CN109033764A - Antialiasing processing method and terminal, computer equipment - Google Patents
Antialiasing processing method and terminal, computer equipment Download PDFInfo
- Publication number
- CN109033764A CN109033764A CN201710432152.2A CN201710432152A CN109033764A CN 109033764 A CN109033764 A CN 109033764A CN 201710432152 A CN201710432152 A CN 201710432152A CN 109033764 A CN109033764 A CN 109033764A
- Authority
- CN
- China
- Prior art keywords
- variable
- antialiasing
- destination node
- data
- node
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 23
- 238000012545 processing Methods 0.000 claims abstract description 91
- 230000006870 function Effects 0.000 claims description 85
- 238000000034 method Methods 0.000 claims description 33
- 230000000694 effects Effects 0.000 claims description 24
- 238000012512 characterization method Methods 0.000 claims description 12
- 230000009977 dual effect Effects 0.000 claims description 10
- 238000004364 calculation method Methods 0.000 claims description 2
- 238000004458 analytical method Methods 0.000 description 25
- 238000010586 diagram Methods 0.000 description 10
- 230000006399 behavior Effects 0.000 description 8
- 238000010276 construction Methods 0.000 description 5
- 238000011156 evaluation Methods 0.000 description 5
- 230000002441 reversible effect Effects 0.000 description 5
- 230000003068 static effect Effects 0.000 description 4
- 230000000295 complement effect Effects 0.000 description 3
- 238000012360 testing method Methods 0.000 description 3
- 238000013459 approach Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000036961 partial effect Effects 0.000 description 2
- 239000000523 sample Substances 0.000 description 2
- 230000009466 transformation Effects 0.000 description 2
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000015572 biosynthetic process Effects 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000009795 derivation Methods 0.000 description 1
- 230000002147 killing effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 238000007620 mathematical function Methods 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 238000005086 pumping Methods 0.000 description 1
- 230000002829 reductive effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 239000011800 void material Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Virology (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- User Interface Of Digital Computer (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
The invention discloses a kind of antialiasing processing method and terminals, computer equipment, which comprises obtains obfuscated data, the obfuscated data is to carry out obscuring the data obtained after processing to former data;The obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained;Based on the structure of the abstract syntax tree, each node of the abstract syntax tree is traversed, when traversing destination node, antialiasing operation is executed to the corresponding scope of the destination node according to the type of the destination node;The abstract syntax tree is rebuild according to antialiasing operating result;According to the abstract syntax tree of reconstruction, the former data are obtained.
Description
Technical field
The present invention relates to antialiasing processing technique more particularly to a kind of antialiasing processing methods and terminal, computer equipment.
Background technique
Javascript is a kind of scripting language for operating in client, and all users can read its complete source generation
Code.And many developers are not intended to the code logic of oneself, function by direct reading, such as: security classes front-end code, sensitive behaviour
Make the front-end code of class.And for the authors of some Malwares, the key logic of oneself code can be also covered by every means,
Hide the identification killing of antivirus software with this.In order to increase the difficulty of code analysis, many hackers will use Code obfuscation work
Have the malicious software code to encrypt oneself, such as: extension horse, cross-site attack.Analysis personnel are former in order to analyze malicious software code
Manage, probe into the real behavior of Malware, it is necessary to obtain and antialiasing conversed analysis processing is carried out to script.
And malicious code hard to understand, automation, the antialiasing conversed analysis work of assisted class are read for difficult after a large amount of Code obfuscations
Tool is just particularly necessary, and the antialiasing conversed analysis tool of some Javascript is merely able to realize simple code format in the industry at present
The antialiasing processing such as beautification, canonical replacement, syntax tree replacement are shown for being added to the obfuscated codes of large amount of complex expression formula
It obtains more out of strength.
Summary of the invention
In order to solve the above technical problems, the embodiment of the invention provides a kind of antialiasing processing method and terminals, computer
Storage medium, computer equipment.
Antialiasing processing method provided in an embodiment of the present invention, comprising:
Obfuscated data is obtained, the obfuscated data is to carry out obscuring the data obtained after processing to former data;
The obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained;
Based on the structure of the abstract syntax tree, each node of the abstract syntax tree is traversed, mesh is traversed
When marking node, antialiasing operation is executed to the corresponding scope of the destination node according to the type of the destination node;
The abstract syntax tree is rebuild according to antialiasing operating result;
According to the abstract syntax tree of reconstruction, the former data are obtained.
In the embodiment of the present invention, the type according to the destination node holds the corresponding scope of the destination node
The antialiasing operation of row, comprising:
Identify the scope of the destination node;
According to the type of the destination node, local back mixing is carried out to the target data in the scope of the destination node
Confuse processing, and antialiasing treated as a result, updating the abstract syntax tree according to part.
In the embodiment of the present invention, the type according to the destination node, in the scope of the destination node
Target data carries out the antialiasing processing in part, comprising:
Following behaviour is executed to the target data in the scope of the destination node according to the type of the destination node
At least one of make:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence behaviour
Make, member's expression formula processing operation, decryption oprerations.
In the embodiment of the present invention, the method also includes:
Class for characterizing scope chain is set, and the class for characterizing scope chain includes at least following variable: making
With domain variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
In the embodiment of the present invention, the method also includes:
When traversing destination node, the data in the effect domain variable are stored into father's variable, by the mesh
Variable data under the corresponding scope of mark node is stored into the effect domain variable, and by the level in the layer variable
Number increases preset step-length.
In the embodiment of the present invention, the type of the destination node is function call type, correspondingly, the destination node packet
Include the first child node and the second child node, wherein first child node is used to characterize the function called, second child node
For characterization parameter;
The type according to the destination node executes antialiasing operation, packet to the corresponding scope of the destination node
It includes:
Antialiasing operation is carried out to the parameter of second child node characterization;
Corresponding function is executed according to the type of first child node, obtains function processing result;
The function processing result is replaced into the abstract syntax tree on corresponding node.
In the embodiment of the present invention, the structure based on the abstract syntax tree, to each section of the abstract syntax tree
Point is traversed, comprising:
Sequence is executed according to the logic of the obfuscated data, each node of the abstract syntax tree is sequentially carried out time
It goes through.
Terminal provided in an embodiment of the present invention, comprising:
Acquiring unit, for obtaining obfuscated data, the obfuscated data obtain after obscuring processing to former data
Data;
First resolution unit obtains the corresponding abstract language of the obfuscated data for parsing to the obfuscated data
Method tree;
Antialiasing unit, for the structure based on the abstract syntax tree, to each node of the abstract syntax tree into
Row traversal when traversing destination node, executes the corresponding scope of the destination node according to the type of the destination node
Antialiasing operation;
Reconstruction unit, for being rebuild according to antialiasing operating result to the abstract syntax tree;
Second resolution unit obtains the former data for the abstract syntax tree according to reconstruction.
In the embodiment of the present invention, the antialiasing unit includes:
Scope tracks subelement, for identification the scope of the destination node;
Antialiasing processing subelement, for the type according to the destination node, in the scope of the destination node
Target data carry out the antialiasing processing in part.
In the embodiment of the present invention, the antialiasing processing subelement is specifically used for: according to the type of the destination node,
At least one of to the target data in the scope of the destination node, perform the following operations:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence behaviour
Make, member's expression formula processing operation, decryption oprerations.
In the embodiment of the present invention, the terminal further include:
Setting unit, for the class for characterizing scope chain to be arranged, the class for characterizing scope chain is at least wrapped
Include following variable: effect domain variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
In the embodiment of the present invention, the setting unit will be in the effect domain variable when being also used to traverse destination node
Data store into father's variable, the variable data under the corresponding scope of the destination node is stored to the effect
In domain variable, and by the layer variable number of levels increase preset step-length.
In the embodiment of the present invention, the type of the destination node is function call type, correspondingly, the destination node packet
Include the first child node and the second child node, wherein first child node is used to characterize the function called, second child node
For characterization parameter;
The antialiasing unit, is specifically used for: carrying out antialiasing operation to the parameter of second child node characterization;According to
The type of first child node executes corresponding function, obtains function processing result;By the function processing result replace to
In the abstract syntax tree on corresponding node.
In the embodiment of the present invention, the antialiasing unit, for executing sequence according to the logic of the obfuscated data, to institute
The each node for stating abstract syntax tree is sequentially traversed.
Computer storage medium provided in an embodiment of the present invention, is stored thereon with computer executable instructions, and feature exists
In the computer executable instructions realize antialiasing processing method provided in an embodiment of the present invention when being executed by processor.
Computer equipment provided in an embodiment of the present invention, including memory, processor and storage are on a memory and can be
The computer executable instructions run on processor, which is characterized in that the processor executes the computer executable instructions
Shi Shixian antialiasing processing method provided in an embodiment of the present invention.
In the technical solution of the embodiment of the present invention, obfuscated data is obtained, the obfuscated data is to obscure former data
The data obtained after processing;The obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained;It is based on
The structure of the abstract syntax tree traverses each node of the abstract syntax tree, when traversing destination node, according to
The type of the destination node executes antialiasing operation to the corresponding scope of the destination node;According to antialiasing operating result
The abstract syntax tree is rebuild;According to the abstract syntax tree of reconstruction, the former data are obtained.Using the embodiment of the present invention
Technical solution, traverse code logic from abstract syntax tree level, the antialiasing place in part carried out to legal code logic
Reason, reduce the complexity of code process, so, it is possible for it is various complicate expression formulas obfuscated codes realize automation,
Complementary antialiasing conversed analysis can realize neatly obfuscated codes in the case where freedom degree certain to analysis personnel
Automated analysis.
Detailed description of the invention
Fig. 1 is the flow diagram one of the antialiasing processing method of the embodiment of the present invention;
Fig. 2 is the antialiasing processing system architecture diagram of the embodiment of the present invention;
Fig. 3 is the flow diagram two of the antialiasing processing method of the embodiment of the present invention;
Fig. 4 is the class formation figure of the ScopeChain of the embodiment of the present invention;
Fig. 5 is the local execution flow chart of the function call expression statement of the embodiment of the present invention;
Fig. 6 is the structure composition schematic diagram of the terminal of the embodiment of the present invention;
Fig. 7 is the structure composition schematic diagram of the computer equipment of the embodiment of the present invention.
Specific embodiment
The characteristics of in order to more fully hereinafter understand the embodiment of the present invention and technology contents, with reference to the accompanying drawing to this hair
The realization of bright embodiment is described in detail, appended attached drawing purposes of discussion only for reference, is not used to limit the embodiment of the present invention.
The following are the present embodiments relate to the explanations of the relational language arrived:
Abstract syntax tree (AST, Abstract Syntax Tree): to program statement carry out morphology and syntactic analysis it
Afterwards, tree is formed by when being derived according to the syntax rule of the program statement, AST represents the derivation result of program statement.
Obscure (obfuscate): Code obfuscation refers to program code, and it is constant to be converted into function, but be difficult to read and
The form of understanding.The program for executing Code obfuscation is referred to as code obfuscator.
Antialiasing (deobfuscate): the reverse procedure of Code obfuscation carries out conversed analysis to the code after obscuring, also
Original goes out its initial more readable source code logic, executes the program obscured for radix-minus-one complement and is referred to as the antialiasing device of code.
In order to realize the conversed analysis to Javascript obfuscated codes, the antialiasing conversed analysis tool of Javascript
The mode that (the antialiasing device of also referred to as JS) is replaced using code format beautification, canonical matching mostly, and using syntax tree to word
The variables such as symbol string carry out the mode of static replacement, carry out antialiasing processing.These antialiasing processing scheme scope of application more offices
Limit, and maloperation is more, for having used a large amount of obfuscated codes for complicating expression formula and Custom Encryption decryption function
It is more out of strength.
Fig. 1 is the flow diagram one of the antialiasing processing method of the embodiment of the present invention, as shown in Figure 1, described antialiasing
Processing method the following steps are included:
Step 101: obtaining obfuscated data, the obfuscated data is to carry out obscuring the data obtained after processing to former data.
The technical solution of the embodiment of the present invention is intended to carry out antialiasing processing to obfuscated data, and here, obfuscated data refers to
Former data are carried out to obscure the data obtained after processing.Further, former data refer to the program in machine code with language-specific rule,
Such as Javascript.Following embodiment of the present invention is explained by taking Javascript as an example, and those skilled in the art answer
Work as understanding, the technical solution of the embodiment of the present invention is not limited to Javascript, can also be the program in machine code of other language.
In the embodiment of the present invention, the mode of obfuscated data and with no restrictions is obtained, is that Javascript is with obfuscated data
Example, since Javascript is the scripting language for operating in client, can be directly obtained by client
Javascript, here, Javascript refer to the program code that is confused that treated.
Step 102: the obfuscated data being parsed, the corresponding abstract syntax tree of the obfuscated data is obtained.
In the embodiment of the present invention, abstract syntax tree is the tree-shaped expression of the abstract syntax structure of source code, each of on tree
Node all indicates one of source code structure.Such as: in the abstract syntax tree of construction if-condition-then sentence
When, it is only necessary to indicate that abstract syntax tree, a node are condition with two nodes, another node is if_body.
Obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained, namely: according to obfuscated data
Construct corresponding abstract syntax tree.Here, the optimal path for constructing abstract syntax tree is with the parsed of program in machine code
Journey;The node of abstract syntax tree is constructed for each production rule, is then directed toward its leaf node using pointer.Here, it constructs
When abstract syntax tree, need to plunder some unessential regular (such as direct transformation rules), or again in subsequent analysis not
The part (such as bracket, variable declarations etc.) wanted.
Step 103: the structure based on the abstract syntax tree traverses each node of the abstract syntax tree,
When traversing destination node, antialiasing behaviour is executed to the corresponding scope of the destination node according to the type of the destination node
Make.
In the embodiment of the present invention, sequence is executed according to the logic of the obfuscated data, to each of the abstract syntax tree
Node is sequentially traversed.Here, since abstract syntax tree represents the execution framework of obfuscated data, thus, obfuscated data
What logic execution sequence also determined each node in abstract syntax tree executes sequence.
The type according to the destination node executes antialiasing operation, packet to the corresponding scope of the destination node
It includes:
Identify the scope of the destination node;
According to the type of the destination node, local back mixing is carried out to the target data in the scope of the destination node
Confuse processing, and antialiasing treated as a result, updating the abstract syntax tree according to part.
Here, the antialiasing processing in part includes at least one of following operation:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence behaviour
Make, member's expression formula processing operation, decryption oprerations.
In above scheme, the type according to destination node is needed, determines which operation needed specifically to execute.
In the embodiment of the present invention, need to be arranged the class for characterizing scope chain, it is described for characterizing the class of scope chain
Including at least following variable: effect domain variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
In this way, the tracking of scope may be implemented, specifically:, will be in the effect domain variable when traversing destination node
Data store into father's variable, the variable data under the corresponding scope of the destination node is stored to the effect
In domain variable, and by the layer variable number of levels increase preset step-length.Work as in this way, being stored with always in effect domain variable
Variable data under prescope.
Step 104: the abstract syntax tree being rebuild according to antialiasing operating result.
By taking the type of destination node is function call type as an example, destination node includes the first child node and the second son section
Point, wherein first child node is used to characterize the function called, and second child node is used for characterization parameter.
Specifically, antialiasing operation is carried out to the parameter of second child node characterization;
Corresponding function is executed according to the type of first child node, obtains function processing result;
The function processing result is replaced into the abstract syntax tree on corresponding node.
Step 105: according to the abstract syntax tree of reconstruction, obtaining the former data.
In the embodiment of the present invention, since the abstract syntax tree of reconstruction has been processed by antialiasing, can be to reconstruction
Abstract syntax tree reversely analyzed, obtain former data.
In the technical solution of the embodiment of the present invention, code logic is traversed from abstract syntax tree level, to legal generation
Code logic carries out the antialiasing processing in part, reduces the complexity of code process;In addition, decrypting obscuring under known symmetry algorithm
Ciphertext, the readable source code content of final output so, it is possible to realize for the various obfuscated codes for complicating expression formula automatic
Change, complementary antialiasing conversed analysis, can realize spirit to obfuscated codes in the case where freedom degree certain to analysis personnel
Ground living automated analysis.
Fig. 2 is the antialiasing processing system architecture diagram of the embodiment of the present invention, as shown in Fig. 2, the system includes the following modules:
Syntax parsing module, antialiasing module, scope chain module, code output module, result output module.Below to modules
Function be illustrated respectively, it is notable that in explanation explained below by data be code for:
Syntax parsing module: it can be realized by esprima grammar parser;Syntax parsing module is obscured input
Code carries out morphology syntax parsing, derives and generates abstract syntax tree, so as to subsequent antialiasing procedure treatment.
Antialiasing module: function is executed including abstract syntax tree traversal function and part.Wherein, abstract syntax tree traverses function
Can refer to: the structure based on abstract syntax tree carries out depth-first traversal to each node.It is antialiasing inverse that part, which executes function,
To the core engine of analysis, different types of code logic branch can be handled, be carried out according to node type corresponding
It parses and locally executes operation.Such as: variable declarations, definition, assignment, binary, unitary, logical operation, member variable operation, function
Identification of definition etc..It is above-mentioned to need to identify the scope of present node when carrying out part execution operation, thus need to combine
Scope chain module in the embodiment of the present invention carries out evaluation to local code logic or equivalence transformation is handled, antialiasing for more
Add readable logical construction form, and updates corresponding node in original abstract syntax tree.
Scope chain module: for recording the scope information converting in abstract syntax tree structure partial implementation procedure, and
Variable in implementation procedure is stored for calling.Furthermore it is possible to which customized setting encryption and decryption function is to obscure generation to original
Partial content in code is decrypted.
Code output module: for the abstract syntax tree construction after antialiasing reverse process to be carried out code reverse, finally
The source code of formatting is restored from new abstract syntax tree.
As a result output module: for source code to be saved in specified file and is exported.
