CN110516447B - Method and equipment for identifying terminal simulator - Google Patents


Info

Publication number
CN110516447B
Authority
CN
China
Prior art keywords
instruction
virtualization
behavior information
machine
equipment
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910774713.6A
Other languages
Chinese (zh)
Other versions
CN110516447A (en
Inventor
郑伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Lianshang Network Technology Co Ltd
Original Assignee
Shanghai Lianshang Network Technology Co Ltd
Application filed by Shanghai Lianshang Network Technology Co Ltd
Priority to CN201910774713.6A
Publication of CN110516447A
Application granted
Publication of CN110516447B


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Stored Programmes (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The application aims to provide a method and equipment for identifying a terminal simulator. The method comprises: parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction; matching first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on a reference device; and acquiring the device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information. The method and equipment can increase the accuracy of identifying a terminal simulator and achieve the effect that a hacker cannot bypass the identification.

Description

Method and equipment for identifying terminal simulator
Technical Field
The present application relates to the field of communications, and in particular, to a technique for identifying a terminal simulator.
Background
More and more terminal simulators are appearing on the market. A terminal simulator can simulate the behavior of an actual terminal device, so it is easily used by hackers for behavior that disrupts normal order (for example, order brushing), and accurately identifying terminal simulators has become an important problem. In the prior art, a terminal simulator is generally identified by scanning key files and key attributes, and a hacker can easily bypass such a scheme by modifying those key files or key attributes.
Disclosure of Invention
An object of the present application is to provide a method and apparatus for identifying a terminal simulator.
According to an aspect of the present application, there is provided a method of identifying a terminal simulator, the method including:
parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction;
matching first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on a reference device;
and acquiring the device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information.
According to an aspect of the present application, there is provided an apparatus for identifying a terminal simulator, the apparatus including:
a first module, configured to parse and execute one or more virtualization instructions through a virtual machine in the user equipment, where each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction;
a second module, configured to match first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on a reference device;
and a third module, configured to acquire the device type information of the reference device, and to identify the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information.
According to an aspect of the present application, there is provided an apparatus for recognizing a terminal simulator, wherein the apparatus includes:
parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction;
matching first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on a reference device;
and acquiring the device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information.
According to one aspect of the application, there is provided a computer-readable medium storing instructions that, when executed, cause a system to:
parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction;
matching first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on a reference device;
and acquiring the device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information.
Compared with the prior art, the present application performs virtualization processing on a machine instruction to obtain a virtualization instruction, interprets and executes the virtualization instruction in a virtual machine on the user equipment, and compares the instruction behavior information produced during that execution with the reference instruction behavior information of the same virtualization instruction on a reference device, in order to detect whether the user equipment is a terminal simulator. This can improve the accuracy of identifying a terminal simulator and achieve the effect that a hacker cannot bypass the identification.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
FIG. 1 illustrates a flow diagram of a method of identifying a terminal simulator according to some embodiments of the present application;
FIG. 2 illustrates a structure diagram of an apparatus for identifying a terminal simulator according to some embodiments of the present application;
FIG. 3 illustrates an exemplary system that can be used to implement the various embodiments described in this application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both persistent and non-persistent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The device referred to in this application includes, but is not limited to, a user device, a network device, or a device formed by integrating a user device and a network device through a network. The user equipment includes, but is not limited to, any mobile electronic product capable of human-computer interaction with a user (e.g., through a touch panel), such as a smart phone or a tablet computer, and the mobile electronic product may employ any operating system, such as the Android operating system or the iOS operating system. The network device includes an electronic device capable of automatically performing numerical calculation and information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud of multiple servers; here, the cloud is composed of a large number of computers or network servers based on cloud computing, which is a kind of distributed computing: one virtual supercomputer consisting of a collection of loosely coupled computers. The network includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN network, a wireless ad hoc network, etc. Preferably, the device may also be a program running on the user device, the network device, or a device formed by integrating the user device and the network device, the touch terminal, or the network device and the touch terminal through a network.
Of course, those skilled in the art will appreciate that the foregoing is by way of example only, and that other existing or future devices, which may be suitable for use in the present application, are also encompassed within the scope of the present application and are hereby incorporated by reference.
In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Fig. 1 shows a flowchart of a method for identifying a terminal simulator according to an embodiment of the present application. The method includes steps S11, S12, and S13. In step S11, the user equipment parses and executes one or more virtualization instructions through a virtual machine in the user equipment, where each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction. In step S12, the user equipment matches the first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against the second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on the reference device. In step S13, the user equipment obtains the device type information of the reference device and, if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information, identifies the user equipment as a terminal simulator.
In step S11, the user equipment parses and executes one or more virtualization instructions through a virtual machine in the user equipment, where each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction. In some embodiments, the virtual machine is a complete system with complete hardware system functions that runs in a completely isolated environment. It can be used to interpret and run bytecode, includes components such as a processor, registers, a stack, and a heap, and can be installed on the user equipment together with a target application as a separate module in that application. The virtualization instructions are obtained by performing virtualization processing on machine instructions. The machine instructions include, but are not limited to, instructions in instruction sets such as arm, stem 32, and arm64, for example MOV, XOR, CMP, and RET. The virtualization processing includes, but is not limited to, replacing the machine instructions with a set of virtualization instructions in custom bytecode, for example replacing the machine instruction MOV with the custom bytecode "0xa0". The virtualization instructions are interpreted and executed in the virtual machine, and the interpreting and executing operation at least comprises performing reverse virtualization processing on the virtualization instruction to obtain the corresponding machine instruction, and executing that machine instruction.
In step S12, the user equipment matches the first instruction behavior information of the virtualization instruction, produced while it is parsed and executed, against the second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on the reference device. In some embodiments, the instruction behavior information includes, but is not limited to, the execution result of the instruction, intermediate variables generated during execution of the instruction, and changes to the instruction execution environment (registers, stack, heap, and the like) during execution of the instruction. The reference device may be a terminal simulator or an actual terminal device. Whether the first instruction behavior information, from interpreting and executing the virtualization instruction on the user equipment, matches the second instruction behavior information, from interpreting and executing it on the reference device, is determined by checking whether the similarity between the two is greater than or equal to a predetermined similarity threshold (e.g., 90%). The second instruction behavior information is known; it can be stored in the user equipment in advance or requested from a corresponding server in real time.
In step S13, the user equipment obtains the device type information of the reference device and, if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information, identifies the user equipment as a terminal simulator. In some embodiments, the device type information of the reference device indicates whether the reference device is a terminal simulator and, when it is, the type of architecture it uses (e.g., an arm architecture, an x86 architecture, etc.). If the device type information indicates that the reference device is a terminal simulator and the similarity between the first instruction behavior information and the second instruction behavior information is greater than or equal to a predetermined similarity threshold (e.g., 90%), it may be determined that the first instruction behavior information matches the second instruction behavior information, and the user equipment is thereby identified as a terminal simulator.
In some embodiments, the method further comprises at least any one of: if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information does not match the second instruction behavior information, identifying the user equipment as a terminal simulator; if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information does not match the second instruction behavior information, identifying the user equipment as an actual terminal device; and if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information matches the second instruction behavior information, identifying the user equipment as an actual terminal device. For example, suppose the predetermined similarity threshold is 90%. If the device type information indicates that the reference device is an actual terminal device and the similarity between the first and second instruction behavior information is 80%, which is smaller than the threshold, the two do not match and the user equipment may be identified as a terminal simulator. If the device type information indicates that the reference device is a terminal simulator and the similarity is 70%, which is smaller than the threshold, the two do not match and the user equipment can be identified as an actual terminal device. If the device type information indicates that the reference device is an actual terminal device and the similarity is 95%, which is greater than the threshold, the two match and the user equipment can be identified as an actual terminal device.
In some embodiments, the method further includes step S14 (not shown). In step S14, the user equipment determines the device type information of the terminal simulator according to the device type information of the reference device. For example, once the user equipment has been identified as a terminal simulator, if the device type information indicates that the reference device is an arm architecture terminal simulator, it may be determined that the terminal simulator also uses the arm architecture; if the device type information indicates that the reference device is an x86 architecture terminal simulator, it may be determined that the terminal simulator also uses the x86 architecture.
In some embodiments, step S13 includes: acquiring the device type information of the reference device and, if the device type information indicates that the reference device is a terminal simulator based on the Intel architecture and the first instruction behavior information matches the second instruction behavior information, identifying the user equipment as a terminal simulator based on the Intel architecture. In some embodiments, the Intel-architecture terminal simulator is currently the mainstream terminal simulator on the market and includes HAXM (Intel's Hardware Accelerated Execution Manager). HAXM is a hardware-assisted virtualization engine that uses VT (Intel Virtualization Technology) and can greatly improve the performance and running speed of the terminal simulator. Because HAXM affects the execution of machine instructions on the virtual machine, the instruction behavior information of the same machine instruction on an Intel-based terminal simulator differs from that on an actual terminal device. If the first instruction behavior information matches the second instruction behavior information, the user equipment is identified as a terminal simulator based on the Intel architecture.
In some embodiments, the method further includes step S15 (not shown). In step S15, if the user equipment is a terminal simulator, a detection result is sent to a network device, so that the network device marks one or more device behaviors corresponding to the user equipment. In some embodiments, when the detection result indicates that the user equipment is a terminal simulator, the detection result is sent to a corresponding server. The detection result includes, but is not limited to, identification information (such as a MAC address) capable of uniquely identifying the user equipment. After receiving the detection result, the server marks the device behaviors corresponding to that identification information that are stored in a database, a file, or the server cache. The marked device behaviors may carry a certain security risk because they are terminal simulator behaviors rather than actual terminal device behaviors, and they are marked so that the server can subsequently perform security analysis on them. The device behaviors include, but are not limited to, voting behaviors, billing behaviors, behaviors related to value-added services, and the like.
In some embodiments, the virtual machine is located in a target application on the user equipment, and the method further comprises step S16 (not shown). In step S16, if the user equipment is a terminal simulator, one or more functions in the target application are disabled. In some embodiments, if the virtual machine is a module, plug-in, or hosted program installed in a target application on the user equipment, then when the user equipment is a terminal simulator, the user is prohibited from using one or more functions in the target application, including but not limited to functions related to value-added services and functions related to internet banking or virtual currency, to enhance the security of the target application.
In some embodiments, step S11 includes: the user equipment parses and executes one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction, and the number of the virtualization instructions satisfies a predetermined number threshold. In some embodiments, a relatively correct detection result can be obtained only when the number of virtualization instructions interpreted and executed by the virtual machine exceeds a predetermined number threshold (for example, 5). The first instruction behavior information corresponding to the plurality of virtualization instructions as they are interpreted and executed is matched against the second instruction behavior information produced when those virtualization instructions are interpreted and executed on the reference device (for example, if the ratio of the number of virtualization instructions whose behavior matches the second instruction behavior information to the total number of virtualization instructions interpreted and executed exceeds 90%, the user equipment can be accurately identified as a terminal simulator). This ensures the correctness of the identification result and reduces the probability of error as far as possible.
In some embodiments, the virtual machine is located in a target application on the user equipment, and step S11 includes: in response to an installation completion event of the target application, the user equipment parses and executes one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction. In some embodiments, when the target application is installed on the user equipment for the first time, the virtual machine in the target application interprets and executes one or more virtualization instructions to detect whether the user equipment is a terminal simulator.
In some embodiments, the virtual machine is located in a target application, and step S11 includes: in response to an update completion event of the target application, the user equipment parses and executes one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction. In some embodiments, each time a version update of the target application on the user equipment is completed, the virtual machine in the target application interprets and executes one or more virtualization instructions to detect whether the user equipment is a terminal simulator.
In some embodiments, parsing and executing one or more virtualization instructions through the virtual machine in the user equipment comprises: performing reverse virtualization processing on the one or more virtualization instructions through the virtual machine in the user equipment, interpreting them to obtain the one or more corresponding machine instructions; and executing the machine instructions by the virtual machine. Step S12 then includes: the user equipment matches the first instruction behavior information of the machine instruction, produced while it is executed, against the second instruction behavior information of the virtualization instruction, produced when it is parsed and executed on the reference device. For example, the virtualization instruction is "0xa0". The virtual machine performs reverse virtualization processing on it to obtain the corresponding machine instruction MOV, then executes the machine instruction MOV in the virtual machine, and matches the first instruction behavior information of the machine instruction MOV, produced while it is executed, against the corresponding second instruction behavior information of the machine instruction MOV on the reference device. Whether the two match is determined by checking whether the similarity between the first instruction behavior information and the second instruction behavior information is greater than or equal to a predetermined similarity threshold (e.g., 90%).
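The flow of steps S11 to S13, together with the instruction-count threshold and the four decision rules, can be modelled as below. This is an added example, not code from the patent: only the "0xa0" to MOV mapping and the 90% and 5 thresholds come from the text, while the other opcode values, the three-byte instruction encoding, the four-register state, and the `simulator_quirk` flag (a constructed stand-in for platform-induced divergence) are assumptions.

```python
"""Toy model of steps S11-S13: interpret custom bytecode, record per-instruction
behavior, match it against a reference trace, then apply the decision rules."""
from typing import List, Tuple

# Custom bytecode -> machine instruction. 0xA0 -> MOV is the text's example;
# the other three opcode values are assumptions made for this illustration.
OPCODES = {0xA0: "MOV", 0xA1: "XOR", 0xA2: "CMP", 0xA3: "RET"}
SIMILARITY_THRESHOLD = 0.90  # "predetermined similarity threshold (e.g., 90%)"
MIN_INSTRUCTIONS = 5         # "predetermined number threshold (for example, 5)"

# One behavior record: (mnemonic, register file after execution, zero flag).
Record = Tuple[str, Tuple[int, ...], bool]


def run_vm(bytecode: bytes, simulator_quirk: bool = False) -> List[Record]:
    """Interpret 3-byte instructions (opcode, operand a, operand b).

    simulator_quirk is a constructed stand-in for platform-induced divergence:
    when set, XOR also clears the zero flag. On a real platform the difference
    comes from the execution environment, not from a switch like this one.
    """
    if len(bytecode) % 3:
        raise ValueError("bytecode length must be a multiple of 3")
    regs, zero, trace = [0, 0, 0, 0], False, []
    for pc in range(0, len(bytecode), 3):
        op, a, b = bytecode[pc:pc + 3]
        if op not in OPCODES:
            raise ValueError(f"unknown virtualization instruction 0x{op:02x}")
        mnemonic = OPCODES[op]  # reverse virtualization: bytecode -> instruction
        if mnemonic != "RET" and a >= len(regs):
            raise ValueError("destination register out of range")
        if mnemonic in ("XOR", "CMP") and b >= len(regs):
            raise ValueError("source register out of range")
        if mnemonic == "MOV":      # MOV r[a], immediate b
            regs[a] = b
        elif mnemonic == "XOR":    # XOR r[a], r[b]
            regs[a] ^= regs[b]
            if simulator_quirk:
                zero = False
        elif mnemonic == "CMP":    # CMP r[a], r[b] sets the zero flag
            zero = regs[a] == regs[b]
        trace.append((mnemonic, tuple(regs), zero))
        if mnemonic == "RET":
            break
    return trace


def similarity(first: List[Record], second: List[Record]) -> float:
    """Share of instruction positions whose behavior records are identical."""
    total = max(len(first), len(second))
    if total == 0:
        return 0.0
    return sum(1 for x, y in zip(first, second) if x == y) / total


def identify(first: List[Record], second: List[Record],
             reference_is_simulator: bool) -> str:
    """Apply the four rules: the user equipment is a terminal simulator when it
    matches a simulator reference or fails to match a real-device reference."""
    if len(first) <= MIN_INSTRUCTIONS:
        raise ValueError("too few virtualization instructions for a reliable result")
    matched = similarity(first, second) >= SIMILARITY_THRESHOLD
    if matched == reference_is_simulator:
        return "terminal simulator"
    return "actual terminal device"


# Constructed sample program (10 virtualization instructions).
PROGRAM = bytes([
    0xA0, 0, 0x12,  0xA0, 1, 0x34,  0xA1, 0, 1,  0xA2, 0, 1,  0xA0, 2, 0x26,
    0xA2, 0, 2,     0xA1, 2, 2,     0xA0, 3, 1,  0xA1, 3, 0,  0xA3, 0, 0,
])

if __name__ == "__main__":
    # Second instruction behavior information, known in advance for each reference.
    ref_device = run_vm(PROGRAM)
    ref_simulator = run_vm(PROGRAM, simulator_quirk=True)
    local = run_vm(PROGRAM, simulator_quirk=True)  # user equipment under test
    print(f"similarity to real-device reference: {similarity(local, ref_device):.0%}")
    print("vs real-device reference:", identify(local, ref_device, False))
    print("vs simulator reference:  ", identify(local, ref_simulator, True))
```

Comparing whole-state snapshots after every instruction means one divergent instruction also changes the records that follow it, which is why a single quirk drops the similarity well below the threshold here.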
Fig. 2 shows an apparatus for identifying a terminal simulator according to an embodiment of the present application, which includes a first module 11, a second module 12, and a third module 13. The first module 11 is configured to parse and execute one or more virtualization instructions through a virtual machine in the user equipment, where each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction; the second module 12 is configured to match first instruction behavior information of the virtualization instruction during its parsing and execution against second instruction behavior information of the virtualization instruction when it is parsed and executed on the reference device; and the third module 13 is configured to obtain device type information of the reference device, and to identify the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information.
The first module 11 is configured to parse and execute one or more virtualization instructions through a virtual machine in the user equipment, where each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on that machine instruction. In some embodiments, the virtual machine is a complete system with full hardware-system functionality running in a completely isolated environment. It can interpret and run bytecode, includes components such as a processor, registers, a stack, and a heap, and can be used as a separate module in a target application. The virtualization instructions are obtained by performing virtualization processing on machine instructions as the target application is installed on a user device. The machine instructions include, but are not limited to, instructions such as MOV, XOR, CMP, and RET in instruction sets such as arm, stem 32, and arm64. The virtualization processing includes, but is not limited to, replacing a machine instruction with a set of virtualization instructions in custom bytecode form, for example replacing the machine instruction MOV with the custom bytecode "0xa0". The virtualization instructions are interpreted and executed in the virtual machine, and this interpretation and execution at least comprises performing reverse virtualization processing on a virtualization instruction to obtain the corresponding machine instruction, and executing that machine instruction.
The second module 12 is configured to match first instruction behavior information of the virtualization instruction during its parsing and execution against second instruction behavior information of the virtualization instruction when it is parsed and executed on the reference device. In some embodiments, the instruction behavior information includes, but is not limited to, the execution result of the instruction, intermediate variables generated during execution of the instruction, and changes to the instruction execution environment (registers, stack, heap, and the like) during execution. The reference device may be a terminal simulator or an actual terminal device. The first instruction behavior information, produced while the virtualization instruction is interpreted and executed on the user equipment, is matched against the second instruction behavior information, produced while the virtualization instruction is interpreted and executed on the reference device; whether the two match is determined by checking whether the similarity between them is greater than or equal to a predetermined similarity threshold (e.g., 90%). The second instruction behavior information on the reference device is known: it can be stored in the user equipment in advance or requested from a corresponding server in real time.
The third module 13 is configured to obtain device type information of the reference device, and to identify the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information. In some embodiments, the device type information of the reference device indicates whether the reference device is a terminal simulator and, when it is, the type of architecture it uses (e.g., an arm architecture, an x86 architecture, etc.). If the device type information indicates that the reference device is a terminal simulator, and the similarity between the first instruction behavior information and the second instruction behavior information is greater than or equal to a predetermined similarity threshold (e.g., 90%), it may be determined that the first instruction behavior information matches the second instruction behavior information, thereby identifying the user equipment as a terminal simulator.
In some embodiments, the apparatus is further configured for at least any one of the following: if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information does not match the second instruction behavior information, identifying the user equipment as a terminal simulator; if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information does not match the second instruction behavior information, identifying the user equipment as an actual terminal device; and if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information matches the second instruction behavior information, identifying the user equipment as an actual terminal device. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
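The flow described for steps S11 and S12 and for modules 11 to 13, as an added sketch that is not code from the patent: a toy interpreter reverses the custom bytecode, records per-instruction behavior, and applies the similarity threshold and the four reference-device cases. Only the `0xa0` to MOV mapping comes from the text; the other opcode bytes, the operand layout, the `alu_xor` hook standing in for host-dependent behavior, the sample script, and the position-wise similarity metric are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# 0xa0 -> MOV is the page's example. The other opcode bytes and the operand
# layout (register index / immediate, one byte each) are constructed.
OPCODES = {0xA0: "MOV", 0xA1: "XOR", 0xA2: "CMP", 0xA3: "RET"}
OPERAND_BYTES = {"MOV": 2, "XOR": 2, "CMP": 2, "RET": 0}
NUM_REGS = 4


class BytecodeError(ValueError):
    """Raised for unknown opcodes, truncated operands or bad registers."""


def devirtualize(bytecode):
    """Reverse virtualization: custom bytecode -> [(mnemonic, operands)]."""
    decoded, pc = [], 0
    while pc < len(bytecode):
        opcode = bytecode[pc]
        if opcode not in OPCODES:
            raise BytecodeError(f"unknown opcode 0x{opcode:02x} at {pc}")
        name = OPCODES[opcode]
        width = OPERAND_BYTES[name]
        operands = tuple(bytecode[pc + 1:pc + 1 + width])
        if len(operands) != width:
            raise BytecodeError(f"truncated {name} at {pc}")
        decoded.append((name, operands))
        pc += 1 + width
    return decoded


def _reg(index):
    if index >= NUM_REGS:
        raise BytecodeError(f"register r{index} out of range")
    return index


def run(bytecode, alu_xor=lambda a, b: a ^ b):
    """Execute the decoded instructions and return the behavior trace.

    Each record holds the result, the register file and the zero flag after
    the instruction. alu_xor is a hypothetical stand-in for host-dependent
    behavior, so one script can produce two different device profiles.
    """
    regs, zero, trace = [0] * NUM_REGS, False, []
    for name, ops in devirtualize(bytecode):
        result = None
        if name == "MOV":                       # MOV rd, imm8
            regs[_reg(ops[0])] = result = ops[1]
        elif name == "XOR":                     # XOR rd, rs
            rd, rs = _reg(ops[0]), _reg(ops[1])
            regs[rd] = result = alu_xor(regs[rd], regs[rs]) & 0xFF
        elif name == "CMP":                     # CMP ra, rb sets the zero flag
            zero = result = (regs[_reg(ops[0])] == regs[_reg(ops[1])])
        trace.append((name, result, tuple(regs), zero))
        if name == "RET":
            break
    return trace


def similarity(first, second):
    """Share of positions with identical records (assumed metric)."""
    longest = max(len(first), len(second))
    if longest == 0:
        return 1.0
    return sum(a == b for a, b in zip(first, second)) / longest


@dataclass
class Reference:
    trace: list            # second instruction behavior information
    is_simulator: bool     # device type information of the reference device
    arch: Optional[str]    # e.g. "arm" or "x86"


def classify(first_trace, ref, threshold=0.90):
    """Apply the four reference-device cases; returns (verdict, arch)."""
    matched = similarity(first_trace, ref.trace) >= threshold
    if ref.is_simulator:
        return ("simulator", ref.arch) if matched else ("real", None)
    return ("real", None) if matched else ("simulator", None)


# Constructed script: MOV r0,0xf0; MOV r1,0x0f; XOR r0,r1; CMP r0,r1; RET
PROGRAM = bytes([0xA0, 0, 0xF0, 0xA0, 1, 0x0F, 0xA1, 0, 1, 0xA2, 0, 1, 0xA3])

if __name__ == "__main__":
    device = run(PROGRAM)
    quirky = run(PROGRAM, alu_xor=lambda a, b: (a ^ b) & 0x7F)
    print(classify(device, Reference(quirky, True, "x86")))
    print(classify(device, Reference(device, False, "arm")))
```

Because each record carries the register file, one divergent instruction also changes every later record, which is why a short script falls well below the 90% threshold after a single differing result.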
In some embodiments, the apparatus further comprises a fourth module 14 (not shown), configured to determine the device type information of the terminal simulator according to the device type information of the reference device. The specific implementation of the fourth module 14 is the same as or similar to the embodiment related to step S14 in Fig. 1; it is not described again and is incorporated herein by reference.
In some embodiments, the third module 13 is configured to: obtain the device type information of the reference device, and identify the user equipment as a terminal simulator based on the Intel architecture if the device type information indicates that the reference device is a terminal simulator based on the Intel architecture and the first instruction behavior information matches the second instruction behavior information. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
In some embodiments, the apparatus further includes a fourth module 14 (not shown), configured to send the detection result to the network device if the user equipment is a terminal simulator, so that the network device marks one or more device behaviors corresponding to the user equipment. The specific implementation of the fourth module 14 is the same as or similar to the embodiment related to step S14 in Fig. 1; it is not described again and is incorporated herein by reference.
In some embodiments, the virtual machine is located in a target application on the user equipment, and the apparatus further comprises a fifth module 15 (not shown), configured to disable one or more functions in the target application if the user equipment is a terminal simulator. The specific implementation of the fifth module 15 is the same as or similar to the embodiment related to step S15 in Fig. 1; it is not described again and is incorporated herein by reference.
In some embodiments, the first module 11 is configured to: parse and execute one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on that machine instruction, and the number of virtualization instructions meets a preset number threshold. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
In some embodiments, the virtual machine is located in a target application on the user equipment, and the first module 11 is configured to: in response to an installation completion event of the target application, parse and execute one or more virtualization instructions through the virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on that machine instruction. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
In some embodiments, the virtual machine is located in a target application, and the first module 11 is configured to: in response to an update completion event of the target application, parse and execute one or more virtualization instructions through the virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on that machine instruction. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
In some embodiments, parsing and executing one or more virtualization instructions through the virtual machine in the user equipment comprises: performing reverse virtualization processing on the one or more virtualization instructions through the virtual machine in the user equipment, interpreting them to obtain the one or more machine instructions corresponding to the virtualization instructions; and executing the machine instructions by the virtual machine. The second module 12 is then configured to: match first instruction behavior information of the machine instruction during its execution against second instruction behavior information of the virtualization instruction when it is parsed and executed on the reference device. The related operations are the same as or similar to those of the embodiment shown in Fig. 1; they are not described again and are incorporated herein by reference.
FIG. 3 illustrates an exemplary system that can be used to implement the various embodiments described in this application.
In some embodiments, as illustrated in FIG. 3, the system 300 can be implemented as any of the devices in the various embodiments described. In some embodiments, system 300 may include one or more computer-readable media (e.g., system memory or NVM/storage 320) having instructions and one or more processors (e.g., processor(s) 305) coupled with the one or more computer-readable media and configured to execute the instructions to implement modules to perform the actions described herein.
For one embodiment, system control module 310 may include any suitable interface controllers to provide any suitable interface to at least one of processor(s) 305 and/or any suitable device or component in communication with system control module 310.
The system control module 310 may include a memory controller module 330 to provide an interface to the system memory 315. Memory controller module 330 may be a hardware module, a software module, and/or a firmware module.
System memory 315 may be used, for example, to load and store data and/or instructions for system 300. For one embodiment, system memory 315 may include any suitable volatile memory, such as suitable DRAM. In some embodiments, the system memory 315 may include a double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
For one embodiment, system control module 310 may include one or more input/output (I/O) controllers to provide an interface to NVM/storage 320 and communication interface(s) 325.
For example, NVM/storage 320 may be used to store data and/or instructions. NVM/storage 320 may include any suitable non-volatile memory (e.g., flash memory) and/or may include any suitable non-volatile storage device(s) (e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives).
NVM/storage 320 may include storage resources that are physically part of the device on which system 300 is installed or may be accessed by the device and not necessarily part of the device. For example, NVM/storage 320 may be accessible over a network via communication interface(s) 325.
Communication interface(s) 325 may provide an interface for system 300 to communicate over one or more networks and/or with any other suitable device. System 300 may wirelessly communicate with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols.
For one embodiment, at least one of the processor(s) 305 may be packaged together with logic for one or more controller(s) (e.g., memory controller module 330) of the system control module 310. For one embodiment, at least one of the processor(s) 305 may be packaged together with logic for one or more controller(s) of the system control module 310 to form a System In Package (SiP). For one embodiment, at least one of the processor(s) 305 may be integrated on the same die with logic for one or more controller(s) of the system control module 310. For one embodiment, at least one of the processor(s) 305 may be integrated on the same die with logic for one or more controller(s) of the system control module 310 to form a system on a chip (SoC).
In various embodiments, system 300 may be, but is not limited to being: a server, a workstation, a desktop computing device, or a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.). In various embodiments, system 300 may have more or fewer components and/or different architectures. For example, in some embodiments, system 300 includes one or more cameras, a keyboard, a Liquid Crystal Display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and speakers.
The present application also provides a computer readable storage medium having stored thereon computer code which, when executed, performs a method as in any one of the preceding.
The present application also provides a computer program product, which when executed by a computer device, performs the method of any of the preceding claims.
The present application further provides a computer device, comprising:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any preceding claim.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, some of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Those skilled in the art will appreciate that the form in which the computer program instructions reside on a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and that the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Computer-readable media herein can be any available computer-readable storage media or communication media that can be accessed by a computer.
Communication media includes media by which communication signals, including, for example, computer readable instructions, data structures, program modules, or other data, are transmitted from one system to another. Communication media may include conductive transmission media such as cables and wires (e.g., fiber optics, coaxial, etc.) and wireless (non-conductive transmission) media capable of propagating energy waves such as acoustic, electromagnetic, RF, microwave, and infrared. Computer readable instructions, data structures, program modules, or other data may be embodied in a modulated data signal, for example, in a wireless medium such as a carrier wave or similar mechanism such as is embodied as part of spread spectrum techniques. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. The modulation may be analog, digital or hybrid modulation techniques.
By way of example, and not limitation, computer-readable storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable storage media include, but are not limited to, volatile memory such as random access memory (RAM, DRAM, SRAM); non-volatile memory such as flash memory, various read-only memories (ROM, PROM, EPROM, EEPROM), and magnetic and ferromagnetic/ferroelectric memories (MRAM, FeRAM); magnetic and optical storage devices (hard disk, tape, CD, DVD); and other media, now known or later developed, that can store computer-readable information/data for use by a computer system.
An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (12)

1. A method for identifying a terminal simulator, applied to user equipment, wherein the method comprises the following steps:
parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on the machine instruction, and the virtualization processing comprises replacing the machine instruction with a set of virtualization instructions in custom bytecode form;
matching first instruction behavior information of the virtualization instruction during its parsing and execution against second instruction behavior information of the virtualization instruction on a reference device, wherein the parsing and execution comprises performing reverse virtualization processing on the virtualization instruction to obtain the machine instruction corresponding to the virtualization instruction, and executing the machine instruction;
obtaining device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information;
wherein the first instruction behavior information or the second instruction behavior information comprises at least one of:
an instruction execution result;
intermediate variables generated during instruction execution;
a change in the instruction execution environment during instruction execution.
2. The method of claim 1, wherein the method further comprises at least any one of:
if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information is mismatched with the second instruction behavior information, identifying the user device as a terminal simulator;
if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information is mismatched with the second instruction behavior information, identifying the user device as an actual terminal device;
and if the device type information indicates that the reference device is an actual terminal device and the first instruction behavior information is matched with the second instruction behavior information, identifying that the user device is the actual terminal device.
3. The method of claim 1, wherein the method further comprises:
determining device type information of the terminal simulator according to the device type information of the reference device.
4. The method of claim 1, wherein the obtaining the device type information of the reference device, and identifying the user equipment as a terminal simulator if the device type information indicates that the reference device is a terminal simulator and the first instruction behavior information matches the second instruction behavior information, comprises:
obtaining the device type information of the reference device, and identifying the user equipment as a terminal simulator based on the Intel architecture if the device type information indicates that the reference device is a terminal simulator based on the Intel architecture and the first instruction behavior information matches the second instruction behavior information.
5. The method of claim 1, wherein the method further comprises:
if the user equipment is a terminal simulator, sending a detection result to a network device so that the network device marks one or more device behaviors corresponding to the user equipment.
6. The method of claim 1, wherein the virtual machine is located in a target application on the user equipment;
wherein the method further comprises:
if the user equipment is a terminal simulator, disabling one or more functions in the target application.
7. The method of claim 1, wherein the parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on the machine instruction, comprises:
parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on the machine instruction, and the number of the virtualization instructions meets a preset number threshold.
8. The method of claim 1, wherein the virtual machine is located in a target application on the user equipment;
the parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on the machine instruction, comprises:
in response to an installation completion event of the target application, parsing and executing one or more virtualization instructions through the virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on the machine instruction.
9. The method of claim 1, wherein the virtual machine is located in a target application;
the parsing and executing one or more virtualization instructions through a virtual machine in the user equipment, wherein each virtualization instruction corresponds to a machine instruction and is obtained by performing virtualization processing on the machine instruction, comprises:
in response to an update completion event of the target application, parsing and executing one or more virtualization instructions through the virtual machine in the user equipment, wherein each virtualization instruction corresponds to one machine instruction and is obtained by performing virtualization processing on the machine instruction.
10. The method of claim 8 or 9, wherein the parsing and executing one or more virtualization instructions through the virtual machine in the user equipment comprises:
performing reverse virtualization processing on the one or more virtualization instructions through the virtual machine in the user equipment, and interpreting them to obtain the one or more machine instructions corresponding to the virtualization instructions;
executing, by the virtual machine, the machine instructions;
wherein the matching of the first instruction behavior information of the virtualization instruction during its parsing and execution against the second instruction behavior information of the virtualization instruction on the reference device comprises:
matching first instruction behavior information of the machine instruction during its execution against second instruction behavior information of the virtualization instruction when it is parsed and executed on the reference device.
11. An apparatus for identifying a terminal simulator, wherein the apparatus comprises:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the operations of the method of any of claims 1 to 10.
12. A computer-readable medium storing instructions that, when executed, cause a system to perform the operations of any of the methods of claims 1-10.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910774713.6A | 2019-08-21 | 2019-08-21 | Method and equipment for identifying terminal simulator |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN110516447A | 2019-11-29 |
| CN110516447B | 2022-02-11 |

Family

ID=68627085


Country Status (1)

Country Link
CN (1) CN110516447B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112379967B (en) * 2020-11-12 2023-11-03 抖音视界有限公司 Simulator detection method, device, equipment and medium
CN112559328A (en) * 2020-12-04 2021-03-26 北京字节跳动网络技术有限公司 Method, device, equipment and medium for judging instruction simulation engine
CN113282304B (en) * 2021-05-14 2022-04-29 杭州云深科技有限公司 System for identifying virtual machine based on app installation list
CN114706630A (en) * 2022-04-14 2022-07-05 上海上讯信息技术股份有限公司 Method and system for identifying simulator based on file format

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102254120A (en) * 2011-08-09 2011-11-23 成都市华为赛门铁克科技有限公司 Method, system and relevant device for detecting malicious codes
CN103902910A (en) * 2013-12-30 2014-07-02 北京奇虎科技有限公司 Method and device for detecting malicious codes in intelligent terminal
CN107704760A (en) * 2017-09-30 2018-02-16 北京梆梆安全科技有限公司 A kind of simulator detection method, device and equipment based on bottom instruction

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10410492B2 (en) * 2017-09-18 2019-09-10 Comcast Cable Communications, Llc Automatic presence simulator for security systems
CN107908952B (en) * 2017-10-25 2021-04-02 阿里巴巴(中国)有限公司 Method and device for identifying real machine and simulator and terminal
CN109948308A (en) * 2019-03-13 2019-06-28 智者四海(北京)技术有限公司 Code security guard method, device, electronic equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN110516447A (en) 2019-11-29

Similar Documents

Publication Publication Date Title
CN110516447B (en) Method and equipment for identifying terminal simulator
KR102324336B1 (en) User device and integrity verification method for the same
US10102373B2 (en) Method and apparatus for capturing operation in a container-based virtualization system
CN104137076A (en) Validation of applications for graphics processing unit
CN110290557B (en) Method and equipment for loading page tags in application
US20230035104A1 (en) Verification method, apparatus and device, and storage medium
CN110597597B (en) Method, system, device and storage medium for virtualization of hardware
US10482034B2 (en) Remote attestation model for secure memory applications
CN110286920B (en) Method and device for installing application
US20160092313A1 (en) Application Copy Counting Using Snapshot Backups For Licensing
CN113868174B (en) Verification platform building method and device and storage medium
CN111796731B (en) Method and equipment for automatically arranging icons
US20170337112A1 (en) Code update based on detection of change in runtime code during debugging
Zhao et al. Semantic-informed driver fuzzing without both the hardware devices and the emulators
CN110941437A (en) Method and equipment for installing application
CN107861795B (en) Method, system and device for simulating physical TCM chip and readable storage medium
CN112486496A (en) Method and equipment for generating and operating so file
CN111079039B (en) Method and equipment for collecting books
CN114153535A (en) Method, apparatus, medium, and program product for jumping pages on an open screen page
CN114296651A (en) Method and equipment for storing user-defined data information
CN113438273A (en) User-level simulation method and device for application program in Internet of things equipment
US10747644B2 (en) Method of executing instructions of core, method of debugging core system, and core system
CN114363893B (en) Method and equipment for determining hotspot sharing password failure
CN103914650A (en) Method and device for virus detection
CN115048289A (en) Method, equipment and medium for testing letter template

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant