from the obtained run-time behavior information, a dynamic identification report for the scenario in which the application file is run. The dynamic identification report is produced by running the file in various independent back-end systems, recording the behavior log of the running file, and then applying a series of analyses. The generated dynamic identification report can also include the basic information of the application file that is included in the static report, for example the file name of the application file, the file type of the application file, the detection time of the application file, and so on.
The report header information of the application file can include the report header information included in the static report, for example: (1) the program icon; (2) the identification result, shown as a virus name or as "secure file", "unknown threat", "no abnormality seen" and so on; (3) the threat level, which is the assessed threat level of the file out of a total of 5 stars, where 5 stars is the highest threat level and indicates a high-risk file; (4) the file source, which is the IP address that uploaded the file; (5) the date on which the file was first uploaded. The key attributes can include: (1) resource anomalies, for example whether the resources contain exe, dll or sys files; (2) PE key information, for example the import table, digital signature, code section compression and window resources.
It should be noted that the run-time behavior information obtained while the application file is run can be of several kinds. For example, permission list information can include several permissions, such as: whether network access is allowed; whether access to the download manager (ACCESS_DOWNLOAD_MANAGER) is supported; whether obtaining task information is allowed; whether obtaining the network state is allowed; whether obtaining the WiFi state is allowed; whether obtaining the precise location is allowed; whether displaying system windows is allowed; whether recording audio is allowed; whether using vibration is allowed; whether reading external storage (READ_EXTERNAL_STORAGE) is allowed; whether obtaining the coarse location is allowed; whether holding a wake lock is allowed; whether accessing extra location commands is allowed; whether writing to external storage is allowed; and so on. Application file monitoring can include: operations on the application file (for example, reading and writing), the file size of the application file and the path of the application file. Other behavior monitoring can include: the behavior description of the application file, additional information about the application file, and so on.
In another aspect of the embodiments of the present invention, generating, according to the obtained operation behavior information, the dynamic identification report for the scenario in which the application file is run may include at least one of the following: obtaining the window size of the window shown when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size; determining the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and generating a dynamic identification report that includes the destructive behavior; determining the threatening registry entries, that is, the entries in the registry that pose a threat to the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threatening entries; determining the file derivation relationship, which identifies the files generated by a file and which poses a threat to the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the file derivation relationship; obtaining the network access records of the accesses made to the network when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access records; obtaining the screen capture records, which record the screen captures taken when the application corresponding to the application file is run, and generating a dynamic identification report that includes the screen capture records.
It should be noted that the dynamic identification report and the static identification report differ in some respects. The static identification report consists of information obtained while the file is not running, so a static identification environment can be deployed cross-platform on a variety of systems. Dynamic identification can obtain the corresponding information only by actually running the file, so its running environment is usually a specified system and in many cases cannot run cross-platform.
This embodiment also provides a device embodiment of an identification apparatus for an application file, where the identification apparatus is applied to a personal computer (PC) end device. The apparatus is used to implement the above embodiments and preferred implementations, and what has already been explained is not repeated. As used below, the term "unit" may be a combination of software and/or hardware that implements a predetermined function. Although the apparatus described in the following embodiments is preferably implemented in software, an implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a structural block diagram of the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 2, the identification apparatus includes a determining unit 21 and an identification unit 23, which are described below.
The determining unit 21 is configured to determine the identification type used to identify the application file, where the identification type includes dynamic identification and static identification.
The identification unit 23 is connected to the determining unit 21 and is configured to identify the application file according to the determined identification type and obtain an identification result.
In the identification apparatus for an application file provided by the embodiment of the present invention, the determining unit 21 determines the identification type used to identify the application file, where the identification type includes dynamic identification and static identification, and the identification unit 23, connected to the determining unit 21, identifies the application file according to the determined identification type and obtains an identification result. This achieves the purpose of identifying the security of the application file, realizes the technical effect of improving the security of the application file, and thereby solves the technical problem in the related art that the security of an application file cannot be identified, improving the user experience.
Fig. 3 is a schematic diagram of the identification unit 23 in the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 3, the identification unit 23 includes a first obtaining subunit 31 and a first generation subunit 33, which are described in detail below.
The first obtaining subunit 31 is configured to obtain the file information of the application file when the determined identification type is static identification.
The first generation subunit 33 is connected to the first obtaining subunit 31 and is configured to generate, according to the obtained file information, a static identification report for the scenario in which the application file is not run.
Fig. 4 is a schematic diagram of the first generation subunit 33 in the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 4, the first generation subunit 33 includes at least one of a determining module 41 and a first generation module 43, which are described in detail below.
The determining module 41 is configured to determine the basic information and the key information of the application file according to the obtained file information, where the basic information includes at least one of: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file; the key information is threat influence information identifying what affects the threat level at which the application file is threatened by viruses. The first generation module 43 is connected to the determining module 41 and is configured to generate, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
Fig. 5 is a schematic diagram of the first generation module 43 in the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 5, the first generation module 43 includes a first generation submodule 51, a second generation submodule 53, a third generation submodule 55 and a fourth generation submodule 57, which are described in detail below.
The first generation submodule 51 is configured to, when the application file is a portable executable (PE) file, obtain the PE header information of the PE file and generate the static identification report according to the basic information, the key information and the PE header information, where the PE header information includes the disk operating system (DOS) header information and the file header information of the application file.
The second generation submodule 53 is configured to determine the resource information of the runtime resources needed when the file corresponding to the application file is run, and to generate the static identification report according to the basic information, the key information and the resource information.
The third generation submodule 55 is configured to determine the function information of the functions that need to be called when the file corresponding to the application file is run, and to generate the static identification report according to the basic information, the key information and the function information.
The fourth generation submodule 57 is configured to obtain the section information of the sections of the application file and the string resource information of the string resources corresponding to the application file, and to generate the static identification report according to the basic information, the key information, the section information and the string resource information.
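The static report inputs described above (DOS header and file header, section information, and PE key information such as the import table, resources and digital signature) can all be read from the file without running it. The following is an added example, not code from the patent: the function and field names, the compression heuristic and the constructed sample image are assumptions made for illustration.

```python
import struct

# Data-directory indexes from the PE format: import table, resources, certificate table.
KEY_DIRS = {1: "import_table", 2: "resources", 4: "digital_signature"}
MACHINES = {0x014C: "x86", 0x8664: "x64"}
IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # one 40-byte section table entry


class NotPE(ValueError):
    """Raised when the input is not a parseable PE image."""


def static_report(data: bytes) -> dict:
    """Build a static report from the headers alone; the file is never run."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise NotPE("missing DOS header (MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # start of the optional header
    if opt_size < 2 or opt + opt_size > len(data):
        raise NotPE("truncated optional header")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise NotPE("unknown optional header magic")
    dir_off = 96 if magic == 0x10B else 112  # data directories: PE32 vs PE32+
    count = 0
    if opt_size >= dir_off:
        count = struct.unpack_from("<I", data, opt + dir_off - 4)[0]
    key = {}
    for idx, name in KEY_DIRS.items():
        size = 0
        if idx < count and dir_off + 8 * idx + 8 <= opt_size:
            _, size = struct.unpack_from("<II", data, opt + dir_off + 8 * idx)
        key[name] = size > 0  # presence only; a signature is not verified here
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            raise NotPE("truncated section table")
        name, vsize, _, raw, _, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    # Assumed heuristic: an executable section with no bytes on disk but space
    # in memory is a hint that the code is unpacked at run time.
    key["code_section_compressed_hint"] = any(
        s["executable"] and s["raw_size"] == 0 and s["virtual_size"] > 0
        for s in sections)
    return {
        "basic": {"file_type": "PE32" if magic == 0x10B else "PE32+",
                  "machine": MACHINES.get(machine, hex(machine)),
                  "is_dll": bool(chars & IMAGE_FILE_DLL)},
        "pe_header": {"e_lfanew": e_lfanew, "section_count": nsec,
                      "timestamp": stamp},
        "key": key,
        "sections": sections,
    }


def build_sample(signed: bool = False, packed: bool = False) -> bytes:
    """Constructed headers-only PE32 image, used only as sample input here."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)       # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0x5955B000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x28)  # import directory
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * 4, 0x188, 0x10)  # certificate table
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x1000,
                       0 if packed else 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    data = struct.pack(SECTION_FMT, b".data", 0x200, 0x2000, 0x200, 0x600,
                       0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    import json
    print(json.dumps(static_report(build_sample(signed=True, packed=True)), indent=2))
```

The `digital_signature` flag only records that a certificate table entry exists; validating the signature is a separate step that this sketch does not perform.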
Fig. 6 is a preferred schematic diagram of the identification unit 23 in the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 6, the identification unit 23 includes:
A second obtaining subunit 61, configured to obtain the operation behavior information recorded while the application file is run when the determined identification type is dynamic identification.
A second generation subunit 63, connected to the second obtaining subunit 61 and configured to generate, according to the obtained operation behavior information, a dynamic identification report for the scenario in which the application file is run.
Fig. 7 is a schematic diagram of the second generation subunit 63 in the identification apparatus for an application file according to an embodiment of the present invention. As shown in Fig. 7, the second generation subunit 63 includes at least one of the following:
A second generation module 71, configured to obtain the window size of the window shown when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the window size.
A third generation module 72, configured to determine the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the destructive behavior.
A fourth generation module 73, configured to determine the threatening registry entries, that is, the entries in the registry that pose a threat to the application file when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the threatening entries.
A fifth generation module 74, configured to determine the file derivation relationship, which identifies the files generated by a file and which poses a threat to the application file when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the file derivation relationship.
A sixth generation module 75, configured to obtain the network access records of the accesses made to the network when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the network access records.
A seventh generation module 76, configured to obtain the screen capture records, which record the screen captures taken when the application corresponding to the application file is run, and to generate a dynamic identification report that includes the screen capture records.
According to another aspect of the embodiments of the present invention, a storage medium is also provided. The storage medium includes a stored program, where, when the program runs, the device on which the storage medium resides is controlled to perform the identification method for an application file of any one of the above.
According to another aspect of the embodiments of the present invention, a processor is also provided. The processor is configured to run a program, where the identification method for an application file of any one of the above is performed when the program runs.
According to another aspect of the embodiments of the present invention, a terminal is also provided, including: an identification apparatus for an application file; and a processor that runs a program, where, when the program runs, the following processing steps are performed on the data output by the identification apparatus for an application file: determining the identification type used to identify the application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
According to another aspect of the embodiments of the present invention, a terminal is also provided, including: an identification apparatus for an application file; and a storage medium for storing a program, where, when the program runs, the following processing steps are performed on the data output by the identification apparatus for an application file: determining the identification type used to identify the application file, where the identification type includes dynamic identification and static identification; and identifying the application file according to the determined identification type to obtain an identification result.
The above embodiments of the present invention are for description only and do not represent the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For a part that is not described in detail in one embodiment, refer to the related description of the other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units may be a division by logical function, and other divisions are possible in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection between units or modules through some interfaces, and may be electrical or take other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a removable hard disk, a magnetic disk, an optical disc and other media that can store program code.
The above is only the preferred implementation of the present invention. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (10)

1. An identification method for an application file, characterized in that it is applied to a personal computer (PC) end device and comprises:
determining the identification type used to identify the application file, wherein the identification type includes dynamic identification and static identification;
identifying the application file according to the determined identification type to obtain an identification result.
2. The method according to claim 1, characterized in that identifying the application file according to the determined identification type to obtain an identification result comprises:
when the determined identification type is static identification, obtaining the file information of the application file;
generating, according to the obtained file information, a static identification report for the scenario in which the application file is not run.
3. The method according to claim 2, characterized in that generating, according to the obtained file information, the static identification report for the scenario in which the application file is not run comprises at least one of:
determining the basic information and the key information of the application file according to the obtained file information, wherein the basic information includes at least one of: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file; and the key information is threat influence information identifying what affects the threat level at which the application file is threatened by viruses;
generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
4. The method according to claim 3, characterized in that generating, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run comprises:
when the application file is a portable executable (PE) file, obtaining the PE header information of the PE file and generating the static identification report according to the basic information, the key information and the PE header information, wherein the PE header information includes the disk operating system (DOS) header information and the file header information of the application file;
determining the resource information of the runtime resources needed when the file corresponding to the application file is run, and generating the static identification report according to the basic information, the key information and the resource information;
determining the function information of the functions that need to be called when the file corresponding to the application file is run, and generating the static identification report according to the basic information, the key information and the function information;
obtaining the section information of the sections of the application file and the string resource information of the string resources corresponding to the application file, and generating the static identification report according to the basic information, the key information, the section information and the string resource information.
5. The method according to claim 1, characterized in that identifying the application file according to the determined identification type to obtain an identification result comprises:
when the determined identification type is dynamic identification, obtaining the operation behavior information recorded while the application file is run;
generating, according to the obtained operation behavior information, a dynamic identification report for the scenario in which the application file is run.
6. The method according to claim 5, characterized in that generating, according to the obtained operation behavior information, the dynamic identification report for the scenario in which the application file is run comprises at least one of:
obtaining the window size of the window shown when the application corresponding to the application file is run, and generating a dynamic identification report that includes the window size;
determining the destructive behavior that damages system software or hardware when the application corresponding to the application file is run, and generating a dynamic identification report that includes the destructive behavior;
determining the threatening registry entries, that is, the entries in the registry that pose a threat to the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the threatening entries;
determining the file derivation relationship, which identifies the files generated by a file and which poses a threat to the application file when the application corresponding to the application file is run, and generating a dynamic identification report that includes the file derivation relationship;
obtaining the network access records of the accesses made to the network when the application corresponding to the application file is run, and generating a dynamic identification report that includes the network access records;
obtaining the screen capture records, which record the screen captures taken when the application corresponding to the application file is run, and generating a dynamic identification report that includes the screen capture records.
7. An identification apparatus for an application file, characterized in that it is applied to a personal computer (PC) end device and comprises:
a determining unit, configured to determine the identification type used to identify the application file, wherein the identification type includes dynamic identification and static identification;
an identification unit, configured to identify the application file according to the determined identification type and obtain an identification result.
8. The apparatus according to claim 7, characterized in that the identification unit comprises:
a first obtaining subunit, configured to obtain the file information of the application file when the determined identification type is static identification;
a first generation subunit, configured to generate, according to the obtained file information, a static identification report for the scenario in which the application file is not run.
9. The apparatus according to claim 8, characterized in that the first generation subunit comprises at least one of:
a determining module, configured to determine the basic information and the key information of the application file according to the obtained file information, wherein the basic information includes at least one of: file type information identifying the file type of the application file, packer type information for the packer type used to pack the application file, and the compiler type used to compile the application file; and the key information is threat influence information identifying what affects the threat level at which the application file is threatened by viruses;
a first generation module, configured to generate, according to the basic information and the key information, the static identification report for the scenario in which the application file is not run.
10. The apparatus according to claim 9, characterized in that the first generation module comprises:
a first generation submodule, configured to, when the application file is a portable executable (PE) file, obtain the PE header information of the PE file and generate the static identification report according to the basic information, the key information and the PE header information, wherein the PE header information includes the disk operating system (DOS) header information and the file header information of the application file;
a second generation submodule, configured to determine the resource information of the runtime resources needed when the file corresponding to the application file is run, and to generate the static identification report according to the basic information, the key information and the resource information;
a third generation submodule, configured to determine the function information of the functions that need to be called when the file corresponding to the application file is run, and to generate the static identification report according to the basic information, the key information and the function information;
a fourth generation submodule, configured to obtain the section information of the sections of the application file and the string resource information of the string resources corresponding to the application file, and to generate the static identification report according to the basic information, the key information, the section information and the string resource information.
CN201710531796.7A 2017-06-30 2017-06-30 The authentication method and device of application file Pending CN107330329A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710531796.7A CN107330329A (en) 2017-06-30 2017-06-30 The authentication method and device of application file

Publications (1)

Publication Number Publication Date
CN107330329A true CN107330329A (en) 2017-11-07

Family

ID=60198723

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710531796.7A Pending CN107330329A (en) 2017-06-30 2017-06-30 The authentication method and device of application file

Country Status (1)

Country Link
CN (1) CN107330329A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101329711A (en) * 2008-07-24 2008-12-24 成都市华为赛门铁克科技有限公司 Method and apparatus for detecting computer file
CN102024112A (en) * 2010-12-17 2011-04-20 四川大学 PE (portable executable) file pack detection method based on static characteristics
CN102930206A (en) * 2011-08-09 2013-02-13 腾讯科技(深圳)有限公司 Cluster partitioning processing method and cluster partitioning processing device for virus files
CN102930210A (en) * 2012-10-14 2013-02-13 江苏金陵科技集团公司 System and method for automatically analyzing, detecting and classifying malicious program behavior
CN104123501A (en) * 2014-08-06 2014-10-29 厦门大学 Online virus detection method based on assembly of multiple detectors
CN104200155A (en) * 2014-08-12 2014-12-10 中国科学院信息工程研究所 Monitoring device and method for protecting user privacy based on iPhone operating system (iOS)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107