Fig. 3 is the flow diagram two of the antialiasing processing method of the embodiment of the present invention, as shown in figure 3, described antialiasing
Processing method the following steps are included:
Step 301: syntax parsing being carried out to the source code of input, exports corresponding abstract syntax tree.
Here, source code is parsed into abstract syntax tree construction so as to the processing of down-stream, in one embodiment,
Syntax parsing is carried out to source code using esprima engine, exports the abstract syntax tree construction of JSON format.
Step 302: abstract syntax tree structural body being traversed, corresponding sentence logic is carried out according to the type of node
Local treatment.
Here, abstract syntax tree structural body is gradually traversed according to the execution of source statement sequence, according to node
Type to corresponding sentence logic carry out Local treatment.
When traversing some node (also referred to as destination node) in abstract syntax tree, need to execute the node as follows
One or more back mixing processing operations in step 303 to step 307.
Step 303: variable processing operation.
Here, variable processing operation includes but is not limited to following operation: the phases such as variable declarations, variable-definition, variable assignments
Close accessing operation.
When concrete application, source code Javascript is based on this, and the node of performance variable processing operation includes
AssignmentExpression、MemberExpression、VariableDeclaration、VariableDeclarator
Equal nodes here carry out that the scope for combining node current is needed specifically to be handled when variable processing operation.
Step 304: function processing operation.
Here, function processing operation includes at least: function declaration operation, function expression processing operation.Executing function
When processing operation, need to carry out the scope tracking operation of node simultaneously.Here, the scope tracking operation of node refers to: when
When traversing first node, when prescope is the scope of first node.When traversing next node, i.e. second node
When, when the scope that prescope is second node.As it can be seen that when prescope needs are realized with the node currently traversed
Tracking switching.
Step 305: member's expression formula processing operation.
Here, local execution is carried out for member's expression formula under certain specific conditions.Such as: the character of global variable statement
Go here and there array, in code directly using numeric suffix quote its value the case where.Many obfuscated codes are mentioned using global aray variable
String content is taken, character string is replaced with into the form of array member variable to carry out code complication processing.
Step 306: unary operation, dual operation, logical operation.
Here, it for the fixed unary operation of some results, dual operation, logical operation, needs to carry out pre-execution processing.
Such as:
Under UnaryExpression node "+" "-" "~" "!" unary operations such as " delete " " void " " typeof ".
The logical operations such as " | | " " && under LogicalExpression node ".
Under BinaryExpression node " | " " ^ " " & " "<<" ">>" ">>>" "==" "!=" "===" " > "
The dual operations such as "<" "≤" ">=" "+" "-" " * " "/" " % ".
Step 307: the processing operation of function call processing operation and encryption and decryption function.
In the present embodiment, local pre-execution evaluation, example are carried out to the function that some inputs are constant, output is fixed value
Such as:
The return value of the methods of the substr/charAt of character string constant;
The array being made of completely character string constant, the return value of the methods of join/reverse/slice;
As a result it is called for the mathematical function of constant, such as Math.sin (3.14);
And the calling of the encryption and decryption function of code preset value.
Here, analysis personnel can according to Manual analysis as a result, the independent function used of some object codes of typing in advance,
Such as customized encryption and decryption function.In the function call node for traversing these preset values, according to analysis personnel's typing
Counterlogic carries out pre-execution processing, and the return value after executing will be replaced at corresponding object code.
Step 308: by above-mentioned back mixing, treated that return value is substituted on corresponding grammer tree node.
Step 309: JavaScript code being regenerated according to new abstract syntax tree, and is output to finger after beautifying format
Determine file.
The process flows such as the variable of the embodiment of the present invention and scope, function call are described further below.
In the technical solution of the embodiment of the present invention, in order to realize automation to code carry out parsing and part execute, become
Amount and scope chain play a key effect.In the embodiment of the present invention, pass through the class of an entitled scope chain (ScopeChain)
To carry out the deposit, reading and the tracking of scope chain of variable.As shown in figure 4, Fig. 4 illustrates the class knot of ScopeChain
Structure.
The scope trace flow of structure based on Fig. 4, the embodiment of the present invention is as follows:
When traversal processing abstract syntax tree, scope variable storage in ScopChain is when all changes under prescope
Data are measured, parent variable then stores all upper layer informations, the level variable storage scope number of levels of current parsing.
When traversing the nodes such as FunctionDeclaration, FunctionExpression, enter method is called, is indicated entry into down
One level scope, and variable scope storage is reinitialized into variable parent, and to scope variable for storing
When the variable information of prescope.It can specifically realize that scope is tracked by following code:
This.parent={ " scope ": this.scope, " parent ": this.parent };
This.scope=Object.create (this.scope).
Variable assignments and access process in the embodiment of the present invention is as follows:
Variable data is stored in the scope variable of ScopeChain by way of dictionary key-value pair, such as:
A=1
After parsing, the value of scope variable is
{"a":1}
According to the syntactic property of JavaScript, there are several crucial syntactic nodes to need to carry out variable processing, comprising:
AssignmentExpression assignment expression, VariableDeclarator variable declarations, VariableDeclaration
Variable declarations sentence.
Since JavaScript syntax can directly be stated without var keyword and use variable, so handling
It may be also required to carry out the operation such as variable initializer show when AssignmentExpression expression formula.
In the embodiment of the present invention, the variable in code is divided into three types: literal type, reference type, identification type.
For literal type, its value is directly deposited into the scope member variable (hereinafter referred to as scope) of ScopeChain
In.
For reference type, need to be quoted storage into scope, such as:
A=[1,2]
B=a
B [1]=5
console.log(a)
The a that output comes is [1,5].
When initialization and storage Reference Type Variable, such as " b=a " in above-mentioned example, process flow are as follows: first in scope
A variable is found, and its value is directly assigned to a variable.
For identification type variable, referring here to syntactic node type is Identifier and the customized change of non-user
Amount, such as document, window, String.Here, a class is used alone to indicate the syntactic information of these variables:
And the example of this IdentifierVar class is stored in scope, the grammer section of the variable is called in its elsewhere
Point restores its original sample.Such as:
A=[1, document]
console.log(a[1])
In above-mentioned code, the corresponding abstract syntax tree node of document variable are as follows: { " type ": "
Identifier","name":"document"}。
After operation processing of the invention, document grammer section will be replaced with as former state at the reference of the second row a [1]
Point.The code exported after antialiasing are as follows:
Code can be carried out complication processing by the function of some fixed input and output by most of Code obfuscation programs,
Such as: the methods of String.fromCharCode, Math.abs come replace it is some number, character strings.To keep Code obfuscation difficult
It reads.The embodiment of the present invention carries out automating local execution to these flower instructions, comprising:
The automatic evaluation of special object attribute, such as: string.length, regex.source, array.length
The automatic calling evaluation of ad hoc approach, such as: string.charCodeAt (), string.replace (),
String.slice (), number.toString (), array.concat () etc.
The static method of certain kinds, such as: String.fromCharCode, Number.parseInt (), Date.parse
(), Math.abs () etc.
It is specific to be always on and some overall situation functions, such as: Number.NaN, Math.E, isFinite (), parseFloat (),
EncodeURIComponent () etc..
The encryption and decryption function of analysis personnel's preset value, also will do it automatic execution.
After the completion of these functions execute, then corresponding function call point replaced with into the return value of function, and is written to pumping
As in syntax tree.
Fig. 5 is the local execution flow chart of the function call expression statement of the embodiment of the present invention, as shown in figure 5, the stream
Journey includes:
Step 501: the node for identifying traversal is the node of CallExpression type, is carried out to the parameter of calling pre-
Processing.
Here, CallExpression node includes two child nodes, and a child node is callee, and callee indicates to adjust
Specific function, another child node are arguments, arguments expression parameter.
Here, incoming parameter is pre-processed.Specifically, parameter is simplified, if in parameter comprising it is some at
Member's expression formula, unary operation, dual operation, logical operation etc. first carry out local execution.Such as:
B=[1,2,3]
test(b[1],2)
Call parameter b [1] incoming when test function that can pre-process as its true value: 2.It is as follows after processing:
test(2,2)
Step 502: classification processing is carried out according to the type of callee.
Here, following steps 503 are carried out to the classification processing described in step 505 according to the type of callee.
Step 503:callee is Identifier type, and corresponding overall situation function calls.
For overall situation function call, further the parameter incoming to its judges: parameter whether be can calculated value (value
For constant or can evaluation variable), and whether discriminant function name can be in pre-execution range of function.It should if it is, executing
Function, and return the result.If it is not, then whether query function name is the preset encryption and decryption function of analysis personnel, if it is hold
It goes and returns the result.
Step 504:callee is MemberExpression, and the static method of corresponding certain kinds calls.
Here, callee MemberExpression, and callee.object is Identifier type,
Callee.property is Identifier type.Such as: String.fromCharCode, Number.parseInt (),
Date.parse () etc..
Step 505:callee is MemberExpression, the ad hoc approach of corresponding certain data types.
Here, callee MemberExpression, and callee.object is Literal type,
Callee.property is Identifier type.Such as: [' a', ' r', ' r', ' a', ' y'] .join (), 2..toString
()、'string'.substr()
Step 506: corresponding function being executed according to specific function call scene, and implementing result is substituted into abstract syntax
In the respective nodes of tree.
The technical solution of the embodiment of the present invention realizes from abstract syntax tree level and fast and automatically changes, is accurately antialiasing
Process flow, it is possible to reduce a large amount of time-consuming and laborious artificial antialiasing work, automatic simplified code remove useless logic.In addition,
It supports to execute the part of function call, analysis personnel can preset encryption and decryption function, the antialiasing degree of flexible control routine.
In conjunction with Manual analysis, can be semi-automatic will some customized asymmetric encryption functions progress batch processings.Also, supporting function
Domain identification, can effectively identify the mark of the same name for distinguishing different role domain, be handled from syntax parsing layer adhesion semanteme, guarantee
The accuracy of operation is effectively reduced and accidentally to handle.The processing that may influence the part execution sentence of code logic is evaded, simultaneously
Also there is preferable scalability, as the process flow of the embodiment of the present invention combines the customized a set of processing rule of specific obfuscation schemes
Then, specific aim automatic processing is carried out.
Fig. 6 is the structure composition schematic diagram of the terminal of the embodiment of the present invention, as shown in fig. 6, the terminal includes:
Acquiring unit 61, for obtaining obfuscated data, the obfuscated data is to carry out obtaining after obscuring processing to former data
Data;
It is corresponding abstract to obtain the obfuscated data for parsing to the obfuscated data for first resolution unit 62
Syntax tree;
Antialiasing unit 63, for the structure based on the abstract syntax tree, to each node of the abstract syntax tree
It is traversed, when traversing destination node, the corresponding scope of the destination node is held according to the type of the destination node
The antialiasing operation of row;
Reconstruction unit 64, for being rebuild according to antialiasing operating result to the abstract syntax tree;
Second resolution unit 65 obtains the former data for the abstract syntax tree according to reconstruction.
In an embodiment of the present invention, the antialiasing unit 63 includes:
Scope tracks subelement 631, for identification the scope of the destination node;
Antialiasing processing subelement 632, for the type according to the destination node, to the scope of the destination node
Interior target data carries out the antialiasing processing in part.
In an embodiment of the present invention, the antialiasing processing subelement 632 is specifically used for: according to the target section
At least one of the type of point, to the target data in the scope of the destination node, perform the following operations:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence behaviour
Make, member's expression formula processing operation, decryption oprerations.
In an embodiment of the present invention, the terminal further include:
Setting unit 66, for the class for characterizing scope chain to be arranged, the class for characterizing scope chain is at least
Including following variable: effect domain variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
In an embodiment of the present invention, the setting unit 66, when being also used to traverse destination node, by the effect
Data in domain variable are stored into father's variable, by the variable data under the corresponding scope of the destination node store to
In the effect domain variable, and by the layer variable number of levels increase preset step-length.
In an embodiment of the present invention, the type of the destination node is function call type, correspondingly, the target
Node include the first child node and the second child node, wherein first child node be used for characterize calling function, described second
Child node is used for characterization parameter;
The antialiasing unit 63, is specifically used for: carrying out antialiasing operation to the parameter of second child node characterization;Root
Corresponding function is executed according to the type of first child node, obtains function processing result;The function processing result is replaced
To corresponding node in the abstract syntax tree.
In an embodiment of the present invention, the antialiasing unit 63, for being executed according to the logic of the obfuscated data
Sequentially, each node of the abstract syntax tree is sequentially traversed.
The technical solution of the embodiment of the present invention is based on abstract syntax tree and parses to obfuscated codes (such as JavaScript),
And combine semantic analysis, it then follows code primary grammer logic carries out reverse process to obfuscated codes, while relying on and locally executing
Thought carries out certain static interpreter to code and executes, to realize the antialiasing automatic processing frame of efficiently and accurately.This
The technical solution of inventive embodiments is not limited to specific Substitution Rules, is executed automatically according to source code according to grammer.
It will be appreciated by those skilled in the art that the realization function of each unit in terminal shown in fig. 6 can refer to it is aforementioned anti-
Obscure the associated description of processing method and understands.The function of each unit in terminal shown in fig. 6 can be by running on processor
On program and realize, can also be realized by specific logic circuit.
If the above-mentioned terminal of the embodiment of the present invention is realized in the form of software function module and is sold as independent product
Or it in use, also can store in a computer readable storage medium.Based on this understanding, the embodiment of the present invention
Substantially the part that contributes to existing technology can be embodied in the form of software products technical solution in other words, the meter
Calculation machine software product is stored in a storage medium, including some instructions are used so that a computer equipment (can be a
People's computer, server or network equipment etc.) execute all or part of each embodiment the method for the present invention.And it is preceding
The storage medium stated includes: USB flash disk, mobile hard disk, read-only memory (ROM, Read Only Memory), magnetic or disk etc.
The various media that can store program code.It is combined in this way, the embodiment of the present invention is not limited to any specific hardware and software.
Correspondingly, the embodiment of the present invention also provides a kind of computer storage medium, wherein being stored with, computer is executable to be referred to
It enables, the above-mentioned antialiasing processing method of the embodiment of the present invention is realized when which is executed by processor.
Fig. 7 is the structure composition schematic diagram of the computer equipment of the embodiment of the present invention, as shown in fig. 7, the computer is set
It is standby to include memory 701, processor 702 and be stored in the computer that run on memory 701 and on processor 702 and can hold
Row instruction, the processor 702 realize following method and step when executing the computer executable instructions:
Obfuscated data is obtained, the obfuscated data is to carry out obscuring the data obtained after processing to former data;
The obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained;
Based on the structure of the abstract syntax tree, each node of the abstract syntax tree is traversed, mesh is traversed
When marking node, antialiasing operation is executed to the corresponding scope of the destination node according to the type of the destination node;
The abstract syntax tree is rebuild according to antialiasing operating result;
According to the abstract syntax tree of reconstruction, the former data are obtained.
Above is referred to the description of computer equipment, be with above method description it is similar, the beneficial effect with method describes,
It does not repeat them here.
It, in the absence of conflict, can be in any combination between technical solution documented by the embodiment of the present invention.
The above description is merely a specific embodiment, but scope of protection of the present invention is not limited thereto, any
Those familiar with the art in the technical scope disclosed by the present invention, can easily think of the change or the replacement, and should all contain
Lid is within protection scope of the present invention.
Claims (15)
1. a kind of antialiasing processing method, which is characterized in that the described method includes:
Obfuscated data is obtained, the obfuscated data is to carry out obscuring the data obtained after processing to former data;
The obfuscated data is parsed, the corresponding abstract syntax tree of the obfuscated data is obtained;
Based on the structure of the abstract syntax tree, each node of the abstract syntax tree is traversed, target section is traversed
When point, antialiasing operation is executed to the corresponding scope of the destination node according to the type of the destination node;
The abstract syntax tree is rebuild according to antialiasing operating result;
According to the abstract syntax tree of reconstruction, the former data are obtained.
2. antialiasing processing method according to claim 1, which is characterized in that the type according to the destination node
Antialiasing operation is executed to the corresponding scope of the destination node, comprising:
Identify the scope of the destination node;
According to the type of the destination node, the antialiasing place in part is carried out to the target data in the scope of the destination node
Reason, and antialiasing treated as a result, updating the abstract syntax tree according to part.
3. antialiasing processing method according to claim 2, which is characterized in that the class according to the destination node
Type carries out the antialiasing processing in part to the target data in the scope of the destination node, comprising:
The target data in the scope of the destination node is performed the following operations according to the type of the destination node
At least one:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence operation, at
The operation of member's expression processing, decryption oprerations.
4. antialiasing processing method according to claim 1, which is characterized in that the method also includes:
Class for characterizing scope chain is set, and the class for characterizing scope chain includes at least following variable: scope
Variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
5. antialiasing processing method according to claim 4, which is characterized in that the method also includes:
When traversing destination node, the data in the effect domain variable are stored into father's variable, by the target section
Variable data under the corresponding scope of point is stored into the effect domain variable, and the number of levels in the layer variable is increased
Add preset step-length.
6. antialiasing processing method according to claim 1, which is characterized in that the type of the destination node is function tune
With type, correspondingly, the destination node includes the first child node and the second child node, wherein first child node is used for
The function called is characterized, second child node is used for characterization parameter;
The type according to the destination node executes antialiasing operation to the corresponding scope of the destination node, comprising:
Antialiasing operation is carried out to the parameter of second child node characterization;
Corresponding function is executed according to the type of first child node, obtains function processing result;
The function processing result is replaced into the abstract syntax tree on corresponding node.
7. antialiasing processing method according to any one of claims 1 to 6, which is characterized in that described based on described abstract
The structure of syntax tree traverses each node of the abstract syntax tree, comprising:
Sequence is executed according to the logic of the obfuscated data, each node of the abstract syntax tree is sequentially traversed.
