CN109214179B - Program module security detection method and device - Google Patents


Info

Publication number
CN109214179B
Authority
CN
China
Prior art keywords
function
character string
program module
list
import
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710524905.2A
Other languages
Chinese (zh)
Other versions
CN109214179A (en)
Inventor
周志刚
张文明
陈少杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Douyu Network Technology Co Ltd
Original Assignee
Wuhan Douyu Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan Douyu Network Technology Co Ltd
Priority to CN201710524905.2A
Publication of CN109214179A
Application granted
Publication of CN109214179B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention discloses a method and a device for detecting the security of a program module. An import function name list and a character string list are parsed from a target program module; whether an import function related to log output exists in the import function name list is judged, and a first judgment result is generated if so and a second judgment result otherwise; whether a predetermined core function exists in the import function name list is judged, and a third judgment result is generated if so and a fourth judgment result otherwise; whether the character string list contains a predetermined character string is judged, and a fifth judgment result is generated if so and a sixth judgment result otherwise; and if at least one of the first, third and fifth judgment results is generated, the target program module is determined to be unsafe. The invention solves the technical problem of the low reliability of detecting the components of an application program in the prior art.

Description

Program module security detection method and device
Technical Field
The invention relates to the field of security detection of application components, in particular to a method for detecting the security of a program module.
Background
Currently, application programs are developed in a componentized way: each component of the application program is an independent program module, and componentization makes the components easier to test and update. Some functions are also provided as independent or basic program modules, and other modules call the functions of these basic modules to complete more complex functions. For the more important program modules, a final security function test must be performed on the developed code to check whether it contains insecure holes and the like. For example, for a login module it is important to protect the user's password information so that a virus cannot easily steal the account and password information, and such important security modules must be checked for security vulnerabilities.
At present, components are detected at the source code level, but because a module developed by other personnel is sometimes used, the source code cannot always be acquired, so the reliability of detecting the components of the application program is not high.
Disclosure of Invention
The embodiment of the invention provides a method and a device for detecting the security of a program module, which solve the technical problem that the reliability of detecting components of an application program is not high in the prior art.
In a first aspect, an embodiment of the present invention provides a method for detecting security of a program module, including:
analyzing an import function name list and a character string list from a target program module, wherein the import function name list comprises names of system functions imported into the target program module, and the character string list comprises all character strings in the target program module;
judging whether an import function related to log output exists in the import function name list, if so, generating a first judgment result, and otherwise, generating a second judgment result;
judging whether a preset core function exists in the import function name list, if so, generating a third judgment result, and otherwise, generating a fourth judgment result;
judging whether the character string list contains a preset character string or not, if so, generating a fifth judgment result, and otherwise, generating a sixth judgment result;
and if at least one judgment result of the first judgment result, the third judgment result and the fifth judgment result is generated, determining that the target program module is unsafe.
Optionally, the parsing the import function name list and the character string list from the target program module includes:
loading module header information of the target program module into a memory, wherein the module header information comprises indexes of all pieces of information existing in the target program module;
loading the information of each segment into the memory according to the index;
extracting the data content of each piece of information from each piece of information;
and extracting the import function name list and the character string list from the data content of each piece of information.
Optionally, if the import function related to the log output is a formatted output function for formatting an output character string to a terminal, the determining whether the import function related to the log output exists in the import function name list includes:
reading the name of a first import function from the import function name list;
judging whether the name of the currently read import function is the name of the formatted output function;
if so, generating the first judgment result, otherwise, continuously reading the name of the next import function from the import function name list, and returning to the step of judging whether the currently read name of the import function is the name of the formatted output function;
and if the name of the last import function read from the import function name list is not the name of the formatted output function, generating the second judgment result.
Optionally, the determining whether a predetermined core function exists in the import function name list includes:
reading the name of a first import function from the import function name list;
judging whether the name of the currently read import function belongs to the preset core function or not;
if so, generating a third judgment result, otherwise, continuously reading the name of the next import function from the import function name list, and returning to the step of judging whether the currently read name of the import function belongs to the preset core function;
and if the name of the last import function read from the import function name list does not belong to the preset core function, generating the fourth judgment result.
Optionally, the predetermined core function includes one or more of: a function for formatting an output string to a buffer, and a function for returning the length of a string.
Optionally, the determining whether the character string list includes a predetermined character string includes:
reading a first character string from the character string list;
judging whether the currently read character string belongs to the preset character string;
if so, generating a fifth judgment result, otherwise, continuing to read the next character string from the character string list, and returning to the step of judging whether the currently read character string belongs to the preset character string;
and if the last character string read from the character string list does not belong to the preset character string, generating the sixth judgment result.
Optionally, the predetermined character string includes: one or more of a string indicating a password, a string indicating a key, a string indicating an encryption operation, a string indicating a decryption operation, a string indicating an encryption standard, and a string indicating a type of encryption algorithm.
In a second aspect, an embodiment of the present invention provides a program module security detection apparatus, including:
the analysis unit is used for analyzing an import function name list and a character string list from a target program module, wherein the import function name list comprises names of system functions imported into the target program module, and the character string list comprises all character strings in the target program module;
the log output judging unit is used for judging whether an import function related to log output exists in the import function name list or not, if the import function related to the log output exists in the import function name list, a first judging result is generated, and if the import function related to the log output does not exist in the import function name list, a second judging result is generated;
a core function judging unit, configured to judge whether a predetermined core function exists in the import function name list, if it is judged that the predetermined core function exists in the import function name list, generate a third judgment result, and otherwise, generate a fourth judgment result;
the character string judging unit is used for judging whether the character string list contains a preset character string or not, if so, generating a fifth judging result, and otherwise, generating a sixth judging result;
a security determination unit, configured to determine that the target program module is not secure if at least one of the first determination result, the third determination result, and the fifth determination result is generated.
Optionally, the parsing unit is specifically configured to:
loading module header information of the target program module into a memory, wherein the module header information comprises indexes of all pieces of information existing in the target program module;
loading the information of each segment into the memory according to the index;
extracting the data content of each piece of information from each piece of information;
and extracting the import function name list and the character string list from the data content of each piece of information.
Optionally, if the import function related to the log output is a formatting output function for formatting an output character string to the terminal, the log output determining unit is specifically configured to:
reading the name of a first import function from the import function name list;
judging whether the name of the currently read import function is the name of the formatted output function;
if yes, generating the first judgment result; if not, continuing to read the name of the next import function from the import function name list, and returning to the step of judging whether the currently read name of the import function is the name of the formatted output function;
and if the name of the last import function read from the import function name list is not the name of the formatted output function, generating the second judgment result.
Optionally, the predetermined core function includes a plurality of core functions, and the core function determining unit is specifically configured to:
reading the name of a first import function from the import function name list;
judging whether the name of the currently read import function belongs to the preset core function or not;
if yes, generating the third judgment result; if not, continuing to read the name of the next import function from the import function name list, and returning to the step of judging whether the currently read name of the import function belongs to the preset core function;
and if the name of the last import function read from the import function name list does not belong to the preset core function, generating the fourth judgment result.
Optionally, the predetermined core function includes one or more of: a function for formatting an output string to a buffer, and a function for returning the length of a string.
Optionally, the character string determining unit is specifically configured to:
reading a first character string from the character string list;
judging whether the currently read character string belongs to the preset character string;
if so, generating the fifth judgment result; if not, continuing to read the next character string from the character string list, and returning to the step of judging whether the currently read character string belongs to the preset character string;
and if the last character string read from the character string list does not belong to the preset character string, generating the sixth judgment result.
Optionally, the predetermined character string includes: one or more of a string indicating a password, a string indicating a key, a string indicating an encryption operation, a string indicating a decryption operation, a string indicating an encryption standard, and a string indicating a type of encryption algorithm.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps described in any of the embodiments of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps described in any of the embodiments of the first aspect when executing the program.
One or more technical solutions provided in the embodiments of the present invention have at least the following technical effects or advantages:
the import function name list and the character string list are parsed from the target program module; whether the import function related to log output and the predetermined core function exist in the import function name list is judged, whether the predetermined character string exists in the character string list is judged, and whether the target program module is secure is determined from the judgment results. The detection is performed on the compiled and even finally released target program module, so it is transparent to developers and, at the same time, can be performed when the source code of the program module is not available, without needing to acquire the source code. The compiled and released program module is therefore detected more conveniently and more reliably.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.
FIG. 1 is a flowchart of a method for detecting security of a program module according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a security detection apparatus for program modules according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a computer-readable storage medium according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The embodiment of the invention provides a method and a device for detecting the security of a program module, which solve the technical problem that the reliability of detecting components of an application program is not high in the prior art.
In order to solve the technical problems, the embodiment of the invention has the following general idea:
analyzing an import function name list and a character string list from a target program module; and judging whether the import function and the preset core function related to log output exist in the import function name list or not, and judging whether the character string list contains a preset character string or not so as to determine whether the target program module is safe or not according to a judgment result.
By the technical scheme, the compiled and even finally issued target program module is detected, the detection is transparent for developers, and meanwhile, the detection can be performed under the condition that the source code of the program module does not exist, and the source code does not need to be acquired, so that the compiled and issued program module is more convenient and reliable to detect.
In order to better understand the technical solution, the technical solution will be described in detail with reference to the drawings and the specific embodiments.
Referring to fig. 1, a method for detecting program module security according to an embodiment of the present invention includes:
S101, an import function name list and a character string list are parsed from the target program module, wherein the import function name list comprises names of system functions imported into the target program module, and the character string list comprises all character strings in the target program module.
It should be noted that, for a PC client, if the PC client runs a Windows operating system, the target program module is a DLL file, and if it runs a Linux operating system, the target program module is an SO file. It should also be noted that the code-level description below uses, as an example, a DLL file of a target program module based on a Windows operating system, but the invention is not limited to DLL files of the Windows operating system.
First, the module header information includes an index for each piece of segment information, so that each piece of segment information following the module header information can be acquired. Because a module file is formed by combining header information with a plurality of pieces of segment information, and each segment has a gap of a different size, loading a target program module into memory requires reading the module header information and each piece of segment information after it in sequence according to the file format.
In an embodiment, S101 specifically includes the following sub-steps to obtain a name list and a string list of an import function:
first, S1011 is executed to load module header information of the target program module into the memory, where the module header information includes an index of each piece of information existing in the target program module.
For example, in step S1011, the system function CreateFile is first called to open the target program module to be loaded, where the parameter Name is the name of the target program module; the other parameters take their usual values for read-only access (read sharing, no security attributes, open an existing file, normal attributes, no template file). The concrete implementation is as follows:
HANDLE hFile = CreateFile(Name, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); // open the module file read-only; hFile is INVALID_HANDLE_VALUE on failure
Then, the system function ReadFile is called to read the module header information of the target program module into the variable dosHeader. The specific implementation can be as follows:
IMAGE_DOS_HEADER dosHeader;
DWORD bytesRead = 0;
ReadFile(hFile, &dosHeader, sizeof(dosHeader), &bytesRead, NULL); // read the DOS header; its e_lfanew field gives the offset of the NT headers
And S1012, loading each piece of information into a memory according to the index.
Specifically, the number of segments, the data size of the module header, and the header information of each segment are obtained from the module header information.
S1013, the data content of each piece of segment information is extracted from each piece of segment information.
With the information of each segment, the name, size, etc. of each segment can be obtained, so that the data content of each segment can be read into the memory, and the specific implementation is as follows:
S1014, the import function name list and the character string list are extracted from the data content of each piece of segment information.
The segments include an import section. The table information of the import section is acquired from the data content of the segment information: the module header information includes the offset value of the start address of the import section within the target program module, so the table information of the import section can be located. Traversing the table information of the import section then yields the information of all import functions in the import section.
The specific implementation can be as follows:
DWORD dwIat = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; // pNtHeader points at the IMAGE_NT_HEADERS found at Start + dosHeader.e_lfanew
where dwIat is the offset value (relative virtual address) of the import section within the target program module.
More specifically, the table information of the import section is determined from the offset value of the import section and the start address of the target program module. Then, using the format of the import section, the import function name list containing the names of all import functions in the import section can be enumerated. The specific implementation can be as follows:
PIMAGE_IMPORT_DESCRIPTOR pImport = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)Start + dwIat); // Start is the load address of the module; dwIat is a relative virtual address, so this is valid only when the module is mapped with its sections at their virtual addresses, otherwise the RVA must first be translated to a file offset through the section table
That is, the table information of the import section is obtained from the offset value and the start address of the target program module, and the list of names of all import functions in the import section is then enumerated according to the format of the import section.
The information of the data segment is acquired using the offset value, contained in the module header information, of the start address of the data segment within the target program module, and the constants in all data segments are traversed to obtain a character string list containing all constants in the target program module.
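As an added worked example (not code from the patent), the following Python script performs S1011 to S1014 on a raw file image rather than a memory-mapped module: it reads the DOS and NT headers, builds the section table, translates the import directory's RVA to a file offset, walks the import descriptors and thunk arrays to produce the import function name list, and scans every section for printable constants to produce the character string list. The PE32 image it parses is constructed inline by build_sample_image (an assumed helper) and is not a real DLL; it also covers the import-by-ordinal case, which has no name to match.

```python
import re
import struct

SECTION_RVA = 0x1000   # virtual address of the single section in the sample image
SECTION_RAW = 0x200    # its file offset (file alignment of 0x200 assumed)


def build_sample_image():
    """Construct a minimal PE32 image with one .rdata section holding an import
    directory (two DLLs, five named imports, one ordinal import) and a few constant
    strings. Constructed for this example only; it is not a real DLL."""
    sec = bytearray()

    def add(blob):                      # append to the section, return the RVA of the blob
        rva = SECTION_RVA + len(sec)
        sec.extend(blob)
        return rva

    # IMAGE_IMPORT_BY_NAME records: u16 hint followed by a NUL-terminated name
    names = {}
    for n in ("CreateFileA", "ReadFile", "printf", "sprintf", "strlen"):
        names[n] = add(struct.pack("<H", 0) + n.encode() + b"\0")
        if len(sec) % 2:
            add(b"\0")
    dlls = {d: add(d.encode() + b"\0") for d in ("KERNEL32.dll", "MSVCRT.dll")}
    while len(sec) % 4:
        add(b"\0")
    # import lookup tables: RVAs of the name records, one ordinal (#16), zero terminator
    ilt = {
        "KERNEL32.dll": add(struct.pack("<3I", names["CreateFileA"], names["ReadFile"], 0)),
        "MSVCRT.dll": add(struct.pack("<5I", names["printf"], names["sprintf"],
                                      names["strlen"], 0x80000010, 0)),
    }
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    import_dir = SECTION_RVA + len(sec)
    for d in ("KERNEL32.dll", "MSVCRT.dll"):
        add(struct.pack("<5I", ilt[d], 0, 0, dlls[d], ilt[d]))
    add(bytes(20))                      # all-zero descriptor terminates the table
    # constant data mixed with non-printable bytes, as in a real data section
    add(b"\x01\x02\x03password\0\xff\xfeMD5\0\x00ab\0")

    sec_size = (len(sec) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: NT headers follow the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, import_dir, 60)  # DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SECTION_RVA, sec_size,
                       SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + sect)
    image += bytes(SECTION_RAW - len(image)) + sec + bytes(sec_size - len(sec))
    return bytes(image)


def _rva_to_offset(rva, sections):
    """Translate an RVA into a file offset through the section table (the step that
    'Start + dwIat' skips because it assumes a module already mapped in memory)."""
    for va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def _cstr(buf, off):
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def parse_module(image):
    """S1011..S1014: read the module header, locate every section from its header,
    walk the import directory for the import function name list, and collect the
    printable constants of every section as the character string list."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    pe32 = struct.unpack_from("<H", image, opt)[0] == 0x10B   # 0x20B would be PE32+
    dd = opt + (96 if pe32 else 112)                 # start of the DataDirectory array
    import_rva = struct.unpack_from("<I", image, dd + 8)[0]  # entry 1 = import table
    thunk_fmt, ord_flag = ("<I", 1 << 31) if pe32 else ("<Q", 1 << 63)
    sections = []
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from("<4I", image, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rsize))

    imports = []
    desc = _rva_to_offset(import_rva, sections) if import_rva else 0
    while desc:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", image, desc)
        if name_rva == 0:
            break
        dll = _cstr(image, _rva_to_offset(name_rva, sections))
        thunk = _rva_to_offset(oft or ft, sections)  # prefer the lookup table over the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, image, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:                     # import by ordinal: no name to match
                imports.append("%s!#%d" % (dll, entry & 0xFFFF))
            else:                                    # import by name: skip the 2-byte hint
                imports.append(_cstr(image, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        desc += 20

    strings = []
    for va, vsize, raw, rsize in sections:           # runs of 3+ printable bytes
        strings += [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{3,}", image[raw:raw + rsize])]
    return imports, strings
```

Running `parse_module(build_sample_image())` yields the six imports (including `MSVCRT.dll!#16` for the ordinal) and a string list in which "password" and "MD5" appear alongside the import names themselves.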
After S101, steps S102, S103, and S104 are executed. In the specific implementation process, the execution can be performed simultaneously or sequentially.
S102, judging whether an import function related to log output exists in the import function name list or not, if so, generating a first judgment result, and otherwise, generating a second judgment result.
Specifically, if a formatted output function that formats an output character string to the terminal is called to print a log, it is determined whether the name of that formatted output function exists in the import function name list.
For example, the formatted output function may be a printf function, and in other operating systems, the formatted output function may be other specific functions.
In an embodiment, the specific implementation process of determining whether the name of the formatted output function for formatting the output character string to the terminal exists in the import function name list includes the following steps S1021 to S1024:
S1021, reading the name of the first import function from the import function name list;
S1022, determining whether the name of the currently read import function is the name of the formatted output function.
It should be noted that the names of the currently read import functions are different at different times, and are sequentially the name of the first import function to the name of the last import function in the order in the import function name list.
S1023, if yes, generating a first judgment result and finishing reading; otherwise, continuing to read the name of the next import function from the import function name list, and returning to step S1022;
and S1024, if the name of the last import function read from the import function name list is not the name of the formatted output function, generating a second judgment result.
In an embodiment, if the first determination result is generated, the embodiment further includes a step of deleting the formatted output function to prevent printing of the log and outputting of the debugging information, thereby improving the security of the program module.
For the target program module, if log information or debugging information is printed, a hacker may analyze the function of the target program module and locate its key code through that log or debugging information. For example, when an application program reads a file and the file cannot be read, a log stating that the file does not exist is printed, and a hacker can then learn from the log which file the module reads. Similarly, if the module hashes or encrypts specific data and prints start information such as "calling MD5 to compute the hash", the MD5 calculation logic of the application program can be quickly located through the log. Performing the security detection of S102 detects this kind of vulnerability.
S103, judging whether a preset core function exists in the import function name list or not, if so, generating a third judgment result, and otherwise, generating a fourth judgment result.
It should be noted that the predetermined core function may be a single core function or may include a plurality of core functions.
In one embodiment, S103 includes the following steps S1031 to S1034:
S1031, reading the name of the first import function from the import function name list;
S1032, determining whether the name of the currently read import function belongs to the predetermined core function.
It should be noted that the names of the currently read import functions in S1032 are different at different times, and are sequentially the name of the first import function to the name of the last import function in the order in the import function name list.
S1033, if yes, generating a third judgment result and finishing reading; otherwise, continuing to read the name of the next import function from the import function name list, and returning to step S1032;
S1034, if the name of the last import function read from the import function name list does not belong to the predetermined core function, generating a fourth judgment result.
In this embodiment, the predetermined core function includes one or more of a function for formatting an output string to a buffer and a function for returning the length of a string. The functions for formatting an output character string to a buffer include the snprintf function and the sprintf function; the function that returns the string length is the strlen function.
More specifically, consider a core function in the target program module, such as the one that computes the KEY value used for video stream authentication and encrypts data with it. If the function that encrypts the data calls a system function, that system function can be hooked with a HOOK tool, and the call data of the system function can then be acquired from the hook. An example is as follows:
Assume that an existing function computes the KEY value used for the authentication of the video stream address.
The method computes an MD5 value over the client's private key SKEY, the client's IP, and the client's user Token. What the algorithm ultimately protects is the client's private key SKEY, and various encryption and decryption algorithms may be used to protect it. If, in the end, a system function is called when the authentication KEY value is finally computed, a hacker can easily obtain the authentication KEY value through a HOOK tool, so the earlier protection is defeated and the method is unsafe.
The specific implementation is to search the import function list acquired in S101 for these character string functions; if they exist, the module is considered unsafe. Other unsafe functions can also be added to the system as detection objects, including functions one considers unsafe oneself. The search is performed over the import functions of the module, and if a function is found, the module uses that function.
In a preferred embodiment, more insecure functions may also be added to the predetermined kernel function. And correspondingly adding unsafe functions, searching the import function name list, and if the unsafe functions exist, indicating that the target program module uses the unsafe functions.
In a preferred embodiment, when a function currently read from the import function name list belongs to the predetermined core function and is thus determined to exist in the target program module, a corresponding core function that does not call the system function is matched from a pre-written core function library and substituted for it.
In a preferred embodiment, if the third determination result is generated, a reminding message is output to remind that the predetermined core function exists.
S104, judging whether the character string list contains the preset character string, if so, generating a fifth judgment result, and otherwise, generating a sixth judgment result.
Specifically, the predetermined character string may be a single character string or a set of a plurality of character strings. In one embodiment, S104 includes the following steps S1041 to S1044:
S1041, reading a first character string from the character string list;
S1042, determining whether the currently read character string belongs to the predetermined character string;
S1043, if yes, generating a fifth judgment result; if not, continuing to read the next character string from the character string list, and returning to the step of determining whether the currently read character string belongs to the predetermined character string;
S1044, if the last character string read from the character string list does not belong to the predetermined character string, generating a sixth judgment result.
In a particular embodiment, the predetermined string includes one or more of:
a string "password" indicating a password, a string "key" indicating a key, a string "encrypt" indicating an encryption operation, a string "decrypt" indicating a decryption operation, a string indicating an encryption standard such as "MD5", and a string indicating a type of encryption algorithm such as "DES".
Strings such as "password", "KEY", "encrypt", "decrypt", "MD5", "DES", and "AES" may reveal a password, a KEY value used for encryption and decryption, the name of an encryption function, the name of a decryption function, the name of a specific HASH algorithm, the name of a specific encryption and decryption algorithm, and the like, which lowers the security of the module. For example, the encryption algorithm name "AES" indicates that encryption in the target program module is performed with the AES encryption algorithm.
Further, if such information is detected, the module's developers can be informed that certain characters present a risk, so that further modification can be made to ensure the security of the final module.
After S102 to S104 have all been executed, S105 is executed: if at least one of the first judgment result, the third judgment result and the fifth judgment result has been generated, the target program module is determined to be unsafe.
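Steps S101 to S105 above, as an added example in Python that is not part of the patent or its implementation: the module format (a magic value, header indexes, an import-name table and a data segment), the function names in the two lists and the sample module are constructed assumptions standing in for a real ELF or PE file; the three checks and their numbered results follow the text, with whole-token matching added for the short predetermined strings so that "des" does not flag "description".

```python
import re
import struct
from dataclasses import dataclass

# S102: import functions that format output to the terminal (assumed names).
LOG_OUTPUT_FUNCTIONS = {"printf", "vprintf"}
# S103: predetermined core functions: format into a buffer, return string length.
CORE_FUNCTIONS = {"sprintf", "vsprintf", "snprintf", "strlen"}
# S104: predetermined strings. Long words are matched as substrings; short ones
# only as whole tokens, otherwise "des" would flag "description" and "key"
# would flag "keyboard" (a false-positive caveat the patent leaves open).
SUBSTRING_TERMS = ("password", "encrypt", "decrypt")
TOKEN_TERMS = ("key", "md5", "des", "aes")
_TOKEN_RE = re.compile(r"(?<![a-z0-9])(?:" + "|".join(TOKEN_TERMS) + r")(?![a-z0-9])", re.I)

# Toy module layout, constructed for this example in place of a real ELF/PE:
# header = magic, import-table offset and length, data-segment offset and length.
_HEADER = struct.Struct("<4sIIII")
_MAGIC = b"TOYM"

def build_module(imports, data):
    """Assemble a toy module: header with segment indexes, then the two segments."""
    import_table = b"".join(name.encode() + b"\0" for name in imports)
    import_off = _HEADER.size
    data_off = import_off + len(import_table)
    header = _HEADER.pack(_MAGIC, import_off, len(import_table), data_off, len(data))
    return header + import_table + data

def extract_strings(data, min_len=4):
    """All printable ASCII runs of at least min_len bytes (what `strings` prints)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_module(blob):
    """S101: header -> segment indexes -> segment contents -> the two lists."""
    if len(blob) < _HEADER.size:
        raise ValueError("truncated module header")
    magic, import_off, import_len, data_off, data_len = _HEADER.unpack_from(blob)
    if magic != _MAGIC or max(import_off + import_len, data_off + data_len) > len(blob):
        raise ValueError("malformed module header")   # refuse out-of-range indexes
    import_table = blob[import_off:import_off + import_len]
    imports = [n.decode() for n in import_table.split(b"\0") if n]
    strings = extract_strings(blob[data_off:data_off + data_len])  # data segment only
    return imports, strings

def matches_predetermined(s):
    low = s.lower()
    return any(t in low for t in SUBSTRING_TERMS) or _TOKEN_RE.search(s) is not None

def _check(items, predicate, hit_result, miss_result):
    """Walk the list as in S1021..S1044: hit_result if any item matches, else miss_result."""
    hits = [i for i in items if predicate(i)]
    return (hit_result if hits else miss_result), hits

@dataclass
class Report:
    results: tuple      # (1 or 2, 3 or 4, 5 or 6)
    log_hits: list      # what a reminder message would name
    core_hits: list
    string_hits: list

    @property
    def unsafe(self):
        # S105: unsafe if the first, third or fifth result was generated.
        return any(r in (1, 3, 5) for r in self.results)

def detect(blob):
    """Run S101 to S105 over one module image and return the numbered results."""
    imports, strings = parse_module(blob)
    r_log, log_hits = _check(imports, lambda n: n in LOG_OUTPUT_FUNCTIONS, 1, 2)  # S102
    r_core, core_hits = _check(imports, lambda n: n in CORE_FUNCTIONS, 3, 4)      # S103
    r_str, string_hits = _check(strings, matches_predetermined, 5, 6)             # S104
    return Report((r_log, r_core, r_str), log_hits, core_hits, string_hits)

if __name__ == "__main__":
    # Constructed sample: a release build that still logs, formats into a
    # buffer and carries crypto-related literals next to a harmless "description".
    sample = build_module(["malloc", "printf", "sprintf", "strlen", "memcpy"],
                          b"\x00\x01Password: %s\x00AES_KEY\x00description\x00ok\x00")
    rep = detect(sample)
    print(rep.results, rep.unsafe, rep.log_hits, rep.core_hits, rep.string_hits)
```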
Based on the same inventive concept, an embodiment of the present invention provides a program module security detection apparatus, shown in fig. 2, which includes:
a parsing unit 201, configured to parse an import function name list and a character string list from a target program module, where the import function name list includes the names of the system functions imported into the target program module and the character string list includes all character strings in the target program module;
a log output judging unit 202, configured to judge whether an import function related to log output exists in the import function name list, to generate a first judgment result if such an import function exists in the import function name list, and to generate a second judgment result if no such import function exists in the import function name list;
a core function judging unit 203, configured to judge whether a predetermined core function exists in the import function name list, to generate a third judgment result if the predetermined core function exists in the import function name list, and to generate a fourth judgment result if it does not;
a character string judging unit 204, configured to judge whether the character string list contains a predetermined character string, to generate a fifth judgment result if the character string list contains the predetermined character string, and to generate a sixth judgment result if it does not;
a security determining unit 205, configured to determine that the target program module is unsafe if at least one of the first judgment result, the third judgment result and the fifth judgment result is generated.
Optionally, the parsing unit 201 is specifically configured to:
load the module header information of the target program module into memory, where the module header information includes indexes of each piece of segment information present in the target program module;
load each piece of segment information into memory according to the indexes;
extract the data content of each segment from each piece of segment information;
and extract the import function name list and the character string list from the data content of each segment.
Optionally, if the import function related to log output is a formatted output function that formats and outputs a character string to the terminal, the log output judging unit 202 is specifically configured to:
read the name of the first import function from the import function name list;
judge whether the name of the currently read import function is the name of the formatted output function;
if so, generate the first judgment result; if not, continue by reading the name of the next import function from the import function name list and return to the step of judging whether the name of the currently read import function is the name of the formatted output function;
and if the name of the last import function read from the import function name list is not the name of the formatted output function, generate the second judgment result.
Optionally, the predetermined core function includes a plurality of core functions, and the core function judging unit 203 is specifically configured to:
read the name of the first import function from the import function name list;
judge whether the name of the currently read import function belongs to the predetermined core functions;
if so, generate the third judgment result; if not, continue by reading the name of the next import function from the import function name list and return to the step of judging whether the name of the currently read import function belongs to the predetermined core functions;
and if the name of the last import function read from the import function name list does not belong to the predetermined core functions, generate the fourth judgment result.
Optionally, the predetermined core function includes one or more of: a function that formats an output string into a buffer, and a function that returns the length of a string.
Optionally, the character string judging unit 204 is specifically configured to:
read the first character string from the character string list;
judge whether the currently read character string belongs to the predetermined character string;
if so, generate the fifth judgment result; if not, continue by reading the next character string from the character string list and return to the step of judging whether the currently read character string belongs to the predetermined character string;
and if the last character string read from the character string list does not belong to the predetermined character string, generate the sixth judgment result.
Optionally, the predetermined character string includes one or more of: a string indicating a password, a string indicating a key, a string indicating an encryption operation, a string indicating a decryption operation, a string indicating an encryption standard, and a string indicating a type of encryption algorithm.
Based on the same inventive concept, an embodiment of the present invention provides a computer-readable storage medium 301, shown in fig. 3, on which a computer program 302 is stored; when the program 302 is executed by a processor, it implements the steps of any of the foregoing program module security detection methods.
Based on the same inventive concept, an embodiment of the present invention provides a computer device 400, shown in fig. 4, which includes a memory 410, a processor 430 and a computer program 420 that is stored in the memory 410 and runs on the processor 430; the processor 430 executes the computer program 420 to implement the steps of any of the foregoing program module security detection methods.
Since the apparatus, storage medium and computer device described in this embodiment are devices for implementing the program module security detection method of the embodiment of the present invention, those skilled in the art can understand their specific embodiments and variations from the method described above, so how the apparatus, storage medium and computer device implement that method is not described in detail here. Any electronic device that those skilled in the art use to implement the program module security detection method of the embodiment of the present invention falls within the scope of the present invention.
The technical solution in the embodiment of the present invention has at least the following technical effects or advantages:
the import function name list and the character string list are parsed from the target program module; whether an import function related to log output and a predetermined core function exist in the import function name list, and whether a predetermined character string exists in the character string list, are judged, and whether the target program module is secure is determined from the judgment results. A target program module that has already been compiled, and even finally released, is thus detected. The method is transparent to developers, and detection can be carried out without the source code of the program module, so no source code needs to be obtained, which makes the detection of compiled and released program modules more convenient and more reliable.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (10)

1. A method for detecting the security of a program module, comprising:
under the condition that no source code of the target program module exists, sequentially reading in, according to the file format of the target program module, the module header information and each piece of segment information following the module header information, wherein the module header information comprises indexes of each piece of segment information, and parsing an import function name list and a character string list from the compiled and released target program module, wherein the import function name list comprises the names of the system functions imported into the target program module, the character string list comprises all character strings in the target program module, and the target program module is a component of an application program;
judging whether an import function related to log output exists in the import function name list; if so, generating a first judgment result, and otherwise generating a second judgment result;
judging whether a predetermined core function exists in the import function name list; if so, generating a third judgment result, and otherwise generating a fourth judgment result;
judging whether the character string list contains a predetermined character string; if so, generating a fifth judgment result, and otherwise generating a sixth judgment result;
and if at least one of the first judgment result, the third judgment result and the fifth judgment result is generated, determining that the target program module is unsafe.
2. The method for detecting the security of a program module according to claim 1, wherein parsing the import function name list and the character string list from the target program module comprises:
loading the module header information of the target program module into memory, wherein the module header information comprises indexes of each piece of segment information present in the target program module;
loading each piece of segment information into memory according to the indexes;
extracting the data content of each segment from each piece of segment information;
and extracting the import function name list and the character string list from the data content of each segment.
3. The method for detecting the security of a program module according to claim 1, wherein, if the import function related to log output is a formatted output function that formats and outputs a character string to a terminal, said judging whether an import function related to log output exists in the import function name list comprises:
reading the name of the first import function from the import function name list;
judging whether the name of the currently read import function is the name of the formatted output function;
if so, generating the first judgment result; otherwise, continuing by reading the name of the next import function from the import function name list and returning to the step of judging whether the name of the currently read import function is the name of the formatted output function;
and if the name of the last import function read from the import function name list is not the name of the formatted output function, generating the second judgment result.
4. The method for detecting the security of a program module according to claim 1, wherein the predetermined core function includes a plurality of core functions, and said judging whether a predetermined core function exists in the import function name list comprises:
reading the name of the first import function from the import function name list;
judging whether the name of the currently read import function belongs to the predetermined core functions;
if so, generating the third judgment result; otherwise, continuing by reading the name of the next import function from the import function name list and returning to the step of judging whether the name of the currently read import function belongs to the predetermined core functions;
and if the name of the last import function read from the import function name list does not belong to the predetermined core functions, generating the fourth judgment result.
5. The method for detecting the security of a program module according to claim 4, wherein the predetermined core function comprises one or more of: a function that formats an output string into a buffer, and a function that returns the length of a string.
6. The method for detecting the security of a program module according to claim 1, wherein said judging whether the character string list contains a predetermined character string comprises:
reading the first character string from the character string list;
judging whether the currently read character string belongs to the predetermined character string;
if so, generating the fifth judgment result; otherwise, continuing by reading the next character string from the character string list and returning to the step of judging whether the currently read character string belongs to the predetermined character string;
and if the last character string read from the character string list does not belong to the predetermined character string, generating the sixth judgment result.
7. The method for detecting the security of a program module according to claim 1, wherein the predetermined character string comprises one or more of: a string indicating a password, a string indicating a key, a string indicating an encryption operation, a string indicating a decryption operation, a string indicating an encryption standard, and a string indicating a type of encryption algorithm.
8. A program module security detection apparatus, comprising:
a parsing unit, configured to sequentially read in, according to the file format of a target program module and under the condition that no source code of the target program module exists, the module header information and each piece of segment information following the module header information, wherein the module header information comprises indexes of each piece of segment information, and to parse an import function name list and a character string list from the compiled and released target program module, wherein the import function name list comprises the names of the system functions imported into the target program module, the character string list comprises all character strings in the target program module, and the target program module is a component of an application program;
a log output judging unit, configured to judge whether an import function related to log output exists in the import function name list, and to generate a first judgment result if so and a second judgment result otherwise;
a core function judging unit, configured to judge whether a predetermined core function exists in the import function name list, to generate a third judgment result if the predetermined core function exists in the import function name list, and to generate a fourth judgment result if it does not;
a character string judging unit, configured to judge whether the character string list contains a predetermined character string, and to generate a fifth judgment result if so and a sixth judgment result otherwise;
a security determining unit, configured to determine that the target program module is unsafe if at least one of the first judgment result, the third judgment result and the fifth judgment result is generated.
9. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-7 when executing the program.
Application CN201710524905.2A, priority date 2017-06-30, filing date 2017-06-30, Program module security detection method and device, status Active, granted as CN109214179B (en)

Publications (2)

Publication Number   Publication Date
CN109214179A (en)    2019-01-15
CN109214179B (en)    2021-04-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant