CN108959921A - Malware analysis method based on an intelligent terminal chip - Google Patents

Malware analysis method based on an intelligent terminal chip

Info

Publication number
CN108959921A
Authority
CN
China
Prior art keywords
chip
intelligent terminal
malware
data
malware analysis
Prior art date
Legal status
Granted
Application number
CN201810538417.1A
Other languages
Chinese (zh)
Other versions
CN108959921B (en)
Inventor
李毅
陈贤斌
左震宇
汤伟
Current Assignee
Rock Software (shanghai) Co Ltd
Original Assignee
Rock Software (shanghai) Co Ltd
Priority date
Filing date
Publication date
Application filed by Rock Software (shanghai) Co Ltd
Priority to CN201810538417.1A
Publication of CN108959921A
Application granted
Publication of CN108959921B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/562 Static detection
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The invention discloses a malware analysis method based on the chip of an intelligent terminal. The method first removes the corresponding IC (storage) chip from the intelligent terminal, reads the logical-unit data held in the chip, and then analyzes that data. By disassembling the intelligent terminal to obtain its IC chip and analyzing malware behaviour from the data stored on the chip, the scheme can analyze malware and collect evidence even when the intelligent terminal cannot be powered on normally, which effectively solves the problem that malware on a damaged intelligent terminal cannot be analyzed.

Description

Malware analysis method based on an intelligent terminal chip
Technical field
The present invention relates to electronic evidence collection (digital forensics) technology, and in particular to the forensic analysis of malware.
Background
In recent years, with the rapid growth in the number of smartphone users, phones have gained more and more functions, and large amounts of user privacy and financial information are stored on them. Security problems have become increasingly pressing: criminals write malware that hides itself on a user's phone and then steals the user's private information or subscribes to paid services at will, causing the user financial loss and privacy leakage.
Various malware analysis tools have been designed in response, but most existing malware analysis tools require the smartphone to be in a state in which it can be powered on and run. If the smartphone cannot boot because of damage or for other reasons, these malware analysis tools have nothing to work with and the evidence collection reaches an impasse; at present there is no good method that fully solves this problem.
Summary of the invention
Because existing malware analysis tools cannot perform malware analysis when the smart device cannot boot, a new malware analysis scheme for smart devices is needed.
To this end, the purpose of the present invention is to provide a malware analysis method based on the chip of the intelligent terminal, which can effectively solve the problem of analyzing malware on smartphones that cannot boot.
To achieve the above objective, the malware analysis method based on an intelligent terminal chip provided by the invention comprises the following steps:
obtaining the IC chip on the intelligent terminal's mainboard;
reading the low-level data of the IC chip into a single file;
parsing the successfully read file;
performing malware analysis on the parsed data file.
Further, when reading the IC chip's data, the chip is converted into a USB disk and then read, generating a single dump file.
The scheme provided by the invention obtains the IC chip by disassembling the intelligent terminal and analyzes malware behaviour from the data stored on the IC chip. It can analyze malware and collect evidence even when the intelligent terminal cannot be powered on normally, thus effectively solving the problem that malware on a damaged intelligent terminal cannot be analyzed, which is an important breakthrough for electronic evidence collection work.
Brief description of the drawings
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a flow chart of malware analysis on a damaged smartphone in the present example;
Fig. 2 is a structural schematic of the read/conversion module in the present example.
Detailed description
To make the technical means, creative features, objectives and effects achieved by the present invention easy to understand, the invention is further explained below with reference to specific illustrations.
This example analyzes the behaviour of phone malware by reading the relevant data directly from the intelligent terminal's chip, outside a terminal that cannot be powered on and run. The scheme does not require the intelligent terminal to boot, and can analyze the software originally present on the terminal.
Specifically, the scheme by which this example performs malware analysis on an intelligent terminal that cannot boot is as follows:
first, disassemble the intelligent terminal and obtain its corresponding IC chip;
then, read the intelligent terminal's IC chip into a single dump file;
then, parse the data of the single dump file;
finally, perform malicious-behaviour analysis on the parsed data with a malware analysis tool.
Malware analysis is thereby achieved for an intelligent terminal that cannot boot.
In addition, the intelligent terminals targeted by this example are existing conventional intelligent terminals, such as smartphones and tablets running the Android system, or smartphones and tablets running iOS.
The above scheme is illustrated below with an application example, taking an Android phone as the example.
The smartphone in this example runs the Android system, and it is damaged and cannot be powered on normally. In this situation, in order to effectively analyze the malicious behaviour of the software installed on the smartphone, this example uses the following scheme:
Step 101: obtain the IC chip on the smartphone's mainboard.
This step specifically obtains the storage chip on the smartphone's mainboard: first, according to the phone model, disassemble the phone to expose its mainboard and locate the phone's storage chip; then remove the chip from the mainboard with a desoldering tool, and clean and dry it for use.
Step 102: read the IC chip's low-level data into a single file.
This step places the storage chip removed in step 101 on a corresponding conversion device, which converts the storage chip into a USB disk and reads it, generating a single dump file; in this way all of the data left on the storage chip can be read out quickly and completely.
In this scheme the pins of the removed storage chip are adapted to an SD-card interface, which is then connected to a hardware module that reads SD cards, so that the eMMC chip is converted into a USB disk and read.
Referring to Fig. 2, this scheme converts the chip into a USB disk and reads it through the following read/conversion module.
As seen from the figure, the read/conversion module mainly comprises an STM32 control microcontroller, an SD/eMMC-to-USB read module and a USB hub. The SD/eMMC-to-USB read module is connected to the eMMC chip through the eMMC bus and to the USB hub through a USB data cable; the STM32 microcontroller is connected to the eMMC chip through the eMMC bus and to the USB hub through a USB data cable; the USB hub is in turn connected to several USB interfaces.
By converting the eMMC chip into a USB disk for reading, the following can be achieved:
1. information such as the capacity of the storage chip (字库, the phone's flash memory) can be recognized;
2. a dump file can be read from the storage chip;
3. each partition directory and the associated files inside the storage chip can be read normally;
4. the storage chip is recognized by Windows Disk Management.
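The acquisition in step 102, as an added example (not the patent's conversion device or its software): once the reader presents the eMMC chip as a USB disk, the host sees a block device, and the single dump file is produced by reading that device end to end while hashing it. The device path /dev/sdX, the 4 MiB bulk read size and the JSON record layout are assumptions. Unlike a plain copy, the read falls back to sector-by-sector reads and zero-fills sectors the chip cannot return, because a damaged chip is exactly the case the patent targets, and a dump whose offsets have shifted past a bad sector is useless for the partition parsing that follows. The FlakyDevice class is a constructed stand-in used only for the demo.

```python
"""Step 102 in code: acquire the chip (enumerated as a USB disk by the
reader) into one dump file, tolerating unreadable sectors. Added example,
not the patent's tool; device paths, sizes and record layout are assumed."""
import hashlib
import io
import json

BLOCK = 4 * 1024 * 1024   # bulk read size (assumption; any multiple of 512)
SECTOR = 512              # logical sector size presented by eMMC/SD readers


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _read_sector_by_sector(src, offset, size, bad):
    """Fallback for a failed bulk read: retry one sector at a time and
    zero-fill sectors that still fail (dd's conv=noerror,sync), so every
    later offset in the dump still lines up with the chip."""
    out = bytearray()
    for pos in range(offset, offset + size, SECTOR):
        try:
            src.seek(pos)
            piece = src.read(SECTOR)
        except OSError:
            bad.append(pos)
            piece = b"\x00" * SECTOR
        if not piece:            # end of device
            break
        out += piece
    return bytes(out)


def image_device(src, dst, block=BLOCK):
    """Copy src (an open, read-only, seekable binary handle, e.g. /dev/sdX
    behind the eMMC-to-USB reader) to dst in full, hashing as it goes.
    Returns the acquisition record to be filed with the dump."""
    digest = hashlib.sha256()
    bad = []
    offset = 0
    while True:
        try:
            src.seek(offset)
            chunk = src.read(block)
        except OSError:
            chunk = _read_sector_by_sector(src, offset, block, bad)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    dst.flush()
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_sectors": bad}


def acquire(device_path, dump_path):
    """Real use: image the reader's block device (path is an assumption)
    into a single dump file and write the record beside it."""
    with open(device_path, "rb", buffering=0) as src, open(dump_path, "wb") as dst:
        record = image_device(src, dst)
    with open(dump_path + ".json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record


class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a chip with one sector that returns EIO."""
    def __init__(self, data, bad_offset):
        super().__init__(data)
        self.bad_offset = bad_offset

    def read(self, size=-1):
        start = self.tell()
        if size > 0 and start <= self.bad_offset < start + size:
            raise OSError(5, "Input/output error")
        return super().read(size)


def demo():
    """Image a 16 KiB constructed chip whose sector at 0x1000 is unreadable;
    returns (record, dump bytes, the bytes a correct dump must contain)."""
    sample = bytes(range(256)) * 64
    bad_at = 0x1000
    dst = io.BytesIO()
    record = image_device(FlakyDevice(sample, bad_at), dst)
    expected = sample[:bad_at] + b"\x00" * SECTOR + sample[bad_at + SECTOR:]
    return record, dst.getvalue(), expected


if __name__ == "__main__":
    rec, dump, expected = demo()
    print(json.dumps(rec, indent=2))
    print("dump matches chip outside the bad sector:", dump == expected)
```

Mount nothing: open the device read-only (a hardware write blocker between the reader and the host is the usual precaution) and keep the record with the dump, since the hash is what later ties the extracted program files back to the chip. The sha256 is of the dump as written, zero-filled sectors included, so the bad-sector list belongs in the case file next to it.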
Step 103: parse the successfully read file.
For each dump file read in, this step performs data analysis with a parsing tool to extract malware-related program files.
Step 104: perform malware analysis on the parsed data file.
This step performs malicious-behaviour analysis on the malware-related program files extracted in step 103.
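Steps 103 and 104, as an added example of the parsing side (the patent does not describe how its parsing tool locates program files, and the behaviour analysis of step 104 is left to the analysis tool): Android devices lay out the eMMC with a GPT, so the dump is walked by verifying the GPT header and partition-entry CRCs, enumerating the partitions, and then carving zip archives that carry an AndroidManifest.xml out of each partition's byte range and hashing them for hand-off. Carving by signature rather than walking ext4/f2fs also works when the file-system metadata on a damaged chip is unreadable. The dump built by build_dump(), the partition names and the planted package are constructed for the demo and are not from the patent. One caveat the patent's "most Android or iOS phones" does not mention: on devices with file-based or full-disk encryption keyed to hardware (standard on current Android and on every iPhone), the userdata partition in a chip-off dump is ciphertext, and this carving will find the GPT but no packages.

```python
"""Steps 103-104 in code: parse the single dump file (GPT of an Android
eMMC) and carve APK candidates out of each partition for the behaviour-
analysis tool. Added example, not the patent's parsing tool; the image
returned by build_dump() is constructed for the demo."""
import hashlib
import io
import struct
import uuid
import zipfile
import zlib

SECTOR = 512
GPT_HDR = "<8sIIIIQQQQ16sQIII"   # 92-byte GPT header
LINUX_FS = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # Linux filesystem data
APK_OFFSET = 1100 * SECTOR + 100  # where the demo plants its APK (deliberately unaligned)


def parse_gpt(img):
    """Return partition entries of a raw dump, checking the header and
    entry-array CRC32s; falls back to the backup header at the last LBA."""
    for lba in (1, len(img) // SECTOR - 1):
        hdr = bytes(img[lba * SECTOR:lba * SECTOR + 92])
        if hdr[:8] != b"EFI PART":
            continue
        f = struct.unpack(GPT_HDR, hdr)
        if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:]) != f[3]:
            continue                   # corrupt header: try the backup copy
        entries_lba, count, esize, arr_crc = f[10], f[11], f[12], f[13]
        arr = bytes(img[entries_lba * SECTOR:entries_lba * SECTOR + count * esize])
        if zlib.crc32(arr) != arr_crc:
            continue
        parts = []
        for i in range(count):
            e = arr[i * esize:(i + 1) * esize]
            ptype = uuid.UUID(bytes_le=e[:16])
            if ptype.int == 0:         # unused slot
                continue
            first, last = struct.unpack_from("<QQ", e, 32)
            parts.append({"index": i, "name": e[56:128].decode("utf-16-le").rstrip("\x00"),
                          "type": str(ptype), "first_lba": first, "last_lba": last})
        return parts
    raise ValueError("no valid GPT header in dump")


def carve_apks(img, part):
    """Scan one partition's byte range for zip archives that contain an
    AndroidManifest.xml, verify their entry CRCs and hash them."""
    lo, hi = part["first_lba"] * SECTOR, (part["last_lba"] + 1) * SECTOR
    hits, pos = [], lo
    while (s := img.find(b"PK\x03\x04", pos, hi)) >= 0:
        e = img.find(b"PK\x05\x06", s, hi)           # end-of-central-directory
        if e < 0:
            break
        end = e + 22 + struct.unpack_from("<H", img, e + 20)[0]   # EOCD + comment
        blob = bytes(img[s:end])
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                names = z.namelist()
                intact = z.testzip() is None
        except zipfile.BadZipFile:
            pos = s + 4
            continue
        if intact and "AndroidManifest.xml" in names:
            hits.append({"partition": part["name"], "offset": s, "size": len(blob),
                         "sha256": hashlib.sha256(blob).hexdigest(), "entries": names})
        pos = end
    return hits


def make_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_dump(total_lbas=2048):
    """Constructed 1 MiB dump: protective MBR, GPT with 'system' and
    'userdata', a benign zip in system and an APK-like zip in userdata."""
    img = bytearray(total_lbas * SECTOR)
    img[510:512] = b"\x55\xaa"
    arr = bytearray()
    for i, (name, first, last) in enumerate([("system", 64, 1023), ("userdata", 1024, total_lbas - 34)]):
        arr += LINUX_FS.bytes_le + uuid.UUID(int=i + 1).bytes_le + struct.pack("<QQQ", first, last, 0)
        arr += name.encode("utf-16-le").ljust(72, b"\x00")
    arr = bytes(arr.ljust(128 * 128, b"\x00"))
    img[2 * SECTOR:2 * SECTOR + len(arr)] = arr
    hdr = struct.pack(GPT_HDR, b"EFI PART", 0x00010000, 92, 0, 0, 1, total_lbas - 1, 34,
                      total_lbas - 34, uuid.UUID(int=0xABCD).bytes_le, 2, 128, 128, zlib.crc32(arr))
    img[SECTOR:SECTOR + 92] = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]
    benign = make_zip({"readme.txt": b"not an app"})
    img[100 * SECTOR:100 * SECTOR + len(benign)] = benign
    apk = make_zip({"AndroidManifest.xml": b"<manifest package='com.example.dropper'/>",
                    "classes.dex": b"dex\n035\x00" + bytes(64)})
    img[APK_OFFSET:APK_OFFSET + len(apk)] = apk
    return img


def demo():
    img = build_dump()
    parts = parse_gpt(img)
    return parts, [h for p in parts for h in carve_apks(img, p)]


if __name__ == "__main__":
    parts, hits = demo()
    for p in parts:
        print(f"{p['index']:>2} {p['name']:<10} LBA {p['first_lba']}-{p['last_lba']}")
    for h in hits:
        print(f"APK candidate in {h['partition']} @ {h['offset']:#x} sha256={h['sha256'][:16]}.. {h['entries']}")
```

The benign zip in system is skipped because it has no manifest; the CRC check via testzip() rejects carved fragments whose entries were partially overwritten, which is the usual outcome on a worn chip. A real dump of a working device would be fed to parse_gpt() straight from the file produced in step 102, and each hit's offset and sha256 are what the hand-off record to the behaviour-analysis tool should carry.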
From the above four steps it can be seen that this scheme is based on the intelligent terminal's chip: it directly reads the data in the smartphone's storage chip and analyzes the behaviour of phone malware, and the scheme can be applied to various smart devices, including most Android or iOS phones, tablets and the like.
When used for electronic evidence collection, the malware analysis scheme based on the intelligent terminal chip provided by this example can perform correct and fast analysis on a damaged intelligent terminal.
Based on the above scheme, a malware analysis tool based on the intelligent terminal chip is formed. The analysis tool consists of cooperating software and hardware, including a smartphone disassembly tool, a conversion device, a data parsing tool and a malware behaviour analysis tool, where the conversion device has a data connection to the data parsing tool, and the data parsing tool has a data connection to the malware behaviour analysis tool.
When the malware analysis tool thus constituted performs malware behaviour analysis and evidence collection on a damaged intelligent terminal, it first obtains the IC chip from the phone's mainboard with the smartphone disassembly tool; then the IC chip is placed in the conversion device, which converts the storage chip into a USB disk, reads the logical-unit data in the chip, generates a single dump file and transmits it in real time to the data parsing tool; then the data parsing tool performs malware analysis on the received data, extracts malware-related program files on the basis of the analysis results and transmits them in real time to the malware behaviour analysis tool; finally, the malware behaviour analysis tool performs malware behaviour analysis on the received malware-related program files and, according to standard specifications, outputs electronic evidence that has the same authenticity as paper evidence and is recognized by the public security organs, procuratorates, courts and other relevant departments.
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the above embodiments and the description only illustrate the principles of the invention, and various changes and improvements may be made to the invention without departing from its spirit and scope, all of which fall within the claimed scope of protection. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (2)

1. A malware analysis method based on an intelligent terminal chip, characterized in that it comprises the following steps:
obtaining the IC chip on the intelligent terminal's mainboard;
reading the low-level data of the IC chip into a single file;
parsing the successfully read file;
performing malware analysis on the parsed data file.
2. The malware analysis method according to claim 1, characterized in that, when reading the IC chip's data, the chip is converted into a USB disk and then read, generating a single dump file.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810538417.1A CN108959921B (en) 2018-05-30 2018-05-30 Malicious software analysis method based on intelligent terminal chip

Publications (2)

Publication Number Publication Date
CN108959921A true CN108959921A (en) 2018-12-07
CN108959921B CN108959921B (en) 2023-04-14

Family

ID=64492595

Country Status (1)

Country Link
CN (1) CN108959921B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103136476A (en) * 2011-12-01 2013-06-05 深圳市证通电子股份有限公司 Mobile intelligent terminal malicious software analysis system
CN104598419A (en) * 2015-02-13 2015-05-06 北京安信荣达科技有限公司 Memory-chip data acquiring device for AX-flash mobile phones
CN105183395A (en) * 2015-09-18 2015-12-23 四川效率源信息安全技术股份有限公司 Data extraction method for mobile phone storage chip
CN205158208U (en) * 2015-11-03 2016-04-13 上海良相智能化工程有限公司 Electron investigation case of collecting evidence

Non-Patent Citations (1)

Title
刘铁铭 et al.: "存储数据逆向分析与电子取证实验室建设实践与思考" (Practice and reflections on building a laboratory for reverse analysis of stored data and digital forensics), 《计算机工程与科学》 (Computer Engineering and Science) *

Also Published As

Publication number Publication date
CN108959921B (en) 2023-04-14

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant