CN109464805A - Malware detection methods, device, electronic equipment and storage medium - Google Patents
- Publication number
- CN109464805A
- Authority
- CN
- China
- Prior art keywords
- target application
- time
- function
- acquisition
- rogue program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- A—HUMAN NECESSITIES
- A63—SPORTS; GAMES; AMUSEMENTS
- A63F—CARD, BOARD, OR ROULETTE GAMES; INDOOR GAMES USING SMALL MOVING PLAYING BODIES; VIDEO GAMES; GAMES NOT OTHERWISE PROVIDED FOR
- A63F13/00—Video games, i.e. games using an electronically generated display having two or more dimensions
- A63F13/70—Game security or game management aspects
- A63F13/75—Enforcing rules, e.g. detecting foul play or generating lists of cheating players
Landscapes
- Engineering & Computer Science (AREA)
- Multimedia (AREA)
- Business, Economics & Management (AREA)
- Computer Security & Cryptography (AREA)
- General Business, Economics & Management (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a malware detection method, device, electronic equipment and storage medium. The method includes: when detecting a target application, acquiring time-related information in a preset manner; and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program. By acquiring time-related information independently, rather than relying only on the time information obtained by the application, this technical solution can determine whether the application has been accelerated or decelerated by a malicious program, which in turn indicates whether the application has been compromised by a malicious program. This is especially significant for game applications and helps maintain the balance and health of the game ecosystem.
Description
Technical field
The present invention relates to the field of information security, and in particular to a malware detection method, device, electronic equipment and storage medium.
Background art
Applications, and game applications in particular, are constantly troubled by malicious programs. Many game cheat programs obtain varying degrees of advantage by modifying the game speed. For example, in bullet-hell games and endless-runner games, slowing the game down lowers the difficulty and yields a higher score; in RPG (role-playing) games, speeding the game up lets the player clear more levels within a set time. All of this seriously affects game balance. A way of effectively detecting cheat programs and other malicious programs is therefore needed.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a malware detection method, device, electronic equipment and storage medium that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a malware detection method is provided, comprising:
when detecting a target application, acquiring time-related information in a preset manner;
judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program.
Optionally, acquiring time-related information in a preset manner comprises:
while the target application is running, acquiring the current time value at a preset time interval;
and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises:
judging whether the difference between two consecutively acquired current time values is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program.
Optionally, acquiring the current time value at a preset interval comprises:
acquiring the return value of the clock_gettime function at a preset interval.
Optionally, acquiring time-related information in a preset manner comprises:
while the target application is running, acquiring, at a preset time interval, the difference between the two most recent modification times of a specified file;
and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises:
judging whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program.
Optionally, acquiring, at a preset time interval, the difference between the two most recent modification times of a specified file comprises:
in response to a call of the Update function of the target application's MonoBehaviour class, performing the operation of acquiring, at a preset time interval, the difference between the two most recent modification times of the specified file.
Optionally, acquiring time-related information in a preset manner comprises:
during startup of the target application, acquiring and recording the address of a specified function, and, while the target application is running, acquiring the address of the specified function in a preset manner; wherein the specified function is a function that returns the current time value;
and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises:
if the address of the specified function acquired in the preset manner is inconsistent with the recorded address of the specified function, the target application has been compromised by a malicious program.
Optionally, the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application.
According to another aspect of the present invention, a malicious program detection device is provided, comprising:
an acquiring unit, adapted to acquire time-related information in a preset manner when a target application is being detected;
a judging unit, adapted to judge, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program.
Optionally, the acquiring unit is adapted to acquire the current time value at a preset time interval while the target application is running;
the judging unit is adapted to judge whether the difference between two consecutively acquired current time values is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program.
Optionally, the acquiring unit is adapted to acquire the return value of the clock_gettime function at a preset interval.
Optionally, the acquiring unit is adapted to acquire, at a preset time interval while the target application is running, the difference between the two most recent modification times of a specified file;
the judging unit is adapted to judge whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program.
Optionally, the acquiring unit is adapted to perform, in response to a call of the Update function of the target application's MonoBehaviour class, the operation of acquiring, at a preset time interval, the difference between the two most recent modification times of the specified file.
Optionally, the acquiring unit is adapted to acquire and record the address of a specified function during startup of the target application, and to acquire the address of the specified function in a preset manner while the target application is running; wherein the specified function is a function that returns the current time value;
the judging unit is adapted to determine that the target application has been compromised by a malicious program if the address of the specified function acquired in the preset manner is inconsistent with the recorded address of the specified function.
Optionally, the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application.
According to another aspect of the present invention, electronic equipment is provided, comprising: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform the method according to any of the above.
According to yet another aspect of the present invention, a computer-readable storage medium is provided, wherein the computer-readable storage medium stores one or more programs which, when executed by a processor, implement the method according to any of the above.
As can be seen from the above, the technical solution of the present invention, for a given target application, acquires time-related information in a preset manner and judges, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program. By acquiring time-related information independently, rather than relying only on the time information obtained by the application, the solution can determine whether the application has been accelerated or decelerated by a malicious program, which in turn indicates whether the application has been compromised by a malicious program. This is especially significant for game applications and helps maintain the balance and health of the game ecosystem.
The above is only an overview of the technical solution of the present invention. So that the technical means of the present invention can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the present invention are easier to understand, specific embodiments of the present invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numbers refer to the same parts. In the drawings:
Fig. 1 shows a flow diagram of a malware detection method according to an embodiment of the invention;
Fig. 2 shows a structural schematic diagram of a malicious program detection device according to an embodiment of the invention;
Fig. 3 shows a structural schematic diagram of electronic equipment according to an embodiment of the invention;
Fig. 4 shows a structural schematic diagram of a computer-readable storage medium according to an embodiment of the invention.
Detailed description of embodiments
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Fig. 1 shows a flow diagram of a malware detection method according to an embodiment of the invention. As shown in Fig. 1, the method comprises:
Step S110: when detecting a target application, acquire time-related information in a preset manner.
As noted in the background, many game applications suffer badly from cheat programs. Many players use malicious programs to accelerate or decelerate a game and so gain an illegitimate advantage. For example, in many bullet-hell games, such as Raiden-style aircraft shooters, the player steers a target to dodge the bullets, and the bullets speed up as time passes, so the difficulty keeps rising. If a cheat program slows the game down, the bullets move in "slow motion" and the player can dodge them easily. As another example, in many games the player can repeatedly challenge a game dungeon within a set time (such as one day) and receives a reward for each success. If a malicious program speeds the game up, the time needed for each dungeon challenge is shortened, so the number of challenges the user can make in a day increases and more rewards are obtained.
Game applications have many kinds of gameplay, and most of them are time-related, so it is very common for cheat programs to accelerate or decelerate game applications. This is the main problem the present invention solves, and the target application in the embodiments of the invention may be a Unity3D-based game application. Other applications are, of course, also at risk of being accelerated or decelerated by a malicious program: for example, a video application may be slowed down so that the user perceives its playback as poor, which affects the user's evaluation of the application, and so on.
Many target applications determine the time themselves, for example from the return value of a system time function, and many malicious programs exploit this. In the embodiments of the present invention, therefore, time-related information can be acquired in a way different from the one the target application uses, so as to judge independently whether the application has been accelerated or decelerated.
Step S120: judge, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program.
As can be seen, the method shown in Fig. 1, for a given target application, acquires time-related information in a preset manner and judges, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program. By acquiring time-related information independently, rather than relying only on the time information obtained by the application, the solution can determine whether the application has been accelerated or decelerated by a malicious program, which in turn indicates whether the application has been compromised by a malicious program. This is especially significant for game applications and helps maintain the balance and health of the game ecosystem.
In one embodiment of the invention, in the above method, acquiring time-related information in a preset manner comprises: while the target application is running, acquiring the current time value at a preset time interval; and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises: judging whether the difference between two consecutively acquired current time values is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program. Specifically, in one embodiment of the invention, in the above method, acquiring the current time value at a preset interval comprises: acquiring the return value of the clock_gettime function at a preset interval.
The clock_gettime function is the way many applications obtain the time; it returns the current time value. Many malicious programs exploit this: by modifying the return value of the function they can modify the time. Malicious programs that work by modifying the time value in this way can be detected in the manner provided by the above embodiment.
For example, if the current time value is acquired once every 10 seconds, the difference between two consecutively acquired current time values should also be 10 seconds; even allowing for error, the difference should be close to 10 seconds. If the difference deviates noticeably from 10 seconds (for example by 0.1 times, which in this case is 1 second, far more than any measurement error), the acquired current time value has been modified. That is, a malicious program has modified the current time value, and the target application has been compromised by a malicious program, for example accelerated or decelerated.
In a specific implementation, a thread can be started in the background and loop to check whether the current time value is abnormal. For example, every 10 seconds it obtains the current time value from the clock_gettime function and subtracts the two consecutively acquired values; if the result is noticeably greater than 10 seconds, the target application has been accelerated, and otherwise the target application has been decelerated.
In one embodiment of the invention, in the above method, acquiring time-related information in a preset manner comprises: while the target application is running, acquiring, at a preset time interval, the difference between the two most recent modification times of a specified file; and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises: judging whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application has been compromised by a malicious program.
Some malicious programs modify application time mainly in order to change the refresh frame rate. Operations on files, such as reads and writes, are different: the modification times of such operations are recorded by the operating system and are accurate. This embodiment makes use of exactly this property, comparing the time difference obtained by the application with the difference recorded by the operating system.
Specifically, in one embodiment of the invention, in the above method, acquiring, at a preset time interval, the difference between the two most recent modification times of a specified file comprises: in response to a call of the Update function of the target application's MonoBehaviour class, performing the operation of acquiring, at a preset time interval, the difference between the two most recent modification times of the specified file.
The MonoBehaviour class can be used to implement the game scenes of a Unity3D game, and its Update function is called every time the game refreshes a frame. If the game is accelerated or decelerated, the frequency at which the Update function is called back obviously changes as well. In this embodiment, the detection logic is triggered by the call of the Update function: within a fixed time interval, such as 10 seconds, the difference between the two most recent modification times of a specified file is checked, and if the deviation is too large (see the judgment in the previous embodiment), the game is deemed to have been compromised by a malicious program.
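The two interval checks described above (consecutive clock_gettime values, and the two most recent modification times of a specified file) reduce to the same comparison, shown here in C as an added example that is not code from the patent. The function names, the choice of CLOCK_MONOTONIC, the probe file path and the use of nanosleep as the trigger are assumptions; the 10-second interval and the 0.1-times deviation come from the text.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

#define NS_PER_SEC 1000000000LL

enum verdict { TIME_DECELERATED = -1, TIME_OK = 0, TIME_ACCELERATED = 1 };

/* cur - prev in nanoseconds. The nanosecond term may be negative, which
 * takes care of the "borrow" when cur->tv_nsec < prev->tv_nsec. */
int64_t ts_diff_ns(const struct timespec *prev, const struct timespec *cur)
{
    return (int64_t)(cur->tv_sec - prev->tv_sec) * NS_PER_SEC
         + (int64_t)(cur->tv_nsec - prev->tv_nsec);
}

/* Rule from the text: a delta noticeably above the preset interval means
 * the application was accelerated, noticeably below means decelerated.
 * slack_ns is the tolerated deviation (the text's example: 0.1 x interval). */
enum verdict classify_delta(const struct timespec *prev,
                            const struct timespec *cur,
                            int64_t interval_ns, int64_t slack_ns)
{
    int64_t delta = ts_diff_ns(prev, cur);
    if (delta >= interval_ns + slack_ns) return TIME_ACCELERATED;
    if (delta <= interval_ns - slack_ns) return TIME_DECELERATED;
    return TIME_OK;
}

/* Source 1: the value returned by clock_gettime (clock id is an assumption). */
int sample_clock(struct timespec *out)
{
    return clock_gettime(CLOCK_MONOTONIC, out);
}

/* Source 2: modify the specified file, then read back the modification
 * time that the operating system recorded for that write. */
int sample_mtime(const char *path, struct timespec *out)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, ".", 1) == 1 && fstat(fd, &st) == 0) {
        *out = st.st_mtim;
        rc = 0;
    }
    close(fd);
    return rc;
}

/* Background loop: every interval, take both samples and compare each
 * delta with the interval. nanosleep stands in for the application's own
 * trigger (the Update callback in the Unity3D case described above).
 * Returns the number of anomalous deltas, or -1 on a sampling error. */
int monitor(int rounds, int64_t interval_ns, const char *probe_path)
{
    struct timespec clk_prev, clk_cur, mt_prev, mt_cur;
    int64_t slack_ns = interval_ns / 10;
    int anomalies = 0;

    if (sample_clock(&clk_prev) != 0 || sample_mtime(probe_path, &mt_prev) != 0)
        return -1;
    for (int i = 0; i < rounds; i++) {
        struct timespec left = { .tv_sec = interval_ns / NS_PER_SEC,
                                 .tv_nsec = interval_ns % NS_PER_SEC };
        /* Resume after signals so a short sleep is not misread as tampering. */
        while (nanosleep(&left, &left) == -1 && errno == EINTR) { }
        if (sample_clock(&clk_cur) != 0 || sample_mtime(probe_path, &mt_cur) != 0)
            return -1;
        if (classify_delta(&clk_prev, &clk_cur, interval_ns, slack_ns) != TIME_OK)
            anomalies++;
        if (classify_delta(&mt_prev, &mt_cur, interval_ns, slack_ns) != TIME_OK)
            anomalies++;
        clk_prev = clk_cur;
        mt_prev = mt_cur;
    }
    return anomalies;
}

int main(void)
{
    /* Three 10-second rounds; the probe path is a constructed example. */
    int n = monitor(3, 10 * NS_PER_SEC, "/tmp/mtime_probe");
    printf("anomalous intervals: %d\n", n);
    return n != 0;
}
```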
In one embodiment of the invention, in the above method, acquiring time-related information in a preset manner comprises: during startup of the target application, acquiring and recording the address of a specified function, and, while the target application is running, acquiring the address of the specified function in a preset manner; wherein the specified function is a function that returns the current time value; and judging, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program comprises: if the address of the specified function acquired in the preset manner is inconsistent with the recorded address of the specified function, the target application has been compromised by a malicious program.
For example, after an application starts, the specified function is registered by the operating system; when the application later calls it, the operating system returns the current time value. Normally the specified function is registered by the system, but cheat programs and other malicious programs can re-register the specified function and so "intercept" the time value. The method in this embodiment can be used against this kind of malicious program.
After the application starts, the address of the specified function is recorded first. If this address is later found to have been modified, the specified function has been re-registered, and the target application has been compromised by a malicious program. While the application is running, therefore, the address of the specified function can be reacquired in a predetermined manner, for example every 10 seconds, and checked against the recorded address.
Specifically, for Android applications, in one embodiment of the invention, in the above method, the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application. A malicious program that re-registers the System.currentTimeMillis function and the System.nanoTime function to custom native functions can then be detected accurately, because the address of the function has changed.
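The record-then-recheck logic described above, as an added C example that is not code from the patent. The registry array is a constructed stand-in for the runtime table that binds System.currentTimeMillis and System.nanoTime to native code, not Android's real data structure, and every function name in the block is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

typedef int64_t (*time_fn)(void);

struct native_entry {
    const char *method;  /* Java-side method name, as named in the text */
    time_fn fn;          /* native function currently bound to it */
};

/* The bindings that the system installs at startup (constructed). */
static int64_t native_current_time_millis(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_REALTIME, &ts);
    return (int64_t)ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
}

static int64_t native_nano_time(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (int64_t)ts.tv_sec * 1000000000LL + ts.tv_nsec;
}

/* Constructed replacement binding, present only to exercise the check. */
static int64_t replaced_nano_time(void) { return 0; }

#define N_WATCHED 2
static struct native_entry registry[N_WATCHED] = {
    { "System.currentTimeMillis", native_current_time_millis },
    { "System.nanoTime",          native_nano_time },
};
static time_fn recorded[N_WATCHED];  /* addresses recorded at startup */

/* Models (re-)registration of a native method. Returns 0, or -1 if the
 * method is not in the table. */
int register_native(const char *method, time_fn fn)
{
    for (size_t i = 0; i < N_WATCHED; i++) {
        if (strcmp(registry[i].method, method) == 0) {
            registry[i].fn = fn;
            return 0;
        }
    }
    return -1;
}

/* Startup step: record the address of each specified function. */
void record_addresses(void)
{
    for (size_t i = 0; i < N_WATCHED; i++)
        recorded[i] = registry[i].fn;
}

/* Runtime step, to be called periodically (the text suggests every 10
 * seconds): reacquire each address and compare it with the recorded one.
 * Stores the names of changed methods in `changed` (up to `max`) and
 * returns how many bindings no longer match. */
int verify_addresses(const char **changed, int max)
{
    int n = 0;
    for (size_t i = 0; i < N_WATCHED; i++) {
        if (registry[i].fn != recorded[i]) {
            if (n < max)
                changed[n] = registry[i].method;
            n++;
        }
    }
    return n;
}

int main(void)
{
    const char *changed[N_WATCHED];

    record_addresses();
    printf("after startup: %d changed\n", verify_addresses(changed, N_WATCHED));

    register_native("System.nanoTime", replaced_nano_time);
    int n = verify_addresses(changed, N_WATCHED);
    for (int i = 0; i < n; i++)
        printf("binding changed: %s\n", changed[i]);
    return 0;
}
```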
Fig. 2 shows a structural schematic diagram of a malicious program detection device according to an embodiment of the invention. As shown in Fig. 2, the malicious program detection device 200 comprises:
An acquiring unit 210, adapted to acquire time-related information in a preset manner when a target application is being detected.
A judging unit 220, adapted to judge, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program.
As can be seen, the device shown in Fig. 2, for a given target application, acquires time-related information in a preset manner and judges, according to the acquired time-related information and preset rules, whether the target application has been compromised by a malicious program. By acquiring time-related information independently, rather than relying only on the time information obtained by the application, the solution can determine whether the application has been accelerated or decelerated by a malicious program, which in turn indicates whether the application has been compromised by a malicious program. This is especially significant for game applications and helps maintain the balance and health of the game ecosystem.
In one embodiment of the invention, in the above device, the acquiring unit 210 is adapted to acquire the current time value at a preset time interval while the target application is running; the judging unit 220 is adapted to judge whether the difference between two consecutively acquired current time values is consistent with the preset time interval, and if it is not, the target application has been compromised by a malicious program. Specifically, in one embodiment of the invention, in the above device, the acquiring unit 210 is adapted to acquire the return value of the clock_gettime function at a preset interval.
In one embodiment of the invention, in the above device, the acquiring unit 210 is adapted to acquire, at a preset time interval while the target application is running, the difference between the two most recent modification times of a specified file; the judging unit 220 is adapted to judge whether the difference between the two most recent modification times is consistent with the preset time interval, and if it is not, the target application has been compromised by a malicious program.
Specifically, in one embodiment of the invention, in the above device, the acquiring unit 210 is adapted to perform, in response to a call of the Update function of the target application's MonoBehaviour class, the operation of acquiring, at a preset time interval, the difference between the two most recent modification times of the specified file.
In one embodiment of the invention, in the above device, the acquiring unit 210 is adapted to acquire and record the address of a specified function during startup of the target application, and to acquire the address of the specified function in a preset manner while the target application is running; wherein the specified function is a function that returns the current time value; the judging unit 220 is adapted to determine that the target application has been compromised by a malicious program if the address of the specified function acquired in the preset manner is inconsistent with the recorded address of the specified function.
Specifically, for Android applications, in one embodiment of the invention, in the above device, the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application. A malicious program that re-registers the System.currentTimeMillis function and the System.nanoTime function to custom native functions can then be detected accurately, because the address of the function has changed.
In conclusion technical solution of the present invention, for determining target application, by with predetermined manner acquisition time phase
Information is closed, according to the time related information and preset rules of acquisition, judges whether target application is encroached on by rogue program.The skill
Art scheme not only relies on the temporal information that application obtains by autonomous acquisition time relevant information, it can be determined that applying out is
It is no also to indicate that whether application receives the infringement of rogue program by rogue program acceleration or deceleration, more for game application
It is important in inhibiting, maintains the balance and health of game ecology.
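An added example (not code from the patent) of the interval check listed as embodiments A2 and A3: time is read with clock_gettime at a preset interval and the difference between consecutive reads is compared with that interval. The tolerance, the consecutive-mismatch threshold, the choice of CLOCK_MONOTONIC and all identifiers are assumptions of this example, and the sample trace is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

enum verdict { DELTA_OK, DELTA_TOO_SHORT, DELTA_TOO_LONG };

/* tolerance_ms and strikes_needed are assumptions of this example (they absorb
 * scheduler jitter and one-off stalls); the patent only compares with the interval. */
struct interval_checker {
    int64_t interval_ms;    /* preset sampling interval */
    int64_t tolerance_ms;   /* allowed deviation per pair of samples */
    int strikes_needed;     /* consecutive mismatches before flagging */
    int strikes, have_prev;
    int flagged;            /* latched once set */
    struct timespec prev;
};

/* Independent time read (A3). CLOCK_MONOTONIC is this example's choice. */
struct timespec sample_now(void)
{
    struct timespec ts = {0, 0};
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts;
}

/* b - a in milliseconds, with the tv_nsec borrow handled. */
int64_t ts_diff_ms(struct timespec a, struct timespec b)
{
    int64_t sec = (int64_t)b.tv_sec - (int64_t)a.tv_sec;
    int64_t nsec = (int64_t)b.tv_nsec - (int64_t)a.tv_nsec;
    if (nsec < 0) { sec -= 1; nsec += 1000000000LL; }
    return sec * 1000 + nsec / 1000000;
}

/* Call each time the application's timer reports that the preset interval has
 * elapsed, passing sample_now(). Any mismatch counts, whichever side was altered. */
enum verdict checker_feed(struct interval_checker *c, struct timespec now)
{
    enum verdict v = DELTA_OK;
    if (c->have_prev) {
        int64_t delta = ts_diff_ms(c->prev, now);
        if (delta < c->interval_ms - c->tolerance_ms) v = DELTA_TOO_SHORT;
        else if (delta > c->interval_ms + c->tolerance_ms) v = DELTA_TOO_LONG;
        c->strikes = (v == DELTA_OK) ? 0 : c->strikes + 1;
        if (c->strikes >= c->strikes_needed) c->flagged = 1;
    }
    c->prev = now;
    c->have_prev = 1;
    return v;
}

/* Build a timespec from milliseconds, for the constructed traces. */
struct timespec ts_from_ms(int64_t ms)
{
    return (struct timespec){ .tv_sec = (time_t)(ms / 1000),
                              .tv_nsec = (long)(ms % 1000) * 1000000L };
}

/* Feed a trace of sample times (ms); return 1 if the checker flagged it. */
int run_trace(const int64_t *ms, int n, int64_t interval_ms,
              int64_t tolerance_ms, int strikes_needed)
{
    struct interval_checker c = { .interval_ms = interval_ms,
        .tolerance_ms = tolerance_ms, .strikes_needed = strikes_needed };
    for (int i = 0; i < n; i++) checker_feed(&c, ts_from_ms(ms[i]));
    return c.flagged;
}

int main(void)
{
    /* Constructed samples: steady 1 s steps, then steps of about 0.5 s. */
    const int64_t trace[] = {0, 1000, 2010, 3005, 3505, 4004, 4500};
    printf("flagged=%d\n", run_trace(trace, 7, 1000, 100, 2));
    return 0;
}
```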
It should be noted that:
The algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other apparatus. Various general-purpose devices may also be used with the teachings herein. From the description above, the structure required to construct such devices is obvious. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and they may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the malicious program detection device according to embodiments of the invention. The invention may also be implemented as a device or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such a signal may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, Fig. 3 shows a schematic structural diagram of an electronic device according to an embodiment of the invention. The electronic device includes a processor 310 and a memory 320 arranged to store computer-executable instructions (computer-readable program code). The memory 320 may be an electronic memory such as flash memory, EEPROM (electrically erasable programmable read-only memory), EPROM, a hard disk or ROM. The memory 320 has a storage space 330 that stores computer-readable program code 331 for executing any of the method steps of the above method. For example, the storage space 330 for storing computer-readable program code may include individual computer-readable program codes 331, each implementing one of the various steps of the above method. The computer-readable program code 331 may be read from or written to one or more computer program products. These computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is typically a computer-readable storage medium such as that described in Fig. 4. Fig. 4 shows a schematic structural diagram of a computer-readable storage medium according to an embodiment of the invention. The computer-readable storage medium 400 stores the computer-readable program code 331 for executing the method steps according to the invention, which can be read by the processor 310 of the electronic device 300. When the computer-readable program code 331 is run by the electronic device 300, it causes the electronic device 300 to execute each step of the method described above; specifically, the computer-readable program code 331 stored on the computer-readable storage medium can execute the method shown in any of the above embodiments. The computer-readable program code 331 may be compressed in an appropriate form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The embodiments of the invention disclose A1, a malicious program detection method, comprising:
when detecting a target application, acquiring time-related information in a preset manner;
judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program.
A2. The method according to A1, wherein acquiring time-related information in a preset manner comprises:
during operation of the target application, obtaining the current time value at a preset time interval;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
judging whether the difference between two consecutively obtained current time values is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
A3. The method according to A2, wherein obtaining the current time value at a preset interval comprises:
obtaining the return value of the clock_gettime function at a preset interval.
A4. The method according to A1, wherein acquiring time-related information in a preset manner comprises:
during operation of the target application, obtaining, at a preset time interval, the difference between the two most recent modification times of a specified file;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
judging whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
A5. The method according to A4, wherein obtaining, at a preset time interval, the difference between the two most recent modification times of the specified file comprises:
in response to a call to the Update function of the MonoBehavior class of the target application, performing the operation of obtaining, at a preset time interval, the difference between the two most recent modification times of the specified file.
A6. The method according to A1, wherein acquiring time-related information in a preset manner comprises:
during startup of the target application, obtaining and recording the address of a specified function, and, during operation of the target application, obtaining the address of the specified function in a preset manner; wherein the specified function is a function that returns the current time value;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
if the address of the specified function obtained in the preset manner is inconsistent with the recorded address of the specified function, the target application is compromised by a malicious program.
A7. The method according to A6, wherein the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application.
The embodiments of the invention also disclose B8, a malicious program detection device, comprising:
an acquiring unit, adapted to acquire time-related information in a preset manner when detecting a target application;
a judging unit, adapted to judge, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program.
B9. The device according to B8, wherein
the acquiring unit is adapted to obtain the current time value at a preset time interval during operation of the target application;
the judging unit is adapted to judge whether the difference between two consecutively obtained current time values is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
B10. The device according to B9, wherein
the acquiring unit is adapted to obtain the return value of the clock_gettime function at a preset interval.
B11. The device according to B8, wherein
the acquiring unit is adapted to obtain, at a preset time interval during operation of the target application, the difference between the two most recent modification times of a specified file;
the judging unit is adapted to judge whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
B12. The device according to B11, wherein
the acquiring unit is adapted to perform, in response to a call to the Update function of the MonoBehavior class of the target application, the operation of obtaining, at a preset time interval, the difference between the two most recent modification times of the specified file.
B13. The device according to B8, wherein
the acquiring unit is adapted to obtain and record the address of a specified function during startup of the target application, and to obtain the address of the specified function in a preset manner during operation of the target application; wherein the specified function is a function that returns the current time value;
the judging unit is adapted to determine that the target application is compromised by a malicious program if the address of the specified function obtained in the preset manner is inconsistent with the recorded address of the specified function.
B14. The device according to B13, wherein the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application.
The embodiments of the invention also disclose C15, an electronic device, wherein the electronic device comprises: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform the method according to any one of A1-A7.
The embodiments of the invention also disclose D16, a computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs which, when executed by a processor, implement the method according to any one of A1-A7.
Claims (10)
1. A malicious program detection method, comprising:
when detecting a target application, acquiring time-related information in a preset manner;
judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program.
2. The method of claim 1, wherein acquiring time-related information in a preset manner comprises:
during operation of the target application, obtaining the current time value at a preset time interval;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
judging whether the difference between two consecutively obtained current time values is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
3. The method of claim 2, wherein obtaining the current time value at a preset interval comprises:
obtaining the return value of the clock_gettime function at a preset interval.
4. The method of claim 1, wherein acquiring time-related information in a preset manner comprises:
during operation of the target application, obtaining, at a preset time interval, the difference between the two most recent modification times of a specified file;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
judging whether the difference between the two most recent modification times is consistent with the preset time interval; if it is not, the target application is compromised by a malicious program.
5. The method of claim 4, wherein obtaining, at a preset time interval, the difference between the two most recent modification times of the specified file comprises:
in response to a call to the Update function of the MonoBehavior class of the target application, performing the operation of obtaining, at a preset time interval, the difference between the two most recent modification times of the specified file.
6. The method of claim 1, wherein acquiring time-related information in a preset manner comprises:
during startup of the target application, obtaining and recording the address of a specified function, and, during operation of the target application, obtaining the address of the specified function in a preset manner; wherein the specified function is a function that returns the current time value;
and judging, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program comprises:
if the address of the specified function obtained in the preset manner is inconsistent with the recorded address of the specified function, the target application is compromised by a malicious program.
7. The method of claim 6, wherein the specified function is the native function corresponding to the System.currentTimeMillis function and the System.nanoTime function in the process of the target application.
8. A malicious program detection device, comprising:
an acquiring unit, adapted to acquire time-related information in a preset manner when detecting a target application;
a judging unit, adapted to judge, according to the acquired time-related information and preset rules, whether the target application is compromised by a malicious program.
9. An electronic device, wherein the electronic device comprises: a processor; and a memory arranged to store computer-executable instructions which, when executed, cause the processor to perform the method of any one of claims 1-7.
10. A computer-readable storage medium, wherein the computer-readable storage medium stores one or more programs which, when executed by a processor, implement the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811182285.XA CN109464805A (en) | 2018-10-11 | 2018-10-11 | Malware detection methods, device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109464805A true CN109464805A (en) | 2019-03-15 |
Family
ID=65665015
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811182285.XA Pending CN109464805A (en) | 2018-10-11 | 2018-10-11 | Malware detection methods, device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109464805A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2023019789A1 (en) * | 2021-08-19 | 2023-02-23 | 完美世界征奇(上海)多媒体科技有限公司 | Plug-in detection method and apparatus, electronic device, and storage medium |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104052636A (en) * | 2014-06-23 | 2014-09-17 | 福建天晴数码有限公司 | Clock device, method and system for monitoring plug-in of online game |
CN104123488A (en) * | 2014-08-14 | 2014-10-29 | 北京网秦天下科技有限公司 | Method and device for verifying application program |
CN104461830A (en) * | 2014-12-19 | 2015-03-25 | 北京奇虎科技有限公司 | Method and device for monitored progress |
CN105426751A (en) * | 2015-10-27 | 2016-03-23 | 珠海市君天电子科技有限公司 | Method and device for preventing system time from being tampered |
CN105956467A (en) * | 2016-04-21 | 2016-09-21 | 北京金山安全软件有限公司 | System time setting method and device and electronic equipment |
CN105988927A (en) * | 2015-02-16 | 2016-10-05 | 杭州快迪科技有限公司 | Method for detecting speed-change cheating behavior in operating process of software |
CN106230644A (en) * | 2016-08-31 | 2016-12-14 | 北京像素软件科技股份有限公司 | The detection method that a kind of client is accelerated |
CN107403093A (en) * | 2016-05-20 | 2017-11-28 | 卡巴斯基实验室股份制公司 | The system and method for detecting unnecessary software |
CN107729755A (en) * | 2017-09-28 | 2018-02-23 | 努比亚技术有限公司 | A kind of terminal safety management method, terminal and computer-readable recording medium |
CN108176053A (en) * | 2018-01-04 | 2018-06-19 | 网易(杭州)网络有限公司 | It plays plug-in detection method, device, server, client and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||