8. a kind of terminal, which is characterized in that the terminal includes:
Acquiring unit, for obtaining obfuscated data, the obfuscated data is to carry out obscuring the data obtained after processing to former data;
First resolution unit obtains the corresponding abstract syntax tree of the obfuscated data for parsing to the obfuscated data;
Antialiasing unit, each node progress time for the structure based on the abstract syntax tree, to the abstract syntax tree
It goes through, when traversing destination node, back mixing is executed to the corresponding scope of the destination node according to the type of the destination node
Confuse operation;
Reconstruction unit, for being rebuild according to antialiasing operating result to the abstract syntax tree;
Second resolution unit obtains the former data for the abstract syntax tree according to reconstruction.
9. terminal according to claim 8, which is characterized in that the antialiasing unit includes:
Scope tracks subelement, for identification the scope of the destination node;
Antialiasing processing subelement, for the type according to the destination node, to the mesh in the scope of the destination node
It marks data and carries out the antialiasing processing in part.
10. terminal according to claim 9, which is characterized in that the antialiasing processing subelement is specifically used for: according to
At least one of the type of the destination node, to the target data in the scope of the destination node, perform the following operations:
Variable processing operation, assignment operation, function processing operation, unary operation, dual operation, logical operation, sentence operation, at
The operation of member's expression processing, decryption oprerations.
11. terminal according to claim 8, which is characterized in that the terminal further include:
Setting unit, for the class for characterizing scope chain to be arranged, the class for characterizing scope chain is included at least such as
Lower variable: effect domain variable, father's variable, layer variable, wherein
The effect domain variable is used to store the variable data when under prescope;
Father's variable is for storing upper layer variable data;
The layer variable is used to store the number of levels when prescope.
12. terminal according to claim 11, which is characterized in that the setting unit is also used to traverse destination node
When, the data in the effect domain variable are stored into father's variable, it will be under the corresponding scope of the destination node
Variable data is stored into the effect domain variable, and the number of levels in the layer variable is increased preset step-length.
13. terminal according to claim 8, which is characterized in that the type of the destination node is function call type, phase
Ying Di, the destination node include the first child node and the second child node, wherein first child node is used to characterize calling
Function, second child node are used for characterization parameter;
The antialiasing unit, is specifically used for: carrying out antialiasing operation to the parameter of second child node characterization;According to described
The type of first child node executes corresponding function, obtains function processing result;The function processing result is replaced to described
In abstract syntax tree on corresponding node.
14. according to the described in any item terminals of claim 8 to 13, which is characterized in that the antialiasing unit, for according to institute
The logic for stating obfuscated data executes sequence, sequentially traverses to each node of the abstract syntax tree.
15. a kind of computer equipment including memory, processor and stores the meter that can be run on a memory and on a processor
Calculation machine executable instruction, which is characterized in that the processor realizes claim 1-7 when executing the computer executable instructions
Described in any item method and steps.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710432152.2A CN109033764B (en) | 2017-06-09 | 2017-06-09 | Anti-confusion processing method, terminal and computer equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710432152.2A CN109033764B (en) | 2017-06-09 | 2017-06-09 | Anti-confusion processing method, terminal and computer equipment |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN109033764A true CN109033764A (en) | 2018-12-18 |
| CN109033764B CN109033764B (en) | 2023-04-11 |
Family
ID=64628745
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710432152.2A Active CN109033764B (en) | 2017-06-09 | 2017-06-09 | Anti-confusion processing method, terminal and computer equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN109033764B (en) |
Cited By (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109992935A (en) * | 2019-03-15 | 2019-07-09 | 同盾控股有限公司 | A kind of source code guard method and device |
| CN110209766A (en) * | 2019-05-23 | 2019-09-06 | 招商局金融科技有限公司 | Method for exhibiting data, electronic device and storage medium |
| CN110555291A (en) * | 2019-08-06 | 2019-12-10 | 苏宁云计算有限公司 | webpage script code protection method and device |
| CN110647329A (en) * | 2019-08-13 | 2020-01-03 | 平安科技(深圳)有限公司 | Code obfuscation method, apparatus, computer device and storage medium |
| CN110750789A (en) * | 2019-10-18 | 2020-02-04 | 杭州奇盾信息技术有限公司 | De-obfuscation method, de-obfuscation device, computer apparatus, and storage medium |
| CN111090856A (en) * | 2020-03-23 | 2020-05-01 | 杭州有数金融信息服务有限公司 | Crawler detection method based on browser feature detection and event monitoring |
| CN111475809A (en) * | 2020-04-09 | 2020-07-31 | 杭州奇盾信息技术有限公司 | Script confusion detection method and device, computer equipment and storage medium |
| CN112084498A (en) * | 2020-09-11 | 2020-12-15 | 北京天融信网络安全技术有限公司 | Data anti-aliasing method, device, equipment and storage medium |
| CN112363693A (en) * | 2020-11-09 | 2021-02-12 | 北京字跳网络技术有限公司 | Code text processing method, device, equipment and storage medium |
| CN112804184A (en) * | 2019-11-13 | 2021-05-14 | 阿里巴巴集团控股有限公司 | Data obfuscation method, device and equipment |
| CN112883372A (en) * | 2019-11-29 | 2021-06-01 | 中国电信股份有限公司 | Cross-site scripting attack detection method and device |
| CN116305131A (en) * | 2023-05-20 | 2023-06-23 | 北京长亭科技有限公司 | Static confusion removing method and system for script |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140344569A1 (en) * | 2013-05-20 | 2014-11-20 | Alibaba Group Holding Limited | Protecting data |
