Detailed description of the embodiments
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It should be noted that, if not conflicted, the various features of the embodiments of the invention may be combined with each other within the scope of protection of the invention. Additionally, while functional block divisions are performed in the device diagrams, with logical sequences shown in the flowcharts, in some cases, the steps shown or described may be performed in a different order than the block divisions in the device diagrams, or the flowcharts.
Referring to fig. 1, fig. 1 is a schematic diagram of an implementation environment of a method for detecting an ELF file according to an embodiment of the present invention. The implementation environment includes a server 100 and a terminal 200.
The server 100 is an application server, and is configured to receive an application program issued by an application developer, and store and issue the application program. In this embodiment, the server 100 may generate an ELF file including security information such as a digital signature, which is mainly to embed the security information such as the digital signature of the original ELF file in the header table of the ELF file.
The terminal 200 may be a smart phone, a tablet computer, a personal computer, etc.; the present embodiment does not specifically limit the product form of the terminal 200. Various application programs, such as a video playing application, a social networking application, a shopping application, a navigation application, etc., are installed in the terminal 200. In this embodiment, after acquiring the ELF file including the security information such as the digital signature from the server 100, the terminal 200 verifies the ELF file, and the verification is performed mainly according to the security information such as the digital signature contained in the ELF file.
In this embodiment, the server 100 and the terminal 200 may also perform self-check on the ELF file, and the self-check is performed mainly according to the ELF file including security information such as a digital signature.
The server 100 and the terminal 200 may communicate with each other through a wired network or a wireless network.
For a better understanding of the embodiments of the present invention, the ELF file will be described below.
ELF files mainly include three types of object files: (1) a relocatable file, which primarily stores code and related data to be combined with other object files to create an executable file or a shared object file, e.g., files suffixed with .a and .o in Linux systems; (2) an executable file, which mainly stores a program capable of being executed; (3) a shared object file, which may also be referred to as a shared library, and primarily holds code and related data for linking.
The format of the executable ELF file may be as follows, and mainly includes a header format of an ELF file of a 32-bit system and a header format of an ELF file of a 64-bit system.
Header of 32-bit system:
Header of 64-bit system:
Referring to fig. 2A and 2B, the ELF file mainly includes the following four parts: (1) an ELF header 10 for indicating organization information of the ELF file, such as version information, the type of the object file, the offset of the program header table, the offset of the section header table, the machine architecture, the processor architecture (which may also be referred to as the instruction set), the number of sections, and the like; (2) a program header table 11 for indicating how to create the process image; (3) sections 12 or segments 13, which provide the various items of information of the object file, such as instructions, data, the symbol table, the string table, the hash table, relocation information, and the like, where a segment consists of one or more sections; (4) a section header table 14 for indicating information of each section in the ELF file, such as the entry of the section, the name of the section, the type of the section, the size of the section, the number of sections, and the like.
Specifically, for example, referring to fig. 2C, a schematic diagram of an ELF file is provided, where the ELF file includes an ELF file header, an ELF section header table, and a section header table string table, and shows an offset of the ELF file header and an offset of the ELF section header table, where the section header table includes the section header string table. The ELF file format is specifically an ELF file format of a 64-bit system, and the file structure is as follows:
Next, a method for detecting an ELF file according to an embodiment of the present invention will be described.
Referring to fig. 3, fig. 3 is an interaction diagram of a method for detecting an ELF file according to an embodiment of the present invention, where the method is applied to the server 100 and the terminal 200.
Specifically, as shown in fig. 3, the method includes:
S11, the server generates a first ELF file containing a target storage space, and the target storage space stores first verification information.
The first verification information may be a digital signature, and the first verification information may also be information such as a website, a unique identification code, and the like, other than the digital signature.
The first ELF file refers to an original ELF file containing the first verification information, and the first ELF file is obtained by adding the first verification information into the original ELF file. Specifically, as shown in fig. 4, the generating, by the server, the first ELF file including the target storage space specifically includes:
S111, generating a second ELF file containing a target storage space, wherein the target storage space stores a default value.
In this embodiment, the process of generating the second ELF file including the target storage space includes: adding a preset code into the source code corresponding to the original ELF file, and compiling the source code containing the preset code with a compiler to obtain the second ELF file. The second ELF file then has a special section whose contents are the default value. The default value may be represented by placeholders of different lengths; for example, when the MD5 digest algorithm is adopted, the default value may be set as 000000000000000000000000, and the length of the placeholder may differ when other algorithms are used. The special section and its corresponding default value form the target storage space, which is used for storing either the default value or the first check information.
The preset code may be, for example, the following C declaration, which places a placeholder string in a dedicated section named .SO_SIGN:
volatile const static __attribute__((unused, section(".SO_SIGN"))) char SO_SIGN[] = "00000000000000000000000000000000"; // default value, placeholder
S112, generating first verification information of the second ELF file.
The first verification information of the second ELF file may be generated according to a preset algorithm (such as MD5, SHA1, HMAC, etc.). The first verification information may specifically be a digital signature, that is, a digital signature is generated for the second ELF file including the target storage space according to a digest algorithm. Assuming that the digest algorithm is MD5, generating a digital signature for the second ELF file using MD5 includes generating a digest of the second ELF file with the MD5 algorithm and encrypting the digest with a private key to produce the digital signature. The detailed process can refer to the prior art and is not described herein.
S113, writing the first verification information into the target storage space and replacing the default value to generate a first ELF file.
In this embodiment, the second ELF file including the target storage space may be modified by a preset first independent program, which mainly replaces the default value of the special section with the first verification information, so as to obtain a new ELF file, that is, the first ELF file. The first independent program is a proprietary program preset by a developer; it parses and searches the second ELF file to acquire the position and the corresponding value of the special section, and it also has the ability to modify the ELF file, for example, to change the default value corresponding to the special section in the second ELF file.
As shown in fig. 5, the writing the first check information into the target storage space and replacing the default value to generate a first ELF file includes:
S1131, parsing the file structure of the second ELF file to obtain the offset of the section header table of the second ELF file, the number of entries in the section header table and the section header string table, wherein the section header table comprises the section header string table;
S1132, traversing the sections in the section header table of the second ELF file according to the offset of the section header table of the second ELF file to find the target storage space in the section header string table of the second ELF file;
S1133, writing the first verification information into the target storage space and replacing the default value in the target storage space to generate the first ELF file.
In this embodiment, first, the position of the section header table in the second ELF file is determined according to the offset of the section header table of the second ELF file; then, after the position of the section header table is determined, the section header string table within it is traversed to find the string that matches the name of the target storage space (the target storage space can be named by a string); the section corresponding to that string is determined, and the position of the section's value is then determined, this position being the target storage space. After the target storage space is found, the default value is replaced with the first verification information so as to obtain the first ELF file.
For example, assume that the first check information is SIGN, the target storage space is named SO_SIGN, the corresponding section is section, and the default value is value. As shown in fig. 2C, when generating the first ELF file, the offset e_shoff of the section header table is first obtained, and the position of the section header table is determined according to e_shoff; the section header table comprises the section header string table, which contains a plurality of strings, namely the names of all sections. The section header string table is traversed to find the string named SO_SIGN, the section corresponding to that string is found, and the position of the section, namely the target storage space, is acquired. Finally, value is replaced with SIGN to obtain the first ELF file.
S12, the server sends the first ELF file to the terminal.
The server can send the first ELF file to the terminal in a wireless or wired communication mode.
S13, the terminal replaces the first verification information stored in the target storage space with a default value to generate a second ELF file.
As shown in fig. 6, the replacing the first verification information in the target storage space with a default value to generate a second ELF file includes:
S131, parsing the file structure of the first ELF file to obtain the offset of the section header table of the first ELF file, the number of entries in the section header table and the section header string table, wherein the section header table comprises the section header string table;
S132, traversing the sections in the section header table of the first ELF file according to the offset of the section header table of the first ELF file to determine the target storage space in the section header string table of the first ELF file;
S133, modifying the first verification information in the target storage space to the default value to generate the second ELF file.
The essence of generating the second ELF file from the first ELF file is to replace the first verification information in the first ELF file with the default value, so as to obtain the ELF file containing the default value, that is, the second ELF file. The file structure of the first ELF file can be parsed by a second independent program. The second independent program is also a proprietary program preset by the developer; it parses and searches the first ELF file to obtain the position and the corresponding value of the special section, and it also has the functions of generating verification information and comparing verification information.
The specific process of S131 to S133 may refer to the process of replacing the default value with the first verification information.
The first independent program and the second independent program may be two functions of one independent program, or two functions corresponding to the two independent programs.
S14, the terminal generates second check information of the second ELF file, and checks the integrity of the first ELF file according to the first check information and the second check information.
Generating the second check information of the second ELF file comprises: applying a digest algorithm (such as MD5, SHA1, HMAC, etc.) to the second ELF file through the second independent program to obtain ciphertext information of the second ELF file, wherein the ciphertext information is the second check information.
For example, suppose the MD5 algorithm is used to generate the first check information of the second ELF file and the first check information is a digital signature. The server sends the second ELF file itself together with the digest corresponding to the first check information to the terminal; the terminal generates a new digest of the received second ELF file with the MD5 algorithm, which is the second check information; the terminal can then determine whether the ELF file has been tampered with by comparing the first check information and the second check information.
Wherein the detecting the integrity of the first ELF file according to the first check information and the second check information includes:
Judging whether the first check information and the second check information are the same, namely comparing whether the first check information and the second check information are completely consistent.
If the first check information is the same as the second check information, the first ELF file is complete. If the first check information and the second check information are not the same, the ELF file is incomplete, that is, the ELF file may have been tampered with.
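The following Python program is an added worked example and is not code from the patent or from any product it describes. It constructs a minimal little-endian ELF64 image in memory with a .SO_SIGN section holding the placeholder (the second ELF file of S111), then implements the server-side steps S112 and S113 (compute the check information over the placeholder image and write it into the section) and the terminal-side steps S13 and S14 (read the stored check information, reset the field to the default value, recompute, compare). The section lookup follows S1131/S1132: read e_shoff, e_shnum and e_shstrndx from the ELF header, walk the section header table, and match the name against the section header string table. Assumptions: the sample image, the key and the function names are constructed for this example; HMAC-SHA256 with a key stands in for the page's digest-encrypted-with-private-key signature, so the placeholder is 64 characters instead of the 32 the page uses for MD5. The same functions applied to a copy of the running file give the self-check of S17.

```python
import hmac
import struct

# Added example, not code from the patent. Little-endian ELF64 layouts follow the System V ABI.
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr (64 bytes): e_shoff is field 6, e_shentsize 11, e_shnum 12, e_shstrndx 13
SHDR_FMT = "<IIQQQQIIQQ"         # Elf64_Shdr (64 bytes): sh_name is field 0, sh_offset 4, sh_size 5
SHT_PROGBITS, SHT_STRTAB = 1, 3
SECTION_NAME = b".SO_SIGN"       # section name used by the page's preset code
DEFAULT_VALUE = b"0" * 64        # placeholder sized for an HMAC-SHA256 hex tag (the page uses 32 zeros for MD5)


def build_sample_elf(text=b"\x90" * 16):
    """Constructed sample: a minimal ELF64 image with .text, .SO_SIGN (holding the
    placeholder) and .shstrtab, i.e. the 'second ELF file' a compiler would produce."""
    shstrtab = b"\0.text\0.SO_SIGN\0.shstrtab\0"   # name offsets: .text=1, .SO_SIGN=7, .shstrtab=16
    text_off = 64                                  # contents start right after the ELF header
    sign_off = text_off + len(text)
    str_off = sign_off + len(DEFAULT_VALUE)
    shoff = str_off + len(shstrtab)                # section header table goes last
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8        # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)  # ET_DYN, EM_X86_64

    def shdr(name, typ, off, size):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, 0, 0, 1, 0)

    shdrs = (shdr(0, 0, 0, 0)
             + shdr(1, SHT_PROGBITS, text_off, len(text))
             + shdr(7, SHT_PROGBITS, sign_off, len(DEFAULT_VALUE))
             + shdr(16, SHT_STRTAB, str_off, len(shstrtab)))
    return ehdr + text + DEFAULT_VALUE + shstrtab + shdrs


def find_section(elf, wanted):
    """S1131/S1132 (and S131/S132): read e_shoff, e_shnum and e_shstrndx from the ELF
    header, walk the section header table and match each name against .shstrtab.
    Returns (file offset, size) of the section contents."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    if shnum == 0 or shstrndx >= shnum or shoff + shnum * shentsize > len(elf):
        raise ValueError("section header table missing or out of bounds")

    def shdr_at(i):
        return struct.unpack_from(SHDR_FMT, elf, shoff + i * shentsize)

    str_hdr = shdr_at(shstrndx)
    strtab = elf[str_hdr[4]:str_hdr[4] + str_hdr[5]]
    for i in range(shnum):
        sh = shdr_at(i)
        end = strtab.find(b"\0", sh[0])
        if strtab[sh[0]:end if end >= 0 else None] != wanted:
            continue
        if sh[4] + sh[5] > len(elf):            # untrusted input: the section must fit inside the file
            raise ValueError("section extends past end of file")
        return sh[4], sh[5]
    raise KeyError(wanted)


def read_sign_field(elf):
    off, size = find_section(elf, SECTION_NAME)
    return elf[off:off + size]


def write_sign_field(elf, value):
    """Overwrite the .SO_SIGN contents; the new value must fill the reserved space exactly."""
    off, size = find_section(elf, SECTION_NAME)
    if len(value) != size:
        raise ValueError(f"value is {len(value)} bytes but the section holds {size}")
    return elf[:off] + value + elf[off + size:]


def compute_check(elf, key):
    """Check information over the image with the field reset to the placeholder (S112, S14).
    HMAC-SHA256 with a key stands in for the page's digest-plus-private-key signature."""
    neutral = write_sign_field(elf, DEFAULT_VALUE)
    return hmac.new(key, neutral, "sha256").hexdigest().encode()


def embed_check(second_elf, key):
    """Server side, S112/S113: produce the 'first ELF file' carrying its own check information."""
    return write_sign_field(second_elf, compute_check(second_elf, key))


def verify_elf(first_elf, key):
    """Terminal side, S13/S14: compute_check rebuilds the 'second ELF file' with the default
    value, and the stored and recomputed information are compared in constant time.
    first_elf itself is never modified, which is what S15 restores to."""
    stored = read_sign_field(first_elf)
    if stored == DEFAULT_VALUE:
        return False                            # never signed: treat as incomplete
    return hmac.compare_digest(stored, compute_check(first_elf, key))


if __name__ == "__main__":
    key = b"constructed-demo-key"               # constructed for the example
    signed = embed_check(build_sample_elf(), key)
    print("intact  :", verify_elf(signed, key))
    tampered = bytearray(signed)
    tampered[64] ^= 0x01                        # flip one byte of .text
    print("tampered:", verify_elf(bytes(tampered), key))
```

Two points the code makes visible: the check information must be computed with the field already at its default value, because the field is inside the data being hashed; and because an HMAC verifier holds the same key as the signer, any party holding the terminal's key could re-sign a modified file, which is why the page's asymmetric signature (private key on the server, public key on the terminal) is the stronger form of the first verification information.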
Referring to fig. 3 as well, when detecting that the first ELF file is complete, the terminal is further configured to execute the following step S15; when detecting that the first ELF file is incomplete, the terminal is further configured to perform step S16 described below.
S15, the terminal modifies the default value in the target storage space into the first verification information so as to restore the second ELF file to the first ELF file.
S16, deleting the second ELF file and exiting the program.
When the first ELF file is not complete, the method further comprises sending prompt information to the server, so that the tampered ELF file is prevented from affecting the security of the user.
The above process is a process of verifying the first ELF file after the terminal receives the first ELF file, and the process solves the problem of how to judge that the code segment in the ELF file is modified after the ELF file is downloaded or upgraded. By the method, the security of the ELF file is improved, and unnecessary downloading is reduced.
Since the ELF file carries a digital signature, the ELF file has a self-checking function. The ELF file self-checking process may be implemented on the server or the terminal.
Therefore, in some embodiments, referring also to fig. 3, when detecting that the first ELF file is complete, the terminal is further configured to perform step S17 described below.
S17, after the first ELF file is run, performing a self-check through the running first ELF file to recheck the integrity of the first ELF file.
As shown in fig. 7, the self-checking by the first ELF file includes:
S171, copying the first ELF file to generate a third ELF file;
S172, parsing the third ELF file through the running first ELF file to obtain the offset of the section header table of the third ELF file, the number of entries in the section header table and the section header string table;
S173, traversing the sections in the section header table of the third ELF file through the running first ELF file according to the offset of the section header table of the third ELF file to obtain the target storage space of the third ELF file and the third verification information stored in the target storage space of the third ELF file;
the detailed process of obtaining the target storage space of the third ELF file and the third verification information may refer to the above method embodiment.
S174, modifying the third verification information into a default value of the third ELF file to generate a fourth ELF file;
The default value of the third ELF file is also the default value of the first ELF file, and may be the same as the default value in the above embodiment. For example, when the MD5 digest algorithm is used, the default value may be set as 000000000000000000000000, and the length of the placeholder may differ when other algorithms are used.
S175, generating fourth verification information of the fourth ELF file through the running first ELF file;
For example, a digest algorithm (such as MD5, SHA1, HMAC, etc.) may be applied to the fourth ELF file by the running first ELF file to obtain ciphertext information of the fourth ELF file, where the ciphertext information is the fourth check information.
S176, comparing the third verification information with the fourth verification information through the running first ELF file, if the third verification information is the same as the fourth verification information, determining that the first ELF file is complete, and if not, determining that the first ELF file is incomplete.
S177, deleting the third ELF file after the first ELF file is determined to be complete.
In this embodiment, the first ELF file includes the verification logic of the second independent program, and therefore, the self-verification process of the first ELF file can be implemented by running the first ELF file.
In the embodiment of the invention, the ELF file has a verification function, so that the ELF file can be prevented from being maliciously modified after being downloaded and verified successfully, and the safety of the ELF file is further improved.
It should be noted that, the above-mentioned process of performing self-check on the first ELF file may also be performed at the server side, and specifically, please refer to fig. 3 as well, the method further includes:
S18, the terminal sends a confirmation instruction that the first ELF file is a complete ELF file to the server.
The terminal can send a confirmation instruction that the first ELF file is a complete ELF file to the server in a wired or wireless mode.
S19, the server receives the confirmation instruction, runs the first ELF file, and performs self-checking through the running first ELF file to recheck the integrity of the first ELF file.
For a detailed process of the server performing self-checking through the running first ELF file, reference may be made to the above S171 to S177, which is not described herein again.
Referring to fig. 8, fig. 8 is a schematic structural diagram of an apparatus for detecting an ELF file according to an embodiment of the present invention, and as shown in fig. 8, the apparatus 40 may be applied to the terminal. The apparatus 40 comprises: a first obtaining module 41, a first generating module 42, a second obtaining module 43, and a detecting module 44.
The first obtaining module 41 is configured to obtain a first ELF file including a target storage space, where first verification information is stored in the target storage space; the first generating module 42 is configured to replace the first verification information stored in the target storage space with a default value to generate a second ELF file; the second obtaining module 43 is configured to generate second check-up information of the second ELF file; the detecting module 44 is configured to check integrity of the first ELF file according to the first check information and the second check information.
The first generating module 42 includes a parsing unit 421, an obtaining unit 422, and a processing unit 423. The parsing unit 421 is configured to parse the file structure of the first ELF file to obtain the offset of the section header table of the first ELF file, the number of entries in the section header table, and the section header string table, where the section header table includes the section header string table; the obtaining unit 422 is configured to traverse the sections in the section header table of the first ELF file according to the offset of the section header table of the first ELF file, so as to determine the target storage space in the section header string table of the first ELF file; the processing unit 423 is configured to modify the first check information in the target storage space to the default value, so as to generate the second ELF file.
The detection module 44 is specifically configured to: judge whether the first check information and the second check information are the same; if so, the first ELF file is complete; and if not, the first ELF file is incomplete.
Optionally, the detection module 44 is further configured to: when the first ELF file is complete, the default value in the target storage space is modified into the first verification information, so that the second ELF file is restored to the first ELF file; and when the first ELF file is not complete, deleting the second ELF file and quitting the program, or sending prompt information.
In some embodiments, referring to fig. 8 as well, the apparatus 40 further includes a self-checking module 45, where the self-checking module 45 is configured to perform a self-check on the first ELF file after the first ELF file is run, when the first ELF file has been determined to be complete, so as to re-verify the integrity of the first ELF file. The self-checking module 45 is specifically configured to: perform the self-check according to the first ELF file when the program is started, so as to detect the integrity of the ELF file; or perform the self-check according to the first ELF file periodically, so as to detect the integrity of the ELF file.
The self-checking module 45 is further specifically configured to:
copying the first ELF file to generate a third ELF file;
parsing the third ELF file through the running first ELF file to obtain the offset of the section header table, the number of entries in the section header table and the section header string table of the third ELF file;
traversing the sections in the section header table of the third ELF file through the running first ELF file according to the offset of the section header table of the third ELF file, to acquire the target storage space of the third ELF file and the third verification information stored in the target storage space of the third ELF file;
modifying the third verification information into a default value of the third ELF file to generate a fourth ELF file;
generating fourth verification information of the fourth ELF file through the running first ELF file;
comparing the third verification information with the fourth verification information through the running first ELF file, if the third verification information is the same as the fourth verification information, determining that the first ELF file is complete, otherwise, determining that the first ELF file is incomplete;
and deleting the third ELF file after the first ELF file is determined to be complete.
It should be noted that the apparatus for detecting an ELF file provided in this embodiment can execute the method for detecting an ELF file provided in the foregoing embodiment, and has corresponding functional modules and beneficial effects of the execution method. Technical details that are not described in detail in the embodiment of the apparatus for detecting an ELF file may be referred to a method for detecting an ELF file provided in the embodiment of the present invention.
Referring to fig. 9, fig. 9 is a schematic structural diagram of an apparatus for detecting an ELF file according to an embodiment of the present invention, and as shown in fig. 9, the apparatus 50 may be applied to the server. The apparatus 50 comprises: a first generation module 51, a verification information generation module 52 and a second generation module 52.
The first generating module 51 is configured to generate a second ELF file including a target storage space, where the target storage space stores a default value; the verification information generating module 52 is configured to generate first verification information of the second ELF file; the second generating module 52 is configured to write the first verification information into the target storage space and replace the default value, so as to generate a first ELF file.
The second generating module 52 is specifically configured to:
parsing the file structure of the second ELF file to obtain the offset of the section header table of the second ELF file, the number of entries in the section header table and the section header string table, wherein the section header table comprises the section header string table;
traversing the sections in the section header table of the second ELF file according to the offset of the section header table of the second ELF file to find the target storage space in the section header string table of the second ELF file;
writing the first check information into the target storage space and replacing the default value in the target storage space to generate the first ELF file.
It should be noted that the apparatus for detecting an ELF file provided in this embodiment can execute the method for detecting an ELF file provided in the foregoing embodiment, and has corresponding functional modules and beneficial effects of the execution method. Technical details that are not described in detail in the embodiment of the apparatus for detecting an ELF file may be referred to a method for detecting an ELF file provided in the embodiment of the present invention.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an electronic device 60 according to an embodiment of the present invention, where the electronic device 60 may be used to execute the method for detecting an ELF file as described above, and as shown in fig. 10, the electronic device 60 includes:
one or more processors 61 and a memory 62; fig. 10 takes one processor 61 as an example.
The processor 61 and the memory 62 may be connected by a bus or other means, and fig. 10 illustrates the connection by a bus as an example.
The memory 62, which is a non-volatile computer-readable storage medium, may be used for storing non-volatile software programs, non-volatile computer-executable programs, and modules, such as program instructions/modules (e.g., the respective modules shown in fig. 8 and 9) corresponding to the method for detecting ELF files in the embodiment of the present invention. The processor 61 executes various functional applications and data processing of the apparatus for detecting ELF files, that is, implements the method for detecting ELF files of the above-described method embodiments, by executing the nonvolatile software programs, instructions, and modules stored in the memory 62.
The memory 62 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a device that detects an ELF file, and the like. Further, the memory 62 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some embodiments, the memory 62 optionally includes a memory remotely located from the processor 61, and these remote memories may be connected to the means for detecting ELF files via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory 62, and when executed by the one or more processors 61, perform the method for detecting ELF files in any of the above-described method embodiments, for example, perform the above-described method steps S11 to S19 in fig. 3, method steps S111 to S113 in fig. 4, method steps S1131 to S1133 in fig. 5, method steps S131 to S133 in fig. 6, and method steps S171 to S177 in fig. 7, and implement the functions of the modules 41 to 45 and the units 421 to 423 in fig. 8, and the modules 51 to 52 in fig. 9.
The product can execute the method provided by the embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method. For technical details that are not described in detail in this embodiment, reference may be made to the method provided by the embodiment of the present invention.
The electronic device of the embodiment of the invention exists in various forms, including but not limited to mobile terminals, servers and other electronic devices with data interaction functions.
Embodiments of the present invention provide a non-volatile computer-readable storage medium storing computer-executable instructions for an electronic device to perform the method for detecting ELF files in any of the above-mentioned method embodiments, for example, to perform the method steps S11 to S19 in fig. 3, the method steps S111 to S113 in fig. 4, the method steps S1131 to S1133 in fig. 5, the method steps S131 to S133 in fig. 6, and the method steps S171 to S177 in fig. 7 described above, and to implement the functions of the modules 41 to 45 and the units 421 to 423 in fig. 8, and the modules 51 to 52 in fig. 9.
Embodiments of the present invention provide a computer program product comprising a computer program stored on a non-volatile computer-readable storage medium, the computer program comprising program instructions that, when executed by a computer, cause the computer to perform the method for detecting an ELF file in any of the above-described method embodiments, for example, to perform the above-described method steps S11 to S19 in fig. 3, method steps S111 to S113 in fig. 4, method steps S1131 to S1133 in fig. 5, method steps S131 to S133 in fig. 6, and method steps S171 to S177 in fig. 7, and to implement the functions of the modules 41 to 45 and the units 421 to 423 in fig. 8, and the modules 51 to 52 in fig. 9.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a general hardware platform, and certainly can also be implemented by hardware. It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware related to instructions of a computer program, which can be stored in a computer readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; within the idea of the invention, also technical features in the above embodiments or in different embodiments may be combined, steps may be implemented in any order, and there are many other variations of the different aspects of the invention as described above, which are not provided in detail for the sake of brevity; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.