CN109684846A - A file extraction method and device - Google Patents

A file extraction method and device

Publication number
CN109684846A
Authority
CN
China
Legal status
Pending
Application number
CN201811625896.7A
Other languages
Chinese (zh)
Inventor
王烨
罗诗尧
赵遐
Current Assignee
Weimeng Chuangke Network Technology China Co Ltd
Original Assignee
Weimeng Chuangke Network Technology China Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The invention discloses a file extraction method that addresses the following problem: in practice, the methods provided by the prior art cannot extract the dex file from an Android installation package, so static analysis cannot be performed on application code that has been hardened or packed. The method includes: judging whether the application currently being loaded by the system is the target application whose target file is to be extracted; if the currently loaded application is determined to be the target application, obtaining from the class loader the class loader's method for loading the target file; and extracting the target file using the obtained method. The invention also discloses a file extraction device and a readable storage medium.

Description

A file extraction method and device
Technical field
The present invention relates to the field of computer application security, and in particular to a file extraction method and device.
Background
To keep mobile terminals secure, applications usually need to undergo security testing. In the related art, security testing of applications falls mainly into two approaches, dynamic analysis and static analysis. Because static analysis can find errors in an application quickly during security testing and greatly reduces development cost, it is the more favoured of the two. Static analysis is a code analysis technique that scans the application's code to verify whether it meets criteria such as conformance to standards and security, and thereby determines whether the application is secure. However, because an application's code is stored mainly in executable files (dex files) after compilation, static analysis of the code first requires obtaining the dex file.
In the prior art, the dex file can be obtained by parsing the Android installation package file directly. In practice, however, developers usually harden or pack the Android installation package to protect it, that is, they apply protective processing to the key information of the installation package. The prior art cannot directly parse an installation package file that has been hardened, so the methods it provides cannot extract the dex file from the Android installation package, and static analysis therefore cannot be performed on the hardened or packed application code.
A method is therefore needed that can still extract the dex file from a hardened or packed Android installation package, so that static analysis can be performed on the hardened or packed application code.
Summary of the invention
The embodiments of the present invention provide a method for extracting the dex file from a hardened or packed Android installation package, to solve the problem that the prior art cannot directly parse such a package, cannot extract the dex file, and therefore cannot perform static analysis on the hardened or packed application code.
The embodiments of the present invention also provide a file extraction device, to solve the same problem: the prior art cannot directly parse a hardened or packed Android installation package, cannot extract the dex file, and therefore cannot perform static analysis on the hardened or packed application code.
The embodiments of the present invention adopt the following technical solutions:
A file extraction method, comprising:
judging whether the application currently being loaded by the system is the target application whose target file is to be extracted;
if the currently loaded application is determined to be the target application, obtaining from the class loader the class loader's method for loading the target file;
extracting the target file using the obtained class loader method for loading the target file.
A file extraction device, comprising:
a judgment module, for judging whether the application currently being loaded by the system is the target application whose target file is to be extracted;
an obtaining module, for obtaining from the class loader the class loader's method for loading the target file if the currently loaded application is determined to be the target application;
a target file extraction module, for extracting the target file using the obtained class loader method for loading the target file.
At least one of the above technical solutions adopted by the embodiments of the present invention can achieve the following beneficial effects:
Because the Android system needs a dex file at run time, an application, whatever processing it has undergone (for example, hardening or packing), must ultimately release a dex file for the system to run (load). The system's method for loading the dex file includes the way to extract the dex file, so obtaining the system's method for loading the dex file is enough to extract it. With the method provided by the embodiments of the present invention, the class loader's method for loading the dex file can be obtained, the way to extract the dex file can be obtained from that method, and the dex file can be extracted from the hardened or packed Android installation package accordingly. This solves the problem that the prior art cannot directly parse a hardened or packed Android installation package, cannot extract the dex file, and therefore cannot perform static analysis on the hardened or packed application code.
Brief description of the drawings
The drawings described here provide a further understanding of the present invention and form part of it. The illustrative embodiments of the invention and their description are used to explain the invention and do not improperly limit it. In the drawings:
Fig. 1 is a flow diagram of a specific implementation of a file extraction method provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of a specific implementation, in the file extraction method, of judging whether the application loaded by the system is the target application whose target file is to be extracted;
Fig. 3 is a flow diagram of a specific implementation, in the file extraction method, of obtaining from the class loader the class loader's method for loading the target file;
Fig. 4 is a flow diagram of a specific implementation, in the file extraction method, of extracting the target file using the class loader's method for loading the target file;
Fig. 5 is a structural diagram of a file extraction device provided by an embodiment of the present invention.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the invention are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.
The technical solutions provided by the embodiments of the present invention are described in detail below with reference to the drawings.
Embodiment 1
This embodiment provides a file extraction method, to solve the problem that the prior art cannot directly parse a hardened or packed Android installation package, cannot extract the dex file, and therefore cannot perform static analysis on the hardened or packed application code.
The executing subject of the file extraction method may be, but is not limited to, at least one of a mobile phone, a tablet computer, a personal computer (PC), a smart television, or any terminal device capable of running applications. The executing subject may also be a server, for example a server that extracts the target dex file (which may be called a dex file extraction server).
For ease of description, the method is introduced below with a dex file extraction server as the executing subject. This choice is only an illustration and should not be read as a limitation of the method.
The flow of the method is shown in Fig. 1 and mainly includes the following steps:
Step 11: judge whether the application currently being loaded by the system is the target application whose target file is to be extracted.
In this embodiment, judging whether the application loaded by the system is the target application whose target file is to be extracted may, as shown in Fig. 2, include the following five sub-steps:
Sub-step 111: create an interface for monitoring the application the system is currently loading.
In this embodiment, the interface is a Java interface. The Java interface is created mainly so that, when the system loads an application, the interface can be called to monitor information about the application currently being loaded (such as its package name) and, when the application being loaded is found to be the target application whose target file is to be obtained, to notify the dex file extraction server so that it can carry out the subsequent operations.
To make the interface callable, its function must first be written or defined. This can usually be done by overriding an interface method in a development kit. For example, taking Xposed (the Xposed installer, the Xposed framework), which modifies system framework services, the interface method in the Xposed framework development kit XposedBridgeApi-xx.jar can be overridden so that the interface monitors the application the system is currently loading, and the package name of the target application whose target file is to be obtained is written into the interface method. When the interface detects that the application currently being loaded is that target application, it notifies the dex file extraction server so that the server can carry out the subsequent operations.
Note that the Xposed development kit XposedBridgeApi-xx.jar is only an illustrative example and does not limit the specific embodiments of the invention; the Xposed development kit may be, for example, XposedBridgeApi-42.jar, XposedBridgeApi-54.jar or XposedBridgeApi-89.jar.
Sub-step 112: determine the package name of the target application whose target file is to be extracted.
The package name of the target application is the unique ID of the application, so determining the package name determines the target application. In this embodiment the target application may also be determined through any other characteristic information that uniquely identifies an application. For example, assume that the package name of the target application is "android.Thunder". The package name can be determined as follows: obtain the application label of the target application whose target file is to be extracted; then determine the package name of the target application from the mapping between application labels and a preset label library. Besides using this mapping, the embodiment can also perform reverse analysis on the package of the target application to obtain a core function that carries return address information, and then determine the package name of the target application from that core function.
Sub-step 113: use the interface to monitor the application the system is currently loading, to determine the package name of that application.
The new interface created in step 111 monitors the application the system is currently loading, to determine its package name. For example, the handleLoadPackage(LoadPackageParam lpparam) function of the IXposedHookLoadPackage interface can be monitored, and the package name of the currently loaded application determined from what is observed through that function. In this embodiment, assuming that what is observed through the function is "android.Thunder", the package name of the currently loaded application is determined to be "android.Thunder".
Sub-step 114: judge whether the package name of the application currently being loaded is consistent with the package name of the target application; if so, determine that the application currently being loaded is the target application whose target file is to be extracted.
Continuing the example above: step 112 determines that the package name of the target application is "android.Thunder", and the function monitored by the interface in step 113 determines that the package name of the currently loaded application is "android.Thunder". Comparing the two shows that the package name of the currently loaded application is consistent with that of the target application.
From the judgment result of step 114, the package name of the currently loaded application is consistent with that of the target application, so the application currently being loaded is determined to be the target application whose target file is to be extracted.
Step 12: if the currently loaded application is determined to be the target application whose target file is to be extracted, obtain from the class loader the class loader's method for loading the target file.
In this embodiment, for example, a function hooking method can be used to obtain the class loader's method for loading the target file from the application package corresponding to the target application. As shown in Fig. 3, this may include the following sub-steps:
Sub-step 121: determine the package name and class name of the target application whose target file is to be extracted.
The package name of the target application can be determined directly by the method of sub-step 112; the class name of the target application can be looked up directly with third-party software (for example, a tool for viewing package names and class names).
Sub-step 122: based on the package name and class name, use the function hooking method to obtain the class loader's method for loading the target file from the application package corresponding to the target application.
Before the function hooking method is used to obtain the class loader's method for loading the target file from the application package, a hook function must first be created. When a hook function (hook method) is created, the system first creates a data structure in memory that holds information such as the package name and class name corresponding to the target function to be hooked, and creates a hook linked list; the data structure is then added to the hook linked list for later calls.
For example, the class loader's method for loading the target file can be obtained through a JNI hook method created in the Android system. Specifically, findAndHookMethod of the XposedBridge class in the Xposed framework can be used as the function that hooks the class loader's method for loading the target file. A data structure is constructed through the XC_MethodHook or XC_MethodReplacement method, the determined package name and class name of the target application are saved in the data structure, a hook linked list is created, and the data structure is added to it. The class loader's method for loading the target file is then obtained from the class loader according to the data structure information in the hook linked list.
Note that Android includes class loaders such as BootClassLoader, PathClassLoader and DexClassLoader. BootClassLoader is used by the virtual machine to load system classes; PathClassLoader is used by an app to load the classes in its own dex files; DexClassLoader can load files that directly or indirectly contain dex files, such as APKs. The class loader used in this embodiment may be any of the above.
This embodiment uses the function hooking method of the Xposed framework. Because of the hooking mechanism, the class loader's method for loading the target file can be obtained directly from the class loader the first time the target application starts, which avoids the cumbersome process of the polling-based approach in the prior art. The function hooking method of the Xposed framework used here has almost no effect on system performance, and it is simple to install and easy to use.
In addition, because the target dex file is loaded when the application calls certain specific functions (for example, the OnAttach function or the openDEXfile function), this embodiment can obtain the class loader's method for loading the target dex file not only through a JNI hook method created in the Android system, but also by monitoring the activity of the target application whose target file is to be obtained. For example, the hook function monitors for the target application calling the OnAttach function and then hooks the OnAttach function to obtain the dex file information; next, the class loader is obtained from the parameters that the target application process passes to the OnAttach function; finally, the cookie information stored on the user's local terminal is obtained from the class loader, and from it the class loader's method for loading the target file. The cookie information includes the method for loading the target dex file.
Step 13: extract the target file using the obtained class loader method for loading the target file.
Because the return value of the class loader's method for loading the target file includes the method for extracting the target file, the class loader's method for loading the target file can be used to extract the target file. In this embodiment, as shown in Fig. 4, this may include the following steps:
Sub-step 131: run the class loader's method for loading the target file, to obtain the return value of that method after it has run; the return value includes the method for extracting the target file.
Preferably, in this embodiment, the post-execution method afterHookedMethod of the Xposed framework can be used to act on the obtained class loader method for loading the target file, loadClass, and the return value of loadClass in the system's java.lang.ClassLoader is then obtained through the getDex() method in afterHookedMethod. Alternatively, according to actual needs, either of the two other Xposed framework methods, injection before the function executes (beforeHookedMethod) or replacement of the code segment the function executes (replaceHookedMethod), can be chosen to act on the obtained class loader method for loading the target file.
In this embodiment, the return value of the class loader's method for loading the target file, loadClass, may be of type java.lang.Class, and the java.lang.Class type contains the method getDex() for extracting the target file.
Sub-step 132: extract the target file according to the return value.
From the above analysis, because the return type java.lang.Class of loadClass contains the method getDex() for extracting the target file, the target file can be extracted according to the return value. However, the file obtained directly by processing the return value with getDex() is binary code executable by the virtual machine in the Android system, on which static analysis cannot be performed directly. To make the extracted file directly usable for static analysis, the following operations can also be performed:
First, obtain a first object of the target file according to the return value; the first object is binary code executable by the virtual machine in the Android system.
For example, the first object com.android.dex.Dex of the target dex file is obtained through the getDex() contained in the return value.
Second, call the first object by reflection to obtain a second object of the target file; the second object is the bytecode of the target file.
Reflection is used here to obtain the set of methods of a class object, mainly through the following methods: getDeclaredMethods(), getMethods() and getMethod. getDeclaredMethods() returns all methods declared by a class or interface, including public, protected, default (package) access and private methods, but not inherited methods. getMethods() returns all public methods of a class, including the public methods of the classes it inherits from. getMethod returns one specific method; its first parameter is the method name, and the following parameters are the Class objects corresponding to the method's parameters. In this embodiment, getMethod reflection can be used to call getBytes() of the first object com.android.dex.Dex to obtain the bytecode of the target dex file.
Third, write the second object to the default SD card to obtain the dex file, thereby extracting the dex file.
With the method provided by this embodiment, because the Android system needs a dex file at run time, an application, whatever processing it has undergone (for example, hardening or packing), must ultimately release a dex file for the system to run (load). The system's method for loading the dex file includes the way to extract the dex file, so obtaining the system's method for loading the dex file is enough to extract it. With the method provided by this embodiment, the class loader's method for loading the dex file can be obtained, the way to extract the dex file can be obtained from that method, and the dex file can be extracted from the hardened or packed Android installation package accordingly. This solves the prior-art problem that static analysis cannot be performed on the application code of a hardened or packed Android installation package.
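
Steps 11 to 13 as an Xposed module in Java, for analysts who need the dex of a packed sample for static analysis. This is an added example, not code from the patent. The class name `DexDumpModule`, the output directory and the SHA-256 file naming are assumptions, "android.Thunder" is the example package name used in the description, and `Class.getDex()` is a hidden method that is not present on every Android release.

```java
package com.example.dexdump; // hypothetical package name

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.lang.reflect.Method;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

import de.robv.android.xposed.IXposedHookLoadPackage;
import de.robv.android.xposed.XC_MethodHook;
import de.robv.android.xposed.XposedBridge;
import de.robv.android.xposed.XposedHelpers;
import de.robv.android.xposed.callbacks.XC_LoadPackage.LoadPackageParam;

public class DexDumpModule implements IXposedHookLoadPackage {
    // Example package name taken from the description (sub-step 112).
    private static final String TARGET_PACKAGE = "android.Thunder";
    // Assumed output directory; the hooked process must be allowed to write here.
    private static final File OUT_DIR = new File("/sdcard/dexdump");

    // Dex objects already handled, compared by identity: many classes share one
    // dex, and loadClass fires for every class, so each dex is written only once.
    private final Set<Object> dumped = Collections.synchronizedSet(
            Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>()));
    // Set when Class.getDex() does not exist, to avoid logging on every class load.
    private volatile boolean getDexMissing = false;

    @Override
    public void handleLoadPackage(LoadPackageParam lpparam) throws Throwable {
        // Step 11: act only when the package being loaded is the target application.
        if (!TARGET_PACKAGE.equals(lpparam.packageName)) {
            return;
        }
        // Step 12: hook the class loader's loading method. In the Xposed API,
        // findAndHookMethod is a static helper on XposedHelpers.
        XposedHelpers.findAndHookMethod("java.lang.ClassLoader", lpparam.classLoader,
                "loadClass", String.class, boolean.class, new XC_MethodHook() {
                    @Override
                    protected void afterHookedMethod(MethodHookParam param) {
                        // Step 13: the return value is the java.lang.Class that was
                        // loaded; it is null when loadClass threw.
                        Object result = param.getResult();
                        if (result instanceof Class) {
                            dumpDexOf((Class<?>) result);
                        }
                    }
                });
    }

    private void dumpDexOf(Class<?> cls) {
        if (getDexMissing) {
            return;
        }
        try {
            // First object: com.android.dex.Dex, obtained through Class.getDex().
            Method getDex = Class.class.getMethod("getDex");
            Object dex = getDex.invoke(cls);
            if (dex == null || !dumped.add(dex)) {
                return; // nothing to dump, or this dex was already handled
            }
            // Second object: the dex bytes, obtained by reflection on getBytes().
            byte[] bytes = (byte[]) dex.getClass().getMethod("getBytes").invoke(dex);
            File out = write(bytes);
            XposedBridge.log("dexdump: wrote " + bytes.length + " bytes to " + out);
        } catch (NoSuchMethodException e) {
            getDexMissing = true;
            XposedBridge.log("dexdump: getDex()/getBytes() not available on this release");
        } catch (Throwable t) {
            // A failed write is logged and not retried for the same dex.
            XposedBridge.log(t);
        }
    }

    // Third step: write the bytes to storage, named by their SHA-256 digest so the
    // same dex seen in a later run maps to the same file.
    private static File write(byte[] bytes) throws Exception {
        if (!OUT_DIR.mkdirs() && !OUT_DIR.isDirectory()) {
            throw new IOException("cannot create " + OUT_DIR);
        }
        StringBuilder name = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(bytes)) {
            name.append(String.format("%02x", b));
        }
        File out = new File(OUT_DIR, name + ".dex");
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(bytes);
        }
        return out;
    }
}
```

The hook also fires for framework classes, so the output directory will contain framework dex files alongside the one the packer released; the files can be told apart by the classes they define.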
Embodiment 2
The embodiment of the invention provides a kind of file extraction element 50, to solve due to can not be to adding using the prior art Gu or the Android installation kit after shell adding is directly parsed, and the problem of causing dex file that can not extract.The specific knot of the device Structure schematic diagram is as shown in Figure 5, comprising: judgment module 51 obtains module 52 and file destination extraction module 53.Wherein, each mould Block function is as follows:
Judgment module 51, for judge system currently load using whether be file destination to be extracted target application;
It include creating unit, packet name extraction unit in judgment module 51, using the determining list of packet name in the embodiment of the present invention Member, judging unit and target application determination unit, wherein each unit function is as follows:
Creating unit is used for the interface that monitoring system currently loads application for creating one;
Packet name extraction unit, the packet name of the target application for determining the file destination to be extracted;
Using packet name determination unit, for currently being loaded to system using the interface using monitoring, to determine system The packet name of the current load application of system;
Judging unit, for judge the system currently load target application described in the Bao Mingyu of application packet name whether one It causes;
Target application determination unit, for when the judgment result is yes, it is determined that it is to be extracted that system, which is currently loaded and applied, The target application of file destination.
Module 52 is obtained, is used for if it is determined that when current load application is the target application, then from Classloader The method for obtaining Classloader load file destination;
Preferably, in the embodiment of the present invention, obtaining module 52 includes determination unit and acquiring unit, wherein is determined single Member, for determining the packet name and class name of the target application of the file destination to be extracted;Acquiring unit, for based on described Packet name and class name, hook up method using function and obtain Classloader from the corresponding application package of the target application and add The method for carrying file destination.
In the embodiment of the present invention, obtaining module 52 can also be used in: it monitors destination application and calls OnAttach function, It hooks up the OnAttach function then to obtain dex the file information, then, gives OnAttach letter according to target application process transmission Several parameters obtains Classloader;Cookie information is obtained from Classloader;Wherein, cookie information includes load target text The method of part dex.Or call openDEXfile function when monitoring destination application, then hook up the openDEXfile Function is to obtain dex the file information, then, to the parameter of openDEXfile function that dex is literary according to target application process transmission Part information is loaded into caching, and the method for load file destination dex is obtained from the caching.
Target file extraction module 53, configured to extract the target file using the obtained method by which the class loader loads the target file.
Preferably, in this embodiment of the present invention, the target file extraction module 53 includes a running unit and an extraction unit, whose functions are as follows:
Running unit, configured to run the method of loading the target file so as to obtain the return value produced after that method runs, where the return value contains the method of extracting the target file;
Extraction unit, configured to extract the target file according to the return value.
With the file extraction device provided by this embodiment of the present invention: because the Android system needs a dex file at run time, an application program, no matter what processing it has undergone (for example, hardening or packing), must ultimately release a dex file for the system to run (that is, for the system to load). The method by which the system loads the dex file includes the method of extracting the dex file, so obtaining the method by which the system loads the dex file is enough to extract the dex file. The device provided by this embodiment can obtain the method by which the class loader loads the dex file, obtain the dex extraction method from it, and extract the dex file from the hardened or packed Android installation package according to that extraction method. This solves the prior-art problem that the application code of a hardened or packed Android installation package could not be statically analyzed.
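The paragraph above ends with an extracted dex file being handed to static analysis. The following Python code is an added example, not part of the patent: it checks that bytes recovered from a dump form a complete, self-consistent DEX image before analysis begins. It assumes the classic 0x70-byte DEX header layout from the published Android dex format; the function names and the sample buffer are constructed for illustration.

```python
import hashlib
import struct
import zlib

MAGIC_PREFIX = b"dex\n"         # followed by three ASCII version digits and NUL
HEADER_SIZE = 0x70              # assumption: classic header, e.g. version 035
ENDIAN_CONSTANT = 0x12345678


def check_dex_at(buf, off):
    """Return a report for a DEX header at buf[off:], or None if it is not one."""
    if len(buf) - off < HEADER_SIZE:
        return None
    magic = buf[off:off + 8]
    if magic[:4] != MAGIC_PREFIX or not magic[4:7].isdigit() or magic[7] != 0:
        return None
    (checksum,) = struct.unpack_from("<I", buf, off + 8)
    signature = buf[off + 12:off + 32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", buf, off + 32)
    if header_size != HEADER_SIZE or endian_tag != ENDIAN_CONSTANT:
        return None
    report = {"offset": off, "version": magic[4:7].decode(), "file_size": file_size,
              "complete": False, "checksum_ok": None, "signature_ok": None}
    if file_size < HEADER_SIZE or off + file_size > len(buf):
        return report           # header is plausible but the image is cut short
    image = buf[off:off + file_size]
    report["complete"] = True
    # checksum: Adler-32 over everything after the magic and checksum fields
    report["checksum_ok"] = (zlib.adler32(image[12:]) & 0xFFFFFFFF) == checksum
    # signature: SHA-1 over everything after magic, checksum and signature
    report["signature_ok"] = hashlib.sha1(image[32:]).digest() == signature
    return report


def carve_dex(buf):
    """Scan a dump for DEX headers and report on each candidate image."""
    reports, pos = [], buf.find(MAGIC_PREFIX)
    while pos != -1:
        report = check_dex_at(buf, pos)
        if report is not None:
            reports.append(report)
        pos = buf.find(MAGIC_PREFIX, pos + 1)
    return reports


def build_sample_image(body=b"\x00" * 16):
    """Constructed sample: header-consistent bytes, not a loadable DEX."""
    size = HEADER_SIZE + len(body)
    tail = struct.pack("<III", size, HEADER_SIZE, ENDIAN_CONSTANT)
    tail += b"\x00" * (HEADER_SIZE - 32 - len(tail)) + body
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


# Constructed dump: filler bytes, one sample image, trailing filler.
SAMPLE_DUMP = b"\xaa" * 37 + build_sample_image() + b"\xbb" * 9

if __name__ == "__main__":
    for r in carve_dex(SAMPLE_DUMP):
        print(r)
```

A report with `complete` set to False means the dump ended before `file_size` bytes were available; a failed checksum or signature means the bytes differ from what the header records, so analysis results from that image should be treated with care.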
In addition, the device for generating the application installation package may include a processor, a storage medium, and the like.
The memory is configured to store program instructions. The processor is coupled to the memory and is configured to read the program instructions stored in the memory and, in response, perform the following operations: judging whether the application currently loaded by the system is the target application of the target file to be extracted; if it is determined that the currently loaded application is the target application, obtaining from the class loader the method by which the class loader loads the target file; and extracting the target file using the method by which the class loader loads the target file.
In this embodiment of the present invention, the processor is configured to judge whether the application currently loaded by the system is the target application of the target file to be extracted by: creating an interface for monitoring the application currently loaded by the system; determining the package name of the target application of the target file to be extracted; monitoring the currently loaded application through the interface to determine the package name of the currently loaded application; judging whether the package name of the currently loaded application is consistent with the package name of the target application; and, when the result of the judgment is yes, determining that the currently loaded application is the target application of the target file to be extracted.
In this embodiment of the present invention, the processor is configured to determine the package name and class name of the target application of the target file to be extracted and, based on the package name and class name and using a function hooking method, obtain from the application package corresponding to the target application the method by which the class loader loads the target file.
In this embodiment of the present invention, the processor is configured to run the method of loading the target file so as to obtain the return value produced after that method runs, where the return value contains the method of extracting the target file, and to extract the target file according to the return value.
An embodiment of the present invention also provides a computer-readable storage medium on which a computer program is stored. When executed by a processor, the computer program implements each process of the above embodiment of the method for extracting the target file dex and can achieve the same technical effect; to avoid repetition, details are not described here again. The computer-readable storage medium is, for example, a read-only memory (Read-Only Memory, ROM), a random access memory (Random Access Memory, RAM), a magnetic disk, or an optical disc.
Those skilled in the art should understand that embodiments of the present invention may be provided as a method, a system, or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, and the like) that contain computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, device (system), and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture that includes an instruction device, and the instruction device implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operation steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device thus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
In a typical configuration, a computing device includes one or more processors (CPUs), an input/output interface, a network interface, and memory.
The memory may include, among computer-readable media, non-volatile memory, random access memory (RAM), and/or forms of non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible to a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "include", "comprise", and any other variants thereof are intended to cover non-exclusive inclusion, so that a process, method, commodity, or device that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to such a process, method, commodity, or device. Without further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, commodity, or device that includes the element.
Those skilled in the art will understand that embodiments of the present application may be provided as a method, a system, or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to magnetic disk storage, CD-ROM, optical memory, and the like) that contain computer-usable program code.
The above description is only an example of the present application and is not intended to limit the present application. For those skilled in the art, various modifications and changes may be made to the present application. Any modification, equivalent replacement, improvement, or the like made within the spirit and principles of the present application shall fall within the scope of the claims of the present application.

Claims (12)

1. A file extraction method, characterized by comprising:
judging whether the application currently loaded by the system is the target application of a target file to be extracted;
if it is determined that the currently loaded application is the target application, obtaining from the class loader the method by which the class loader loads the target file;
extracting the target file using the obtained method by which the class loader loads the target file.
2. The method according to claim 1, characterized in that obtaining from the class loader the method by which the class loader loads the target file specifically comprises:
using a function hooking method, obtaining, from the application package corresponding to the target application, the method by which the class loader loads the target file.
3. The method according to claim 2, characterized in that using a function hooking method to obtain, from the application package corresponding to the target application, the method by which the class loader loads the target file specifically comprises:
determining the package name and class name of the target application of the target file to be extracted;
based on the package name and class name, using a function hooking method to obtain, from the application package corresponding to the target application, the method by which the class loader loads the target file.
4. The method according to claim 1, characterized in that extracting the target file using the obtained method by which the class loader loads the target file specifically comprises:
running the method by which the class loader loads the target file, so as to obtain the return value produced after that method runs, wherein the return value contains the method of extracting the target file;
extracting the target file according to the return value.
5. The method according to claim 1, characterized in that judging whether the application loaded by the system is the target application of the target file to be extracted specifically comprises:
creating an interface for monitoring the application currently loaded by the system;
determining the package name of the target application of the target file to be extracted;
monitoring the application currently loaded by the system through the interface, so as to determine the package name of the currently loaded application;
judging whether the package name of the application currently loaded by the system is consistent with the package name of the target application;
when the result of the judgment is yes, determining that the application currently loaded by the system is the target application of the target file to be extracted.
6. A file extraction device, characterized by comprising:
a judgment module, configured to judge whether the application currently loaded by the system is the target application of a target file to be extracted;
an obtaining module, configured to obtain from the class loader, if it is determined that the currently loaded application is the target application, the method by which the class loader loads the target file;
a target file extraction module, configured to extract the target file using the obtained method by which the class loader loads the target file.
7. The device according to claim 6, characterized in that the obtaining module is specifically configured to:
if it is determined that the currently loaded application is the target application, use a function hooking method to obtain, from the application package corresponding to the target application, the method by which the class loader loads the target file.
8. The device according to claim 7, characterized in that the obtaining module specifically comprises:
a determination unit, configured to determine the package name and class name of the target application of the target file to be extracted;
an acquiring unit, configured to use, based on the package name and class name, a function hooking method to obtain, from the application package corresponding to the target application, the method by which the class loader loads the target file.
9. The device according to claim 6, characterized in that the target file extraction module specifically comprises:
a running unit, configured to run the method by which the class loader loads the target file, so as to obtain the return value produced after that method runs, wherein the return value contains the method of extracting the target file;
an extraction unit, configured to extract the target file according to the return value.
10. The device according to claim 6, characterized in that the judgment module specifically comprises:
a creating unit, configured to create an interface for monitoring the application currently loaded by the system;
a package name extraction unit, configured to determine the package name of the target application of the target file to be extracted;
an application package name determination unit, configured to monitor the application currently loaded by the system through the interface, so as to determine the package name of the currently loaded application;
a judging unit, configured to judge whether the package name of the application currently loaded by the system is consistent with the package name of the target application;
a target application determination unit, configured to determine, when the result of the judgment is yes, that the application currently loaded by the system is the target application of the target file to be extracted.
11. A mobile device, characterized by comprising: a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the computer program, when executed by the processor, implements the steps of the file extraction method according to any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that a computer program is stored on the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the file extraction method according to any one of claims 1 to 5.
CN201811625896.7A 2018-12-28 2018-12-28 A kind of file extraction method and device Pending CN109684846A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811625896.7A CN109684846A (en) 2018-12-28 2018-12-28 A kind of file extraction method and device

Publications (1)

Publication Number Publication Date
CN109684846A true CN109684846A (en) 2019-04-26

Family

ID=66190973

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811625896.7A Pending CN109684846A (en) 2018-12-28 2018-12-28 A kind of file extraction method and device

Country Status (1)

Country Link
CN (1) CN109684846A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190426