| CN105354449A (en) * | 2015-11-04 | 2016-02-24 | 北京鼎源科技有限公司 | Scrambling and obfuscating method for Lua language and decryption method |
| CN106161381A (en) * | 2014-09-30 | 2016-11-23 | 瞻博网络公司 | Use regular expression signature to make a return journey and obscure scripting language for network invasion monitoring |
-
2017
- 2017-06-09 CN CN201710432152.2A patent/CN109033764B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20140344569A1 (en) * | 2013-05-20 | 2014-11-20 | Alibaba Group Holding Limited | Protecting data |
| CN106161381A (en) * | 2014-09-30 | 2016-11-23 | 瞻博网络公司 | Use regular expression signature to make a return journey and obscure scripting language for network invasion monitoring |
| CN105354449A (en) * | 2015-11-04 | 2016-02-24 | 北京鼎源科技有限公司 | Scrambling and obfuscating method for Lua language and decryption method |
Non-Patent Citations (3)
| Title |
|---|
| CHICHOU: "《使用estools辅助反混淆JavaScript》", 《WEB.ARCHIVE.ORG》 * |
| CONSTELLATION: "《escope/escope.js.html》", 《GITHUB:HTTPS://GITHUB.COM/ESTOOLS/ESCOPE/BLOB/GH-PAGES/ESCOPE.JS.HTML》 * |
| 一颗小行星!: "《反混淆JavaScript》", 《CSDN:HTTPS://BLOG.CSDN.NET/W20101310/ARTICLE/DETAILS/47402523》 * |
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109992935A (en) * | 2019-03-15 | 2019-07-09 | 同盾控股有限公司 | A kind of source code guard method and device |
| CN110209766A (en) * | 2019-05-23 | 2019-09-06 | 招商局金融科技有限公司 | Method for exhibiting data, electronic device and storage medium |
| CN110555291A (en) * | 2019-08-06 | 2019-12-10 | 苏宁云计算有限公司 | webpage script code protection method and device |
| CN110555291B (en) * | 2019-08-06 | 2021-08-27 | 苏宁云计算有限公司 | Webpage script code protection method and device |
| WO2021027367A1 (en) * | 2019-08-13 | 2021-02-18 | 平安科技(深圳)有限公司 | Code obfuscation method and apparatus, computer device, and storage medium |
| CN110647329A (en) * | 2019-08-13 | 2020-01-03 | 平安科技(深圳)有限公司 | Code obfuscation method, apparatus, computer device and storage medium |
| CN110750789A (en) * | 2019-10-18 | 2020-02-04 | 杭州奇盾信息技术有限公司 | De-obfuscation method, de-obfuscation device, computer apparatus, and storage medium |
| CN112804184A (en) * | 2019-11-13 | 2021-05-14 | 阿里巴巴集团控股有限公司 | Data obfuscation method, device and equipment |
| CN112804184B (en) * | 2019-11-13 | 2023-10-10 | 阿里巴巴集团控股有限公司 | Data confusion method, device and equipment |
| CN112883372A (en) * | 2019-11-29 | 2021-06-01 | 中国电信股份有限公司 | Cross-site scripting attack detection method and device |
| CN112883372B (en) * | 2019-11-29 | 2024-02-09 | 中国电信股份有限公司 | Cross-site scripting attack detection method and device |
| CN111090856A (en) * | 2020-03-23 | 2020-05-01 | 杭州有数金融信息服务有限公司 | Crawler detection method based on browser feature detection and event monitoring |
| CN111475809A (en) * | 2020-04-09 | 2020-07-31 | 杭州奇盾信息技术有限公司 | Script confusion detection method and device, computer equipment and storage medium |
| CN111475809B (en) * | 2020-04-09 | 2023-10-20 | 杭州奇盾信息技术有限公司 | Script confusion detection method, script confusion detection device, computer equipment and storage medium |
| CN112084498A (en) * | 2020-09-11 | 2020-12-15 | 北京天融信网络安全技术有限公司 | Data anti-aliasing method, device, equipment and storage medium |
| CN112084498B (en) * | 2020-09-11 | 2024-03-12 | 北京天融信网络安全技术有限公司 | Data anti-confusion method, device, equipment and storage medium |
| CN112363693A (en) * | 2020-11-09 | 2021-02-12 | 北京字跳网络技术有限公司 | Code text processing method, device, equipment and storage medium |
| CN116305131A (en) * | 2023-05-20 | 2023-06-23 | 北京长亭科技有限公司 | Static confusion removing method and system for script |
| CN116305131B (en) * | 2023-05-20 | 2023-08-11 | 北京长亭科技有限公司 | Static confusion removing method and system for script |
Also Published As
| Publication number | Publication date |
|---|---|
| CN109033764B (en) | 2023-04-11 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109033764A (en) | Antialiasing processing method and terminal, computer equipment | |
| US11061648B2 (en) | Method and system for arbitrary-granularity execution clone detection | |
| CN110383238B (en) | System and method for model-based software analysis | |
| WO2021061226A1 (en) | Uniform resource locator security analysis using malice patterns | |
| Preda et al. | Testing android malware detectors against code obfuscation: a systematization of knowledge and unified methodology | |
| EP3471008A1 (en) | De-obfuscating scripted language for network intrusion detection using a regular expression signature | |
| Yamaguchi | Pattern-based vulnerability discovery | |
| Howar et al. | Combining black-box and white-box techniques for learning register automata | |
| US11647032B2 (en) | Apparatus and method for classifying attack groups | |
| Chen et al. | Solving string constraints with regex-dependent functions through transducers with priorities and variables | |
| KR101356676B1 (en) | Translating expressions in a computing environment | |
| Medeiros et al. | SEPTIC: detecting injection attacks and vulnerabilities inside the DBMS | |
| EP4111302A1 (en) | Detection of runtime errors using machine learning | |
| David et al. | Neural reverse engineering of stripped binaries | |
| Gupta et al. | A client‐server JavaScript code rewriting‐based framework to detect the XSS worms from online social network | |
| Karuna et al. | Automating cyber threat hunting using NLP, automated query generation, and genetic perturbation | |
| Artuso et al. | In nomine function: Naming functions in stripped binaries with neural networks | |
| Dib et al. | Evoliot: A self-supervised contrastive learning framework for detecting and characterizing evolving iot malware variants | |
| Rahimian et al. | RESource: a framework for online matching of assembly with open source code | |
| Klein et al. | Hand sanitizers in the wild: A large-scale study of custom javascript sanitizer functions | |
| Abaimov et al. | A survey on the application of deep learning for code injection detection | |
| Jaeger et al. | Normalizing security events with a hierarchical knowledge base | |
| Blanc et al. | Characterizing obfuscated JavaScript using abstract syntax trees: Experimenting with malicious scripts | |
| CN115688108A (en) | Webshell static detection method and system | |
| Blanc et al. | A step towards static script malware abstraction: Rewriting obfuscated script with maude |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |