CN108846280B - Application file shelling method and device - Google Patents


Publication number
CN108846280B
Authority
CN (China)
Application number
CN201810697104.0A
Other languages
Chinese (zh)
Other versions
CN108846280A
Inventors
汪德嘉, 华保健, 田凯, 王明慧
Current assignee
JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.; JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
Original assignee
Jiangsu Pay Egis Technology Co ltd; Jiangsu Tongfudun Information Security Technology Co ltd
Legal status
Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability


Abstract

The invention discloses a method and an apparatus for shelling (unpacking) an application file. The method comprises: monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to that method; judging, according to the process information, whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition; if so, converting the memory data of the current method to be shelled into first structure information; determining, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled; and repairing the second structure information using the first structure information, and generating the shelled DEX file from the repaired second structure information. In this way a reinforced (packed) application file can be shelled effectively, the integrity of the data in the resulting DEX file is guaranteed, and the shelling effect and shelling success rate are improved.

Description

Application file shelling method and device
Technical Field
The invention relates to the technical field of computers, and in particular to a method and an apparatus for shelling (i.e., unpacking) an application file.
Background
At present, as decompilation and reverse-engineering technologies mature, the security problems facing apps become more and more serious. A reinforcement (packing) scheme can be adopted to protect an app against cracking, repackaging and similar attacks, for example by reinforcing the app's apk (Android package) file. However, malicious apps and malicious code also frequently use reinforcement to resist detection such as antivirus scanning. Therefore, in order to detect malicious apps or malicious code, a common approach is to first shell the reinforced app and then check whether the shelled app is malicious.
In the prior art, a shelling tool is used to shell the file to be shelled (a reinforced application file). For example, DexHunter divides the DEX file in the file to be shelled into the data before class_defs, the class_defs data, and the data after class_defs; it first copies the data before class_defs and the data after class_defs directly from memory, then actively loads and initializes all classes in class_defs at once, then copies the loaded classes from memory, and assembles the three copied parts, thereby implementing shelling. As another example, the file to be shelled may be shelled with the indeid shelling tool.
However, in the course of implementing the present invention, the inventors found that the data of the real original file pointed to by the class files in the file to be shelled does not lie within the memory range of the DEX file; it has been modified and mapped into a memory region outside the DEX file's contiguous memory, so that the DEX file obtained after shelling is empty at the corresponding positions. It can be seen that the art lacks a method that solves this problem well.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a method and an apparatus for shelling an application file that overcome, or at least partially solve, the above problems.
According to one aspect of the present invention, a method for shelling an application file is provided, the method including:
monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to the current method to be shelled;
judging, according to that process information, whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition; if so, converting the memory data of the current method to be shelled into first structure information;
determining, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled;
and repairing the second structure information using the first structure information, and generating the DEX file obtained by shelling the file to be shelled according to the repaired second structure information.
According to another aspect of the present invention, an apparatus for shelling an application file is provided, the apparatus including:
a monitoring module adapted to monitor the current method to be shelled that is run by the file to be shelled;
a reading module adapted to read the process information corresponding to the current method to be shelled;
a judging module adapted to judge, according to that process information, whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition;
a conversion module adapted to convert the memory data of the current method to be shelled into first structure information if the process corresponding to the current method to be shelled is judged to meet the preset shelling condition;
a second structure information determining module adapted to determine, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled;
a repairing module adapted to repair the second structure information using the first structure information;
and a shelling module adapted to generate the DEX file obtained by shelling the file to be shelled according to the repaired second structure information.
According to yet another aspect of the present invention, a computing device is provided, comprising a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above method for shelling an application file.
According to still another aspect of the present invention, a computer storage medium is provided in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the method for shelling an application file described above.
According to the method and apparatus for shelling an application file, first the current method to be shelled that is run by the file to be shelled is monitored and the process information corresponding to that method is read; second, it is judged from the process information whether the process corresponding to the current method to be shelled meets the preset shelling condition, and if so, the memory data of the current method to be shelled is converted into first structure information; then the second structure information of the DEX file corresponding to the file to be shelled is determined from the first structure information; and finally the second structure information is repaired using the first structure information and the shelled DEX file is generated. In this way a reinforced application file can be shelled effectively, the integrity of the data in the resulting DEX file is guaranteed, and the shelling effect and shelling success rate are improved.
The foregoing is only an overview of the technical solution of the present invention. Embodiments of the present invention are described below so that the technical means of the invention can be understood more clearly, and so that the above and other objects, features and advantages of the invention become more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
fig. 1 is a flowchart illustrating a method for shelling an application file according to a first embodiment of the present invention;
fig. 2 is a flowchart illustrating a method for shelling an application file according to a second embodiment of the present invention;
fig. 3 is a schematic structural diagram illustrating a shelling apparatus for an application file according to a third embodiment of the present invention;
fig. 4 is a schematic structural diagram illustrating a shelling apparatus for an application file according to a fourth embodiment of the present invention;
fig. 5 is a schematic structural diagram of a computing device according to a fifth embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a flowchart illustrating a method for shelling an application file according to a first embodiment of the present invention. As shown in fig. 1, the method includes the following steps:
Step S101, monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to the current method to be shelled.
The file to be shelled is an application file that has undergone reinforcement processing, for example an apk (Android package) file in an Android environment. One apk file contains at least one DEX file, and one apk file corresponds to one process.
In this embodiment, shelling an apk file (the file to be shelled) that has been reinforced under the dalvik virtual machine is taken as the example. Put simply, the method of this embodiment extracts the methods that actually exist in the reinforced DEX file inside the apk, so as to obtain a complete DEX file. When the file to be shelled contains several DEX files, the method of this embodiment can still be used for shelling.
Monitoring the current method to be shelled that is run by the file to be shelled may be implemented by inserting monitoring code at the entry of the virtual machine's interpreter and using that code to monitor the methods passing through the interpreter; the invention is not limited in this respect. After the current method to be shelled has been detected, the process information corresponding to it is read; the process information may be the process name.
Step S102, judging, according to the process information corresponding to the current method to be shelled, whether the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
A process meeting the preset shelling condition is a process related to a program written in advance for the APP and related to the APP's functions, as distinct from a process belonging to the system itself or a third-party plug-in calling process. Whether the process meets the preset shelling condition can be determined from the process information read in step S101.
Step S103, if the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, converting the memory data of the current method to be shelled into first structure information.
If the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, the memory data of the current method to be shelled, which is binary memory data, is converted into first structure information so that it can be searched and modified later. If the process is judged not to meet the preset shelling condition, the current method to be shelled is not processed. That is, in the method of this embodiment, whether the current method to be shelled is shelled is decided by the process it belongs to: only methods whose corresponding process satisfies the preset condition are shelled.
Step S104, determining, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled.
In practice, a system function can be called to process the first structure information and thereby determine the second structure information of the DEX file corresponding to the file to be shelled. Specifically, the memory region of the DEX file in the file to be shelled is first determined from the first structure information, and then a system function is called to parse the data in that memory region, yielding the second structure information corresponding to the DEX file. The second structure information corresponds one-to-one with the information contained in the DEX file.
Step S105, repairing the second structure information using the first structure information, and generating the DEX file obtained by shelling the file to be shelled according to the repaired second structure information.
The second structure information is obtained from the DEX file in memory. Since part of the code in the DEX file may have been modified and mapped to a storage area in memory other than the file's contiguous memory, part of the code in the second structure information may consist of empty bytecode at those positions, so part of the bytecode in the second structure information needs to be repaired. The first structure information is obtained by monitoring the method to be shelled as it runs, and the memory data of a running method is real and valid in memory; that is, the first structure information is real and valid in memory.
After the second structure information has been repaired, the memory data of the complete DEX file's memory region is obtained, and writing that memory data to a disk file yields the DEX file obtained by shelling the file to be shelled.
According to the method and apparatus for shelling an application file, first the current method to be shelled that is run by the file to be shelled is monitored and the process information corresponding to that method is read; second, it is judged from the process information whether the process corresponding to the current method to be shelled meets the preset shelling condition, and if so, the memory data of the current method to be shelled is converted into first structure information; then the second structure information of the DEX file corresponding to the file to be shelled is determined from the first structure information; and finally the second structure information is repaired using the first structure information and the shelled DEX file is generated. In this way a reinforced application file can be shelled effectively, the integrity of the data in the resulting DEX file is guaranteed, and the shelling effect and shelling success rate are improved.
Fig. 2 is a flowchart illustrating a method for shelling an application file according to a second embodiment of the present invention. As shown in fig. 2, the method includes the following steps:
Step S201, monitoring the current method to be shelled that is run by the file to be shelled, and reading the process information corresponding to the current method to be shelled.
Specifically, monitoring code is inserted at the interpreter entry, and the monitoring code is used to monitor the current method to be shelled passing through the interpreter; the interpreter entry is the initial position at which the file to be shelled enters the interpreter function. In the Android source code, the monitoring code is inserted at the interpreter entry of the dalvik virtual machine, and the current method to be shelled passing through the interpreter is monitored there.
Optionally, before the method of this embodiment is executed, the interpretation mode of the virtual machine's executable file in the source code is changed to portable mode, where portable mode is suited to the corresponding programming runtime environment, such as C++. This ensures, first, that every executed statement in the file to be shelled passes through the interpreter; second, that any APP running on the source code runs in portable mode; and third, that the DEX file in the file to be shelled can be handled by the machine-code interpretation mode. In practice, other interpretation modes may be adopted according to the actual programming runtime environment, and the present invention is not limited in this respect.
Step S202, judging, according to the process information corresponding to the current method to be shelled, whether the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
The specific steps for judging whether the process corresponding to the current method to be shelled meets the preset shelling condition are as follows:
it is judged whether the process is related to a program associated with the application's functions, and if so, the process is judged to meet the preset shelling condition. In this way, whether the process corresponding to the current method to be shelled meets the preset shelling condition is judged directly, for example by judging whether the process is related to a program written in advance by a programmer for the APP and associated with the APP's functions.
In addition, in practice the following approach can be used to judge the process corresponding to the current method to be shelled: first judge whether the process is a system process or a plug-in calling process, and if it is neither, further judge whether it is a process related to a program associated with the application's functions. That is, a process satisfying the preset shelling condition specifically refers to a process that is related to the pre-written program corresponding to the file to be shelled, as opposed to a process belonging to the system itself or a third-party plug-in calling process.
In practice, either of the two approaches may be used alone to judge the process corresponding to the current method to be shelled, or the two may be combined; the invention is not limited in this respect.
Step S203, if the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, converting the memory data of the current method to be shelled into first structure information and storing the first structure information.
If the process corresponding to the current method to be shelled is judged to meet the preset shelling condition, the memory data of the current method to be shelled is converted into first structure information; depending on the actual situation there may be many items of first structure information. For a current method to be shelled whose process does not meet the preset shelling condition, the memory data is not processed.
Optionally, the first structure information may be stored in a hash table, which allows fast lookup. When a hash table is used, and the first structure information about to be stored is detected to be the same as first structure information already stored, it is not stored again; that is, the methods to be shelled held in the hash table are all distinct. In practice the first structure information may also be stored in other ways, for example in a linked list or in a binary tree; the invention is not limited in this respect.
Step S204, when the number of stored items of first structure information is greater than or equal to a preset threshold, determining the memory region of the DEX file in the file to be shelled according to attribute information contained in any one item of first structure information.
Steps S204 and S205 correspond to the method of determining the second structure information of the DEX file corresponding to the file to be shelled from the first structure information. In practice, once the number of stored items of first structure information reaches the preset threshold, the second structure information of the DEX file can be determined from any one item of first structure information; accordingly, the memory region of the DEX file in the file to be shelled can be determined from any one item of first structure information.
The preset threshold is chosen according to the size of the file to be shelled. If the threshold is too small, the subsequent repair process runs more often; if it is too large, a single repair takes a long time; in both cases repair efficiency is low, which is why the threshold is chosen according to the file size. Optionally, the preset threshold is set to 1000.
Determining the memory region of the DEX file in the file to be shelled from the attribute information contained in the first structure information specifically includes: determining the length of the DEX file from first attribute information contained in the first structure information; determining the start position of the DEX file from second attribute information contained in the first structure information; and determining the memory region of the DEX file in the file to be shelled from the length and the start position. For example, the DvmDex structure can be found from the clazz->pDvmDex attribute of the Method structure, the start position of the DEX file from the pDexFile->baseAddr attribute in the DvmDex structure, and the length of the DEX file from the pDexFile->pHeader->fileSize attribute in the DvmDex structure, which together give the position of the DEX file in memory, that is, the memory region of the DEX file in the file to be shelled.
Step S205, calling a system function to parse the data in the memory region, and obtaining second structure information corresponding to the methods in the DEX file.
The memory region of the DEX file obtained in step S204 is one whole block of memory containing a contiguous segment of data, from which the information of each method contained in the DEX file cannot be read directly, so the data in the memory region must be parsed. For example, the dexGetClassDef function is called to obtain a DexClassDef structure; all direct methods and virtual methods of the DexClassDef structure are then traversed, system functions such as dexGetMethodId, dexStringById and dexGetCode are called to parse the DexClassDef structure, and from the parsing result a Method structure, that is, the second structure information corresponding to each method contained in the DEX file, is determined.
Step S206, determining the bytecode in the first structure information and the bytecode in the second structure information.
Steps S206 to S210 correspond to the method of repairing the second structure information using the first structure information. First, the bytecode contained in the first structure information and the bytecode contained in the second structure information are determined respectively.
Step S207, comparing the bytecode in the first structure information with the bytecode in the second structure information to obtain a comparison result.
As explained for step S105, the second structure information is obtained from the DEX file in memory, and because part of the code in the DEX file may have been mapped to a storage area outside the file's contiguous memory, the second structure information may contain empty bytecode at those positions and must be repaired; the first structure information, obtained by monitoring methods that actually run, is real and valid in memory.
Specifically, the stored first structure information is traversed and its bytecode is compared with the bytecode in the second structure information to obtain a comparison result; from the comparison result, the bytecode that the second structure information lacks relative to the first structure information can be determined.
Step S208, determining, according to the comparison result, the first bytecode in the first structure information and the first bytecode position, i.e. the position of the first bytecode within the first structure information. The first bytecode is determined from the comparison result of step S207; specifically, it may be the portion of bytecode present in the first structure information but absent from the second structure information, that is, the bytecode that the second structure information lacks relative to the first structure information.
The first bytecode and the first bytecode position within the first structure information are determined from the comparison result.
Step S209, determining the second bytecode position in the second structure information that corresponds to the first bytecode position.
From the first bytecode and the first bytecode position determined in the previous step, the second bytecode position corresponding to the first bytecode position can be located in the second structure information.
Step S210, writing the first bytecode at the second bytecode position to obtain repaired second structure information, and generating the DEX file obtained by shelling the file to be shelled according to the repaired second structure information.
In this step, the bytecode that the second structure information lacks relative to the first structure information is written at the corresponding position in the second structure information, completing the repair. The repaired second structure information is the memory data of the complete DEX file's memory region, and writing that memory data to a file yields the DEX file obtained by shelling the file to be shelled.
In summary, in view of the prior-art situation in which part of the bytecode is missing from the DEX file obtained after shelling, this method innovatively inserts monitoring code at the interpreter entry of the virtual machine to monitor the methods to be shelled passing through the interpreter, obtains the memory data of the process corresponding to each such method and converts it into first structure information, and then repairs the DEX file using the first structure information. Because every running method in the file to be shelled passes through the interpreter entry where the monitoring code is inserted, the captured memory data (first structure information) is guaranteed to be real and valid, and repairing the DEX file with it guarantees that the memory data of the DEX file obtained after shelling is complete, thereby improving the shelling effect and shelling success rate.
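As an added illustration of steps S203 to S210 and of the memory-region check of step S204 (this is example code written for this page, not code from the patent or its assignees), the following C program models the repair in miniature. It does not use libdex: ModelDexImage, ModelMethodRecord, MonitoredMethod, MonitoredSet and the two-method scenario in demo_repair are constructed assumptions that stand in for the in-memory DEX file (second structure information) and the Method data captured at the interpreter entry (first structure information). The hash set implements the optional deduplication of step S203, insns_outside_dex checks the condition the patent describes (live bytecode mapped outside the DEX file's contiguous region), and repair_dex_image performs the compare-and-replace of steps S206 to S210, refusing to overwrite code that is already present.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, NOT libdex's real DexFile/DexCode/Method definitions.
 * Code offsets are indices into ModelDexImage.code. */
#define MAX_METHODS 8
#define INSNS_WORDS 4   /* 16-bit code units per method in this model */
#define SET_SLOTS   16

typedef struct { uint32_t method_idx, insns_off, insns_size; } ModelMethodRecord;

/* The DEX file as it sits in memory; parsing it yields the "second structure
 * information" (one ModelMethodRecord per method). */
typedef struct {
    uint32_t file_size, method_count;
    ModelMethodRecord methods[MAX_METHODS];
    uint16_t code[MAX_METHODS * INSNS_WORDS];
} ModelDexImage;

/* The "first structure information" an interpreter-entry hook captures for a
 * method that really executes: the DEX base/size the patent reads through
 * Method->clazz->pDvmDex->pDexFile, the method index and the live bytecode. */
typedef struct {
    const uint8_t *dex_base; uint32_t dex_size;
    uint32_t method_idx; const uint16_t *insns; uint32_t insns_size;
} MonitoredMethod;

/* Step S203: open-addressing hash set keyed by method index, so a method the
 * hook sees repeatedly is stored once. Returns true only when newly stored. */
typedef struct { MonitoredMethod slot[SET_SLOTS]; bool used[SET_SLOTS]; int count; } MonitoredSet;

bool monitored_set_add(MonitoredSet *set, const MonitoredMethod *m) {
    uint32_t h = (m->method_idx * 2654435761u) % SET_SLOTS;
    for (int probe = 0; probe < SET_SLOTS; probe++, h = (h + 1) % SET_SLOTS) {
        if (!set->used[h]) { set->slot[h] = *m; set->used[h] = true; set->count++; return true; }
        if (set->slot[h].method_idx == m->method_idx) return false;   /* duplicate */
    }
    return false;   /* set full */
}

/* The failure mode the patent describes: live bytecode mapped outside the DEX
 * file's contiguous region [base, base + size). */
bool insns_outside_dex(const MonitoredMethod *m) {
    uintptr_t p = (uintptr_t)m->insns, b = (uintptr_t)m->dex_base;
    return p < b || p >= b + m->dex_size;
}

static bool code_is_empty(const uint16_t *code, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) if (code[i] != 0) return false;
    return true;
}

/* Steps S206-S210: compare each monitored method's bytecode with the image's
 * copy; where the image holds only empty bytecode, write the live bytecode back
 * at the corresponding position. Returns methods repaired, or -1 if a monitored
 * method has no consistent record in the image. */
int repair_dex_image(ModelDexImage *img, const MonitoredSet *set) {
    int repaired = 0;
    for (int s = 0; s < SET_SLOTS; s++) {
        if (!set->used[s]) continue;
        const MonitoredMethod *m = &set->slot[s];
        ModelMethodRecord *rec = NULL;
        for (uint32_t i = 0; i < img->method_count; i++)
            if (img->methods[i].method_idx == m->method_idx) rec = &img->methods[i];
        if (!rec || rec->insns_size != m->insns_size ||
            rec->insns_off + rec->insns_size > MAX_METHODS * INSNS_WORDS) return -1;
        uint16_t *dst = &img->code[rec->insns_off];
        size_t bytes = m->insns_size * sizeof(uint16_t);
        if (memcmp(dst, m->insns, bytes) == 0) continue;     /* already complete */
        if (!code_is_empty(dst, rec->insns_size)) continue;  /* real code present: keep */
        memcpy(dst, m->insns, bytes);
        repaired++;
    }
    return repaired;
}

/* Constructed scenario (no real APK data): method 0 is intact in the image,
 * method 1's image slot is zeroed and its real code lives outside the image.
 * Leaves the repaired image in *img; returns the repair count (expected 1). */
static const uint16_t live_code_m1[INSNS_WORDS] = {0x1200, 0x0f00, 0x0e00, 0x0000};

int demo_repair(ModelDexImage *img) {
    memset(img, 0, sizeof *img);
    img->file_size = sizeof *img;
    img->method_count = 2;
    img->methods[0] = (ModelMethodRecord){0, 0, INSNS_WORDS};
    img->methods[1] = (ModelMethodRecord){1, INSNS_WORDS, INSNS_WORDS};
    img->code[0] = 0x7100; img->code[2] = 0x0e00;   /* method 0 intact; code[4..7] stay zero */
    MonitoredSet set = {0};
    MonitoredMethod m0 = {(const uint8_t *)img, img->file_size, 0, &img->code[0], INSNS_WORDS};
    MonitoredMethod m1 = {(const uint8_t *)img, img->file_size, 1, live_code_m1, INSNS_WORDS};
    monitored_set_add(&set, &m0);
    monitored_set_add(&set, &m1);
    monitored_set_add(&set, &m1);   /* seen again: hash set keeps one copy */
    return repair_dex_image(img, &set);
}
```

Two design points carry over to a real implementation: the repair only fills positions whose bytecode is empty, so an already-intact method (or a method the packer never relocated) is never clobbered by stale captured data, and any inconsistency between a captured method and the parsed image (unknown method index, mismatched code size, offset past the file's end) aborts the repair rather than writing into the wrong place, since a corrupt output DEX would silently undermine the malware analysis the patent is meant to support.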
Fig. 3 is a schematic structural diagram illustrating an apparatus for shelling an application file according to a third embodiment of the present invention, where as shown in fig. 3, the apparatus includes: a monitoring module 310, a reading module 320, a judging module 330, a converting module 340, a second structure information determining module 350, a repairing module 360, and a shelling module 370.
A monitoring module 310 adapted to monitor the current method to be shelled that is run by the file to be shelled;
a reading module 320, adapted to read process information corresponding to a current method to be shelled;
the determining module 330 is adapted to determine whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition according to the process information corresponding to the current method to be shelled;
the conversion module 340 is adapted to convert the memory data of the current method to be shelled into the first structure information if it is determined that the process corresponding to the current method to be shelled is a process satisfying a preset shelling condition;
a second structure information determining module 350, adapted to determine, according to the first structure information, second structure information of the DEX file corresponding to the file to be shelled;
the repairing module 360 is suitable for repairing the second structural body information by using the first structural body information;
and the shelling module 370 is adapted to generate a DEX file with a file to be shelled being shelled according to the repaired second structure information.
According to the shelling device for the application files provided by the embodiment, the application files after being reinforced can be effectively shelled, the integrity of the data of the obtained DEX files after shelling can be guaranteed, and the shelling effect and the shelling success rate are improved.
Fig. 4 is a schematic structural diagram of a shelling apparatus for application files according to a fourth embodiment of the present invention, and as shown in fig. 4, the shelling apparatus further includes, on the basis of the apparatus shown in fig. 3: a storage module 410 and a modification module 420.
A storage module 410 adapted to store the first structure information; the second structure information determining module 350 is further adapted to determine, when the number of the stored first structure information is greater than or equal to a preset threshold, the second structure information of the DEX file corresponding to the file to be shelled according to any one of the first structure information.
In a specific embodiment, the second structure information determining module 350 further includes:
the memory area determining unit 351 is adapted to determine a memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information;
the analyzing unit 352 is adapted to invoke a system function to analyze the data in the memory area, so as to obtain the second structure information corresponding to the method in the DEX file.
The memory region determination unit 351 is further adapted to:
determining the length of the DEX file according to first attribute information contained in the first structure information;
determining the starting position of the DEX file according to second attribute information contained in the first structure information;
and determining the memory area of the DEX file in the file to be shelled according to the length of the DEX file and the starting position of the DEX file.
The repair module 360 is further adapted to:
respectively determining the bytecode in the first structure information and the bytecode in the second structure information;
comparing the bytecode in the first structure information with the bytecode in the second structure information to obtain a comparison result;
according to the comparison result, determining a first bytecode in the first structure information and a first bytecode position of the first bytecode in the first structure information, wherein the first bytecode is bytecode that the second structure information lacks relative to the first structure information;
determining a second bytecode position in the second structure information corresponding to the first bytecode position;
and replacing the first bytecode at the second bytecode position to obtain the repaired second structure information.
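As an added example, not code from the patent, the memory-region determination and repair steps of step S210 and of the repair module 360 modelled in Python on a constructed DEX image: it cuts the DEX out of a constructed process image using the start position and length, compares per-method bytecode captured at the interpreter entry (the first structure information) with the dumped image (the second structure information), writes the missing bytes back, and then recomputes the DEX checksum and signature, which a raw dump otherwise carries stale. The CapturedMethod record, the two-method sample DEX and the surrounding memory image are constructed assumptions; the header and code_item layouts are those of the standard DEX format.

```python
"""Added example (not from the patent): the repair step of CN108846280B on a
constructed in-memory DEX. 'First structure information' is modelled as the
instruction bytes captured per method at the interpreter entry; 'second
structure information' is the DEX image parsed from the process memory region."""
import hashlib
import struct
import zlib
from dataclasses import dataclass

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
CODE_ITEM_INSNS_OFF = 16  # 4 x u2 sizes + debug_info_off + insns_size precede insns[]


@dataclass
class CapturedMethod:
    """Hypothetical record a monitor at the interpreter entry would keep:
    the method's code_item offset inside the DEX and the bytes it executed."""
    code_off: int
    insns: bytes


def dex_region(mem: bytes, begin: int, length: int) -> bytes:
    """Cut the DEX out of the process image from its start position and length
    (the patent's second and first attribute information) and sanity-check it."""
    dex = mem[begin:begin + length]
    if dex[:8] != DEX_MAGIC:
        raise ValueError("no DEX magic at the claimed start position")
    file_size, header_size = struct.unpack_from("<II", dex, 0x20)
    if header_size != HEADER_SIZE or file_size != length:
        raise ValueError("DEX header does not agree with the claimed length")
    return dex


def missing_bytecode(dex: bytes, captured: list) -> list:
    """Compare each captured method's instructions with the bytes at the same
    position in the dumped DEX; return (position, bytes) for every mismatch."""
    gaps = []
    for m in captured:
        insns_size, = struct.unpack_from("<I", dex, m.code_off + 12)
        if insns_size * 2 != len(m.insns):
            raise ValueError(f"insns_size mismatch at code_item 0x{m.code_off:x}")
        pos = m.code_off + CODE_ITEM_INSNS_OFF
        if dex[pos:pos + len(m.insns)] != m.insns:
            gaps.append((pos, m.insns))
    return gaps


def fix_checksums(dex: bytearray) -> None:
    """A dump keeps the original signature/checksum; after patching, both must be
    recomputed (SHA-1 over [32:], Adler-32 over [12:]) or loaders reject the file."""
    dex[12:32] = hashlib.sha1(dex[32:]).digest()
    struct.pack_into("<I", dex, 8, zlib.adler32(bytes(dex[12:])) & 0xFFFFFFFF)


def repair(dex: bytes, captured: list) -> bytes:
    """Write every missing bytecode back to its position and refresh the checksums."""
    out = bytearray(dex)
    for pos, insns in missing_bytecode(dex, captured):
        out[pos:pos + len(insns)] = insns
    fix_checksums(out)
    return bytes(out)


def verify(dex: bytes) -> bool:
    """True when both the Adler-32 checksum and the SHA-1 signature are consistent."""
    checksum, = struct.unpack_from("<I", dex, 8)
    return (checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
            and dex[12:32] == hashlib.sha1(dex[32:]).digest())


def _code_item(insns: bytes, registers: int) -> bytes:
    # registers_size, ins_size, outs_size, tries_size, debug_info_off, insns_size (u2 units)
    return struct.pack("<HHHHII", registers, 0, 0, 0, 0, len(insns) // 2) + insns


def build_sample():
    """Constructed two-method DEX: the original, a 'packed' dump in which the second
    method's instructions were zeroed, and the records the monitor would capture."""
    insns_a = b"\x0e\x00"                    # return-void
    insns_b = b"\x12\x00\x0f\x00"            # const/4 v0, #0 ; return v0
    item_a = _code_item(insns_a, 1) + b"\x00\x00"   # 18 bytes padded to 20
    item_b = _code_item(insns_b, 1)                   # 20 bytes
    body = item_a + item_b
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<III", header, 0x20, HEADER_SIZE + len(body), HEADER_SIZE, 0x12345678)
    struct.pack_into("<II", header, 0x68, len(body), HEADER_SIZE)  # data_size, data_off
    original = bytearray(header + body)
    fix_checksums(original)
    packed = bytearray(original)
    b_pos = HEADER_SIZE + len(item_a) + CODE_ITEM_INSNS_OFF
    packed[b_pos:b_pos + len(insns_b)] = b"\x00" * len(insns_b)  # body stripped by the packer
    captured = [CapturedMethod(HEADER_SIZE, insns_a),
                CapturedMethod(HEADER_SIZE + len(item_a), insns_b)]
    return bytes(original), bytes(packed), captured


def demo() -> bool:
    """Run the whole flow on a constructed process image; True when the repaired
    DEX is byte-identical to the original and its checksums verify."""
    original, packed, captured = build_sample()
    mem = b"\xff" * 32 + packed + b"\xee" * 8       # constructed process memory
    dex = dex_region(mem, 32, len(packed))
    gaps = missing_bytecode(dex, captured)          # exactly one gap: method B
    repaired = repair(dex, captured)
    return len(gaps) == 1 and not verify(dex) and verify(repaired) and repaired == original


if __name__ == "__main__":
    print("repair ok:", demo())
```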
The monitoring module 310 is further adapted to:
inserting a monitoring code at the entry of the interpreter, and using the monitoring code to monitor the current method to be shelled that passes through the interpreter;
wherein the interpreter entry is the initial position at which the file to be shelled enters the interpreter function.
In a specific embodiment, the above apparatus further comprises:
a modification module 420 adapted to modify an interpretation mode of the executable file of the virtual machine in the source code to a portable mode.
The determining module 330 is further adapted to:
and determining whether the process is related to a program associated with the functions of the application; if so, determining that the process is a process meeting the preset shelling condition.
The storage module 410 is further adapted to:
storing the first structure body information in a hash table; or storing the first structure body information in a linked list; or storing the first structure body information in a binary tree.
According to the device for shelling application files provided by this embodiment, a monitoring code is inserted into an interpreter entry of a virtual machine to monitor a method to be shelled that passes through the interpreter, so as to obtain memory data of a process corresponding to the method to be shelled and convert the memory data into first structure information, and then the first structure information is used to repair a DEX file. Firstly, inserting a monitoring code into an interpreter entrance, which can ensure that each running method in a file to be shelled passes through the interpreter entrance, thereby ensuring that the obtained memory data (first structure information) is real and effective; secondly, the first structure information is used for repairing the DEX file, so that the memory data of the DEX file obtained after the file to be shelled is shelled can be ensured to be complete, and the shelling effect and the shelling success rate are improved.
Embodiments of the present invention provide a non-volatile computer storage medium, where at least one executable instruction is stored in the computer storage medium, and the computer executable instruction may execute the method for shelling an application file in any of the above method embodiments.
Fig. 5 is a schematic structural diagram of a computing device according to a fifth embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor 502, a communication interface 504, a memory 506, and a communication bus 508.
Wherein:
the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
A communication interface 504 for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically execute the relevant steps in the foregoing embodiment of the method for shelling the application file.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
And a memory 506 for storing a program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 510 may be specifically configured to enable the processor 502 to execute the method for shelling an application file in any of the above-described method embodiments. For the specific implementation of each step in the program 510, reference may be made to the corresponding steps and the descriptions of the corresponding units in the foregoing embodiments of the method for shelling an application file, which are not repeated here. Those skilled in the art will understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may be found in the corresponding process descriptions of the foregoing method embodiments and are not repeated here.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not indicate any ordering; these words may be interpreted as names.

Claims (22)

1. A method for shelling an application file, comprising:
monitoring a current method to be shelled that is run by a file to be shelled, and reading process information corresponding to the current method to be shelled;
judging, according to the process information corresponding to the current method to be shelled, whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition; if yes, converting the memory data of the current method to be shelled into first structure information;
determining a memory area of the DEX file in the file to be shelled according to the attribute information contained in the first structure information;
calling a system function to analyze the data in the memory area to obtain second structural body information corresponding to the method in the DEX file;
and repairing the second structure information by using the first structure information, and generating the DEX file obtained after the file to be shelled is shelled according to the repaired second structure information.
2. The method according to claim 1, wherein the first structure information is plural, and after the step of converting the memory data of the current method to be shelled into the first structure information, the method further comprises:
storing the first structure body information;
determining a memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information, and calling a system function to analyze data in the memory area to obtain second structure information corresponding to the method in the DEX file, further comprising:
and when the number of the stored first structure information is greater than or equal to a preset threshold value, determining second structure information of the DEX file corresponding to the file to be shelled according to any one of the first structure information.
3. The method according to claim 1, wherein the determining the memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information further comprises:
determining the length of the DEX file according to first attribute information contained in the first structure information;
determining the starting position of the DEX file according to second attribute information contained in the first structure information;
and determining the memory area of the DEX file in the file to be shelled according to the length of the DEX file and the initial position of the DEX file.
4. The method of claim 1, wherein the repairing the second structure information using the first structure information further comprises:
respectively determining the bytecode in the first structure information and the bytecode in the second structure information;
comparing the bytecode in the first structure information with the bytecode in the second structure information to obtain a comparison result;
determining a first bytecode in the first structure information and a first bytecode position of the first bytecode in the first structure information according to the comparison result, wherein the first bytecode is bytecode that the second structure information lacks relative to the first structure information;
determining a second bytecode position in the second structure information corresponding to the first bytecode position;
and replacing the first bytecode at the second bytecode position to obtain the repaired second structure information.
5. The method of claim 1, wherein the monitoring a current to-be-shelled method on which the to-be-shelled file is run further comprises:
inserting a monitoring code at the entry of the interpreter, and using the monitoring code to monitor the current method to be shelled that passes through the interpreter;
wherein the interpreter entry is an initial position of the file to be shelled entering an interpreter function.
6. The method of claim 1, wherein prior to performing the method, further comprising:
and modifying the interpretation mode of the executable file of the virtual machine in the source code into a portable mode.
7. The method according to claim 1, wherein the determining whether the process corresponding to the current method to be shelled is a process satisfying a preset shelling condition further comprises:
and judging whether the process corresponding to the current method to be shelled is related to a program associated with the functions of the application; if so, determining that the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
8. The method of claim 2, wherein storing the first structure information further comprises:
storing the first structure body information in a hash table; or storing the first structure body information in a linked list; or storing the first structure body information in a binary tree.
9. The method according to claim 2, wherein the preset threshold is determined according to the size of the file to be shelled.
10. The method of claim 2, wherein the predetermined threshold is 1000.
11. An apparatus for shelling an application file, comprising:
the monitoring module is adapted to monitor the current method to be shelled that is run by the file to be shelled;
the reading module is adapted to read the process information corresponding to the current method to be shelled;
the judging module is adapted to judge, according to the process information corresponding to the current method to be shelled, whether the process corresponding to the current method to be shelled is a process meeting a preset shelling condition;
the conversion module is adapted to convert the memory data of the current method to be shelled into first structure information if the process corresponding to the current method to be shelled is judged to be a process meeting the preset shelling condition;
the second structural body information determination module includes: a memory area determination unit and an analysis unit,
the memory area determining unit is adapted to determine a memory area of the DEX file in the file to be shelled according to the attribute information included in the first structure information;
the analysis unit is suitable for calling a system function to analyze the data in the memory area to obtain second structural body information corresponding to the method in the DEX file;
the repairing module is suitable for repairing the second structural body information by using the first structural body information;
and the shelling module is suitable for generating the DEX file after the file to be shelled is shelled according to the repaired second structure body information.
12. The apparatus according to claim 11, wherein the first structure information is plural, the apparatus further comprising:
a storage module adapted to store the first structure information;
the second structure information determining module is further adapted to determine, when the number of the stored first structure information is greater than or equal to a preset threshold, second structure information of the DEX file corresponding to the file to be shelled according to any one of the first structure information.
13. The apparatus of claim 11, wherein the memory region determining unit is further adapted to:
determining the length of the DEX file according to first attribute information contained in the first structure information;
determining the starting position of the DEX file according to second attribute information contained in the first structure information;
and determining the memory area of the DEX file in the file to be shelled according to the length of the DEX file and the initial position of the DEX file.
14. The apparatus of claim 11, wherein the repair module is further adapted to:
respectively determining the bytecode in the first structure information and the bytecode in the second structure information;
comparing the bytecode in the first structure information with the bytecode in the second structure information to obtain a comparison result;
according to the comparison result, determining a first bytecode in the first structure information and a first bytecode position of the first bytecode in the first structure information, wherein the first bytecode is bytecode that the second structure information lacks relative to the first structure information;
determining a second bytecode position in the second structure information corresponding to the first bytecode position;
and replacing the first bytecode at the second bytecode position to obtain the repaired second structure information.
15. The apparatus of claim 11, wherein the monitoring module is further adapted to:
inserting a monitoring code at the entry of the interpreter, and using the monitoring code to monitor the current method to be shelled that passes through the interpreter;
wherein the interpreter entry is an initial position of the file to be shelled entering an interpreter function.
16. The apparatus of claim 11, further comprising:
and the modification module is suitable for modifying the interpretation mode of the executable file of the virtual machine in the source code into a portable mode.
17. The apparatus of claim 11, wherein the determining module is further adapted to:
and judging whether the process corresponding to the current method to be shelled is related to a program associated with the functions of the application; if so, determining that the process corresponding to the current method to be shelled is a process meeting the preset shelling condition.
18. The apparatus of claim 12, wherein the storage module is further adapted to:
storing the first structure body information in a hash table; or storing the first structure body information in a linked list; or storing the first structure body information in a binary tree.
19. The apparatus of claim 12, wherein the preset threshold is determined according to the size of the file to be shelled.
20. The apparatus of claim 12, wherein the preset threshold is 1000.
21. A computing device, comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the shelling method of the application file according to any one of claims 1-10.
22. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the method of shelling application files according to any one of claims 1 to 10.
CN201810697104.0A 2018-06-29 2018-06-29 Application file shelling method and device Active CN108846280B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810697104.0A CN108846280B (en) 2018-06-29 2018-06-29 Application file shelling method and device

Publications (2)

Publication Number Publication Date
CN108846280A CN108846280A (en) 2018-11-20
CN108846280B true CN108846280B (en) 2021-04-02

Family

ID=64199888

Country Status (1)

Country Link
CN (1) CN108846280B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109635565A (en) * 2018-11-28 2019-04-16 江苏通付盾信息安全技术有限公司 Malicious program detection method and apparatus, computing device and computer storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103530535A (en) * 2013-10-25 2014-01-22 苏州通付盾信息技术有限公司 Shell adding and removing method for Android platform application program protection
CN105574411A (en) * 2015-12-25 2016-05-11 北京奇虎科技有限公司 Dynamic unshelling method, device and equipment
CN105631335A (en) * 2015-12-25 2016-06-01 北京奇虎科技有限公司 Dynamic decompression method, device and apparatus
CN105930692A (en) * 2016-04-20 2016-09-07 北京鼎源科技有限公司 Dynamic shelling method for Android application
CN106022130A (en) * 2016-05-20 2016-10-12 中国科学院信息工程研究所 Shelling method and device for reinforced application program
CN107066886A (en) * 2017-04-13 2017-08-18 深圳海云安网络安全技术有限公司 Detection method for shelling of reinforced Android applications
CN107341392A (en) * 2016-04-29 2017-11-10 腾讯科技(深圳)有限公司 File hulling method and device in android system
CN107742078A (en) * 2017-05-04 2018-02-27 四川大学 General automatic DEX shelling method and system
CN108154011A (en) * 2018-01-12 2018-06-12 广州汇智通信技术有限公司 Shelling method, system, device and readable storage medium based on ART mode

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101154259A (en) * 2007-08-27 2008-04-02 电子科技大学 General automated shelling engine and method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20210218
Address after: 4f, building C2, Suzhou 2.5 Industrial Park, 88 Dongchang Road, Suzhou Industrial Park, Jiangsu Province, 215000
Applicant after: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
Applicant after: JIANGSU PAY EGIS TECHNOLOGY Co.,Ltd.
Address before: 215021 4 building, 2.5 Industrial Park, building 2.5, Dongchang Road, Suzhou Industrial Park, Jiangsu, China, C2
Applicant before: JIANGSU TONGFUDUN INFORMATION SECURITY TECHNOLOGY Co.,Ltd.
GR01 Patent grant