CN107341403B - A file conversion method and device - Google Patents

A file conversion method and device

Info

Publication number: CN107341403B
Authority: CN (China)
Application number: CN201710607870.9A
Other languages: Chinese (zh)
Other versions: CN107341403A
Inventors: 胡昌振, 马锐, 王夏菁, 王赫晨, 赵小林
Current assignee: Beijing Institute of Technology BIT
Original assignee: Beijing Institute of Technology BIT
Priority date: 2017-07-24
Filing date: 2017-07-24
Publication date: 2020-11-27 (CN107341403B); 2017-11-10 (CN107341403A)
Legal status: Active

Classifications

    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (under G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms)
    • G06F40/151 Transformation (under G06F40/12, use of codes for handling textual entities)
    • G06F2221/034 Test or assess a computer or a system (indexing scheme relating to G06F21/50)


Abstract

The invention discloses a file conversion method and device, applied in the binary analysis framework angr, comprising: obtaining the dex file of an Android application to be examined; converting the dex file into a first file in a binary format supported by the angr framework; loading the first file into the angr framework, performing symbolic execution analysis on it, and using the result of the symbolic execution analysis to assist in judging whether the Android application has a vulnerability. The technical solution of the embodiments converts the executable file of an Android application so that it can be loaded successfully into angr, and uses angr to perform vulnerability detection based on symbolic execution on the application, thereby providing a new solution for vulnerability detection in Android applications and ensuring their security.

Description

A file conversion method and device

Technical field

The invention relates to the field of information security technology, and in particular to a file conversion method and device.

Background

With the development of Internet and mobile terminal technology, the security problems and risks of mobile terminals have become increasingly serious. This is especially true for mobile terminals running Android: because the Android source code is open, the risks carried by applications developed for it draw particular attention. Although Android has a carefully designed security architecture, attackers can still exploit vulnerabilities to bypass certain protection mechanisms.

Because of this, a large amount of malicious code and many security incidents revolve around security vulnerabilities. Security vulnerabilities are therefore a key factor affecting Android security, and how to effectively discover security vulnerabilities in the Android system is a pressing technical problem for practitioners.

Summary of the invention

The invention provides a file conversion method and device for discovering security vulnerabilities in the Android system, strengthening the security of mobile terminals running Android, and protecting users' private data from theft by attackers.

According to one aspect of the invention, a file conversion method is provided, applied in the binary analysis framework angr, comprising:

obtaining the dex file of the Android application to be examined;

converting the dex file into a first file in a binary format supported by the angr framework;

loading the first file into the angr framework, performing symbolic execution analysis on the first file, and using the result of the symbolic execution analysis to assist in judging whether the Android application has a vulnerability.

According to another aspect of the invention, a file conversion device is provided, applied in the binary analysis framework angr, comprising:

a file acquisition module for obtaining the dex file of the Android application to be examined;

a file conversion module for converting the dex file into a first file in a binary format supported by the angr framework;

a detection and determination module for loading the first file into the angr framework, performing symbolic execution analysis on the first file, and using the result to assist in judging whether the Android application has a vulnerability.

The beneficial effects of the invention are as follows. The file conversion method and device of the embodiments are applied in the binary analysis framework angr: the dex file of the Android application to be examined is obtained, converted into a first file in a binary format that angr supports, and then loaded into angr for symbolic execution analysis, whose result assists in judging whether the application has a vulnerability. This solves the problem that the existing angr framework does not support the bytecode files of Android applications and therefore cannot be used to perform symbolic execution analysis on them. It also provides a new solution for vulnerability detection in Android applications, strengthens the security of mobile terminals running Android, protects users' private data from theft and leakage, and improves the user experience of mobile terminals.

Description of the drawings

Fig. 1 is a schematic flowchart of a file conversion method according to an embodiment of the invention;

Fig. 2 is a schematic diagram of the file acquisition process according to an embodiment of the invention;

Fig. 3 is a schematic flowchart of APK file conversion;

Fig. 4 is a schematic diagram of the dex file conversion process;

Fig. 5 is a structural block diagram of a file conversion device according to an embodiment of the invention.

Detailed description

The design concept of the invention is as follows. The angr framework can perform symbolic execution analysis on binaries of different types: its loader can load many kinds of binary files and automatically identifies and selects the appropriate backend loader according to the file type. However, because of the particular nature of Android bytecode (Android bytecode runs in the Dalvik virtual machine, unlike Java bytecode, which runs in the JVM), angr's loader does not recognise the executable file of an Android application; that is, the application's dex executable cannot be loaded by angr. For this reason, angr cannot perform symbolic execution analysis on Android applications and therefore cannot detect whether they contain vulnerabilities.

The embodiments of the invention mainly process the executable file of an Android application so that it can be loaded successfully into the angr framework, making angr applicable to the Android system of mobile terminals and enabling vulnerability detection based on symbolic execution, which helps to improve the security of the Android system.

For ease of understanding, several technical terms used in the embodiments are briefly explained here.

angr framework: angr is an automated binary analysis framework that integrates many binary analysis techniques and offers both dynamic symbolic execution and static analysis of binary programs. angr was originally built to find backdoors in programs and is now applied to vulnerability analysis. It is written in Python, has good compatibility, supports multiple platforms and architectures, and can currently analyse many kinds of binary files.

Symbolic execution: symbolic execution is a technique for traversing the execution space of code, with important applications in software security, malware analysis, program debugging and other fields. It replaces program variables with abstract symbols and, following the program's semantics, has a symbolic computation engine perform semantic operations on those symbols along each path, thereby simulating program execution. Symbolic execution is divided into intra-procedural and inter-procedural analysis and, depending on whether the program is actually executed, into static and dynamic symbolic execution.

Symbolic execution in the angr framework consists of four parts: a loader that can load almost any binary file; a translator that converts the binary into an intermediate language; a symbolic execution engine that operates on the intermediate language; and a constraint solver.

Android application: Android is a free and open-source operating system based on Linux, used mainly on mobile devices such as smartphones and tablets. An Android application is a program that runs on the Android operating system, including both system applications and ordinary applications.

Fig. 1 is a schematic flowchart of a file conversion method according to an embodiment of the invention. Referring to Fig. 1, the file conversion method of this embodiment, applied in the binary analysis framework angr, comprises:

Step S101: obtain the dex file of the Android application to be examined;

dex is short for "Dalvik VM executes". A dex file is the executable file of the Android platform (the Dalvik virtual machine), the counterpart of an exe file on Windows. Every APK (Android Package) contains a dex file, which holds all of the application's code; the corresponding Java source can be obtained with a decompilation tool.

Step S102: convert the dex file into a first file in a binary format supported by the angr framework;

Step S103: load the first file into the angr framework, perform symbolic execution analysis on it, and use the result of the symbolic execution analysis to assist in judging whether the Android application has a vulnerability.

As Fig. 1 shows, the file conversion method of this embodiment obtains the dex file of an Android application, converts it into a first file in a binary format supported by angr, loads that file into angr, performs symbolic execution analysis on it, and uses the result to assist in judging whether the application under examination has a vulnerability. This solves the problem that angr currently cannot recognise the executable files of Android applications and so cannot perform symbolic execution analysis on them; it provides a new solution for vulnerability detection in Android applications, helps improve their security, prevents the private data of Android users from being stolen by attackers, and improves the user experience of Android mobile terminals.

The file conversion method of the embodiment is described in detail below with reference to Figs. 2 to 4.

To address the inability of the existing angr framework to load the executable file of an Android application, this embodiment proposes, based on the characteristics of Android code, a conversion method for the executable file of an Android application, namely a format conversion of that executable file.

Specifically, referring to Fig. 2, an Android application to be examined is first obtained;

then, file conversion is performed on the Android application to generate an exe executable file.

Because the exe executable is a binary format supported by the angr framework, the exe file corresponding to the Android application can be loaded into angr.

Finally, symbolic execution analysis is performed on the exe executable in the angr framework, which assists in judging whether the Android application under examination has a vulnerability.

File conversion is the focus of this embodiment and is described in detail next.

Referring to Fig. 3, first the APK file of the Android application is obtained; in the Android system, the APK file is the Android installation package.

Next, once the APK file is obtained, it is decompressed with the APK tool to obtain a complete Android project. Note that decompressing the APK with the APK tool is only an illustrative example; in practice, any tool capable of decompressing an APK file may be used.

Referring to Fig. 3, the Android project obtained after decompression mainly comprises the META-INF files, the res files, the XML file, the dex file and the arsc file.

Among these, the META-INF files are the APK signature files, used to guarantee the integrity of the APK package and the security of the system.

The res files hold the various resource files of the Android project, with different kinds of resources stored in different directories. The res directory has subdirectories, for example the layout directory, which mainly holds layout files; the menu directory, which mainly holds menu files; and the values directory, which mainly holds the application's default resource files.

The XML file mainly refers to AndroidManifest.xml, the global configuration file of an Android application.

The arsc file holds the compiled binary resources and records the mapping between resource files and resource IDs.

The dex file is the Dalvik bytecode file produced by compilation; it can run only on the Dalvik virtual machine, and the Dalvik virtual machine is not compatible with the Java virtual machine.

Finally, the dex file is extracted from the resulting Android project.

That is, in this embodiment the dex executable file is extracted from the Android project for the subsequent conversion processing.

Once the dex file has been obtained, refer to Fig. 4, which illustrates the conversion of the dex file into a Windows exe executable: the dex file is decompiled into a Java jar file, and the jar file is then converted into a Windows exe executable.

The file conversion shown in Fig. 4 can be subdivided into two parts, decompilation and recompilation.

Decompilation turns the Android executable dex file back into its original Java package, that is, it converts classes.dex into a jar file.

The tool used in this part is dex2jar, a decompilation tool for dex files on the Android platform. Although the jar file obtained by decompilation is not a standard Java code file, it can be compiled into an exe file by the recompilation step that follows.

Recompilation compiles and converts the jar file obtained in the previous step into a Windows exe executable.

The tool used in this part is jar2exe. jar2exe works by starting the Java virtual machine through the JNI interface and providing further advanced features on top of that; it can generate three types of executable: console programs, Windows GUI programs and Windows NT service programs. During recompilation, the conversion from jar file to exe executable is achieved by using the console-program type.

A Windows exe executable can be loaded directly into the angr framework, after which the subsequent symbolic execution analysis is carried out in angr.
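As an added example (not part of the patent or of any of the tools it names), the acquisition step of the procedure above in Python: the APK is opened as a zip archive, every classes*.dex at the archive root is pulled out (so multidex packages yield several files), and each dex header is checked (magic, version, endian tag, file_size, header_size, adler32 checksum and SHA-1 signature) before it is handed to dex2jar. The APK layout and the dex contents are constructed inside the script, and all function names are my own.

```python
"""Extract classes*.dex from an APK and validate the dex header before conversion."""
import hashlib
import struct
import zipfile
import zlib
from io import BytesIO

DEX_HEADER_SIZE = 0x70            # dex_header_item is always 0x70 bytes
ENDIAN_CONSTANT = 0x12345678      # endian_tag of a little-endian dex file
KNOWN_VERSIONS = {b"035\0", b"037\0", b"038\0", b"039\0"}   # magic bytes 4..7


def extract_dex_files(apk_bytes):
    """Open the APK (a zip) and return {name: bytes} for every classes*.dex
    at the archive root; dex files nested in other directories are ignored."""
    found = {}
    with zipfile.ZipFile(BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if "/" not in name and name.startswith("classes") and name.endswith(".dex"):
                found[name] = apk.read(name)
    return found


def validate_dex(data):
    """Check a dex file against its own header. Returns (ok, problems);
    ok is True only when every check passes."""
    problems = []
    if len(data) < DEX_HEADER_SIZE:
        return False, ["file shorter than the 0x70-byte dex header"]
    if data[:4] != b"dex\n":
        problems.append("bad magic (not a dex file)")
    if data[4:8] not in KNOWN_VERSIONS:
        problems.append("unknown dex version %r" % data[4:8])
    checksum, = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("endian_tag 0x%08x is not little-endian" % endian_tag)
    if header_size != DEX_HEADER_SIZE:
        problems.append("header_size %d != 0x70" % header_size)
    if file_size != len(data):
        problems.append("file_size %d != actual %d" % (file_size, len(data)))
    # adler32 covers everything after the checksum field (offset 12 onwards),
    # SHA-1 everything after the signature field (offset 32 onwards).
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        problems.append("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        problems.append("sha1 signature mismatch")
    return not problems, problems


def build_synthetic_dex(version=b"035\0", body=b""):
    """Constructed sample: a header-only dex (no class data) whose file_size,
    checksum and signature are consistent, enough to exercise validate_dex."""
    total = DEX_HEADER_SIZE + len(body)
    tail = struct.pack("<III", total, DEX_HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\0" * (DEX_HEADER_SIZE - 32 - len(tail))   # remaining header fields zeroed
    tail += body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n" + version + struct.pack("<I", checksum) + signature + tail


def build_synthetic_apk(dex_files):
    """Constructed sample: an APK laid out like the unpacked project on the page
    (META-INF signature files, res/, AndroidManifest.xml, resources.arsc, dex)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as apk:
        apk.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        apk.writestr("AndroidManifest.xml", b"<manifest/>")
        apk.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        apk.writestr("res/layout/main.xml", b"<LinearLayout/>")
        apk.writestr("assets/decoy/classes.dex", b"not at the root")  # must be ignored
        for name, data in dex_files.items():
            apk.writestr(name, data)
    return buf.getvalue()


def dex_files_ready_for_conversion(apk_bytes):
    """Extract and validate; return the names of dex files fit to pass to dex2jar."""
    ready = []
    for name, data in sorted(extract_dex_files(apk_bytes).items()):
        ok, _ = validate_dex(data)
        if ok:
            ready.append(name)
    return ready


if __name__ == "__main__":
    good = build_synthetic_dex()
    bad = bytearray(build_synthetic_dex(body=b"\x01\x02"))
    bad[-1] ^= 0xFF                     # one flipped byte breaks checksum and signature
    apk = build_synthetic_apk({"classes.dex": good, "classes2.dex": bytes(bad)})
    for name, data in sorted(extract_dex_files(apk).items()):
        print(name, validate_dex(data))
    print("ready:", dex_files_ready_for_conversion(apk))
```

These checks stop a truncated or tampered dex before dex2jar sees it; they say nothing about the later jar2exe output, which by the page's own description is a launcher that starts a JVM through JNI.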

A brief description of the symbolic execution analysis process in the angr framework follows.

The angr framework integrates a number of existing vulnerability analysis techniques and implements different functions in different modules, so existing analysis techniques can easily be compared and the strengths of different techniques combined.

In brief, the process is: first, the binary program (for example, the exe executable shown in Fig. 4) is loaded into angr; the binary's code is then translated into an intermediate representation (IR); the program is then analysed further, by static analysis or by dynamic symbolic execution.

angr mainly comprises the following modules:

the binary loading module (CLE), which loads a binary program, including exe executables, into the analysis platform;

the intermediate representation module (IR), which translates binary code into an intermediate language; the VEX intermediate language allows angr to analyse binaries for different architectures;

the program state module (SimuVEX), which represents the state of the program; SimState in SimuVEX implements a set of state plugins such as registers, abstract memory and symbolic memory, whose state can be specified by the user;

the data model module (Claripy), which provides abstract representations for the values stored in SimState registers or memory;

the full-program analysis module, which combines all the modules so that angr can perform complex and complete program analyses.

The binary loading module (CLE) is the entry point of the angr framework; through CLE, the exe executable converted from the dex bytecode file of the Android application in this embodiment is loaded into angr for the subsequent symbolic execution analysis.

Symbolic execution can uncover the essential constraint relationships between variables within complex data dependencies, with higher precision than methods such as taint propagation analysis and fuzzing; these precise algebraic relationships between variables help in understanding the program's internal logic. While simulating program execution, symbolic execution also records precisely all the constraints along an execution path, which improves the accuracy of path reachability decisions in control-flow analysis.

Note that symbolic execution analysis based on the angr framework is prior art; the symbolic execution analysis carried out after the exe executable converted from the Android application's dex bytecode file has been loaded into angr can therefore follow the prior art and is not repeated here.

Fig. 5 is a structural block diagram of a file conversion device according to an embodiment of the invention. Referring to Fig. 5, the file conversion device 500 of this embodiment, applied in the binary analysis framework angr, comprises:

a file acquisition module 501 for obtaining the dex file of the Android application to be examined;

a file conversion module 502 for converting the dex file into a first file in a binary format supported by the angr framework;

a detection and determination module 503 for loading the first file into the angr framework, performing symbolic execution analysis on the first file, and using the result to assist in judging whether the Android application has a vulnerability.

In one embodiment, the file acquisition module 501 is specifically configured to obtain the installation package (APK file) of the Android application to be examined, decompress the APK file and extract the dex file from it.

In one embodiment, the file conversion module 502 is specifically configured to decompile the dex file to obtain a Java archive (jar) file, and to recompile the jar file to obtain an exe file in binary format.

Note that the file conversion device of this embodiment corresponds to the file conversion method of the preceding embodiments; for the operation of the device, refer to the description of the method embodiments above, which is not repeated here.

In summary, the file conversion method and device of the embodiments of the invention perform file conversion for Android applications, converting the application's dex bytecode file into a Windows exe executable and loading it into the angr framework for subsequent symbolic execution analysis. This solves the problem that angr could not perform symbolic execution analysis on Android applications, and thereby assist in vulnerability detection, because it could not import and read the Android installation package (APK) or the dex executable, and helps improve the reliability and security of the Android system.

The above are only specific embodiments of the invention; under its teaching, those skilled in the art may make further improvements or variations on the basis of these embodiments. Those skilled in the art should understand that the detailed description above serves only to better explain the invention, and the scope of protection is defined by the claims.

Claims (6)

1. A file conversion method, applied to the binary file analysis framework angr, comprising the following steps:
acquiring a dex file of an Android application to be detected;
converting the dex file into a first file in a binary format supported by the angr framework;
loading the first file into the angr framework, performing symbolic execution analysis on the first file, and using the symbolic execution analysis result to assist in determining whether the Android application has a bug;
wherein the first file is an exe executable file.
2. The file conversion method according to claim 1, wherein acquiring the dex file of the Android application to be detected comprises:
acquiring an installation package (APK) file of the Android application to be detected, decompressing the APK file, and extracting the dex file from the APK file.
3. The file conversion method according to claim 2, wherein converting the dex file into the first file in a binary format supported by the angr framework comprises:
decompiling the dex file to obtain a Java archive (jar) file;
and recompiling the jar file to obtain an executable (exe) file in a binary format.
4. A file conversion device, applied to the binary file analysis framework angr, comprising:
a file acquisition module for acquiring a dex file of an Android application to be detected;
a file conversion module for converting the dex file into a first file in a binary format supported by the angr framework;
a detection determining module for loading the first file into the angr framework, performing symbolic execution analysis on the first file, and using the symbolic execution analysis result to assist in determining whether the Android application has a bug;
wherein the first file is an exe executable file.
5. The file conversion device according to claim 4, wherein
the file acquisition module is specifically configured to acquire an installation package (APK) file of the Android application to be detected, decompress the APK file, and extract the dex file from the APK file.
6. The file conversion device according to claim 5, wherein
the file conversion module is specifically configured to decompile the dex file to obtain a Java archive (jar) file, and to recompile the jar file to obtain an executable (exe) file in a binary format.
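The acquisition step of claims 1 to 3 (obtain the APK, decompress it, pull out the dex file) as an added Python example; this is not the patent's or the inventors' code. It assumes the APK is a standard ZIP container and that the dex header follows the Android dex format layout; the sample APK and its dex entries are constructed in memory. It goes slightly beyond what the claims state: before any dex is handed to a converter it validates the header (magic, endian tag, declared sizes, adler32 checksum and SHA-1 signature) and rejects archives with duplicate entry names, so a corrupted or tampered input never reaches the rest of the pipeline.

```python
"""Extract and validate classes*.dex entries from an APK before they are handed
to a converter and to a symbolic-execution framework.

Added example, not the patent's own code. Assumptions: the APK is a standard ZIP
container, the dex header follows the Android dex format layout, and the sample
APK below is constructed in memory from header-only dex files.
"""
import hashlib
import io
import re
import struct
import zipfile
import zlib

DEX_HEADER_SIZE = 0x70
DEX_ENDIAN_CONSTANT = 0x12345678
DEX_MAGICS = {b"dex\n035\0", b"dex\n037\0", b"dex\n038\0", b"dex\n039\0"}
DEX_NAME_RE = re.compile(r"^classes\d*\.dex$")   # root-level classes.dex, classes2.dex, ...


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample input: a header-only dex with valid checksum and signature."""
    # file_size, header_size, endian_tag, then the 17 zeroed size/offset fields
    body = struct.pack("<III", DEX_HEADER_SIZE, DEX_HEADER_SIZE, DEX_ENDIAN_CONSTANT)
    body += b"\0" * 68
    signature = hashlib.sha1(body).digest()      # signature covers bytes 32..end
    checksum = zlib.adler32(signature + body)    # checksum covers bytes 12..end
    return b"dex\n" + version + b"\0" + struct.pack("<I", checksum) + signature + body


def validate_dex(data: bytes) -> dict:
    """Parse the dex header and verify magic, endianness, sizes, checksum and SHA-1.

    Raises ValueError on any mismatch so a corrupted or tampered dex is rejected.
    """
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("file shorter than a dex header")
    magic = data[:8]
    if magic not in DEX_MAGICS:
        raise ValueError(f"unsupported dex magic {magic!r}")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if endian_tag != DEX_ENDIAN_CONSTANT:
        raise ValueError("unexpected endian tag (byte-swapped dex not supported)")
    if header_size != DEX_HEADER_SIZE:
        raise ValueError(f"unexpected header_size {header_size:#x}")
    if file_size != len(data):
        raise ValueError(f"file_size {file_size} != actual length {len(data)}")
    if zlib.adler32(data[12:]) != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(data[32:]).digest() != signature:
        raise ValueError("SHA-1 signature mismatch")
    return {"version": magic[4:7].decode(), "file_size": file_size, "checksum": checksum}


def is_valid_dex(data: bytes) -> bool:
    """Boolean wrapper around validate_dex for callers that just need a verdict."""
    try:
        validate_dex(data)
        return True
    except ValueError:
        return False


def extract_dex_files(apk_bytes: bytes) -> dict:
    """Return {entry_name: dex_bytes} for every validated root-level classes*.dex.

    Entries are read into memory rather than extracted to disk under their own
    names, so hostile entry names cannot escape a directory. Duplicate entry
    names are rejected because different ZIP parsers may pick different copies.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        if len(names) != len(set(names)):
            raise ValueError("APK contains duplicate entry names")
        found = {}
        for name in names:
            if DEX_NAME_RE.match(name):
                data = zf.read(name)
                validate_dex(data)
                found[name] = data
    if not found:
        raise ValueError("no classes*.dex entry in APK")
    return found


def build_sample_apk() -> bytes:
    """Constructed multidex APK: a manifest placeholder plus two dex entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<placeholder/>")
        zf.writestr("classes.dex", build_minimal_dex())
        zf.writestr("classes2.dex", build_minimal_dex(b"037"))
        zf.writestr("assets/notes.dex", b"not a dex")   # ignored: not root-level
    return buf.getvalue()


def tamper(dex: bytes) -> bytes:
    """Flip one byte in the data region; checksum and signature no longer match."""
    mutable = bytearray(dex)
    mutable[-1] ^= 0xFF
    return bytes(mutable)


if __name__ == "__main__":
    for name, dex in extract_dex_files(build_sample_apk()).items():
        info = validate_dex(dex)
        print(f"{name}: dex v{info['version']}, {info['file_size']} bytes, "
              f"adler32={info['checksum']:#010x}")
    print("tampered dex accepted:", is_valid_dex(tamper(build_minimal_dex())))
```

The example stays within the standard library so it runs offline; the claims' later steps (decompiling the dex to a jar, recompiling it, and loading the result with `angr.Project(path, auto_load_libs=False)`) are outside it. The header checks matter in practice because a dex whose declared `file_size` or checksum disagrees with its contents is either damaged or has been edited after build, and either case should be surfaced before analysis results are trusted.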
CN201710607870.9A 2017-07-24 2017-07-24 A file conversion method and device Active CN107341403B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710607870.9A CN107341403B (en) 2017-07-24 2017-07-24 A file conversion method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710607870.9A CN107341403B (en) 2017-07-24 2017-07-24 A file conversion method and device

Publications (2)

Publication Number Publication Date
CN107341403A CN107341403A (en) 2017-11-10
CN107341403B true CN107341403B (en) 2020-11-27

Family

ID=60216589

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710607870.9A Active CN107341403B (en) 2017-07-24 2017-07-24 A file conversion method and device

Country Status (1)

Country Link
CN (1) CN107341403B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115454575B (en) * 2022-09-28 2023-08-15 广东保伦电子股份有限公司 jar package conversion and automatic loading method, device, equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104484607A (en) * 2014-12-16 2015-04-01 上海交通大学 Universal method and universal system for performing safety testing on Android application programs
CN105279078A (en) * 2014-06-24 2016-01-27 腾讯科技(深圳)有限公司 Method and device for detecting security hole
CN106709356A (en) * 2016-12-07 2017-05-24 西安电子科技大学 Static taint analysis and symbolic execution-based Android application vulnerability discovery method

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105279078A (en) * 2014-06-24 2016-01-27 腾讯科技(深圳)有限公司 Method and device for detecting security hole
CN104484607A (en) * 2014-12-16 2015-04-01 上海交通大学 Universal method and universal system for performing safety testing on Android application programs
CN106709356A (en) * 2016-12-07 2017-05-24 西安电子科技大学 Static taint analysis and symbolic execution-based Android application vulnerability discovery method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Method for extracting control-flow graphs of Android native code based on symbolic execution; 颜慧颖 et al.; 《网络与信息安全学报》 (Chinese Journal of Network and Information Security); 2017-07-15; Vol. 3, No. 7; pp. 00178-1 to 00178-14 *

Also Published As

Publication number Publication date
CN107341403A (en) 2017-11-10

Similar Documents

Publication Publication Date Title
Wright et al. Challenges in firmware re-hosting, emulation, and analysis
Feng et al. A performance-sensitive malware detection system using deep learning on mobile devices
Peng et al. X-Force: Force-Executing binary programs for security applications
Kim et al. ScanDal: Static analyzer for detecting privacy leaks in android applications
US20210149788A1 (en) Software diagnosis using transparent decompilation
Brown et al. Finding and preventing bugs in javascript bindings
Zhang et al. CryptoREX: Large-scale analysis of cryptographic misuse in IoT devices
US20050108562A1 (en) Technique for detecting executable malicious code using a combination of static and dynamic analyses
US20090271867A1 (en) Virtual machine to detect malicious code
Arzt et al. Using targeted symbolic execution for reducing false-positives in dataflow analysis
CN114021142A (en) Android application program vulnerability detection method
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
Zhang et al. IntPatch: Automatically fix integer-overflow-to-buffer-overflow vulnerability at compile-time
Zhang et al. Rapid Android parser for investigating DEX files (RAPID)
Arzt et al. The soot-based toolchain for analyzing android apps
Liu et al. Exploring missed optimizations in webassembly optimizers
Oliinyk et al. Fuzzing BusyBox: Leveraging LLM and Crash Reuse for Embedded Bug Unearthing
You et al. Deoptfuscator: Defeating advanced control-flow obfuscation using android runtime (art)
Peng et al. GLeeFuzz: Fuzzing WebGL Through Error Message Guided Mutation
Ruggia et al. The dark side of native code on android
Borzacchiello et al. SENinja: A symbolic execution plugin for Binary Ninja
CN106778271A (en) A reverse-processing method for Android hardening plug-ins
CN107341403B (en) A file conversion method and device
KR20140088963A (en) System and method for testing runtime error
CN114625381A (en) A privacy policy text acquisition method, system and terminal

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant