CN112307468B - Software detection method, software detection device and medium - Google Patents
Software detection method, software detection device and medium Download PDFInfo
- Publication number
- CN112307468B CN112307468B CN201910702140.6A CN201910702140A CN112307468B CN 112307468 B CN112307468 B CN 112307468B CN 201910702140 A CN201910702140 A CN 201910702140A CN 112307468 B CN112307468 B CN 112307468B
- Authority
- CN
- China
- Prior art keywords
- verification
- check
- function
- checking
- software program
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000012795 verification Methods 0.000 claims abstract description 207
- 238000000034 method Methods 0.000 claims abstract description 68
- 230000008569 process Effects 0.000 claims abstract description 26
- 230000002159 abnormal effect Effects 0.000 claims abstract description 14
- 230000006870 function Effects 0.000 claims description 182
- 230000015654 memory Effects 0.000 claims description 165
- 238000012545 processing Methods 0.000 claims description 11
- 230000003993 interaction Effects 0.000 claims description 5
- 238000013522 software testing Methods 0.000 claims description 5
- 241000700605 Viruses Species 0.000 abstract description 17
- 238000004590 computer program Methods 0.000 abstract description 8
- 238000001514 detection method Methods 0.000 abstract description 8
- 238000004891 communication Methods 0.000 description 7
- 238000004458 analytical method Methods 0.000 description 3
- 238000004422 calculation algorithm Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000000694 effects Effects 0.000 description 3
- 238000004364 calculation method Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 230000007246 mechanism Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 230000037361 pathway Effects 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Debugging And Monitoring (AREA)
Abstract
The application provides a software detection method, which can be used for security detection of a computer program and comprises the following steps: obtaining a verification structure; before the software program to be detected runs, the software program to be detected is checked by using a check structure body, and a first check result is obtained; during the running process of the software program to be detected, the software program to be detected is checked by using a check structure body, and a second check result is obtained; when the first checking result is inconsistent with the second checking result, judging that the software program to be detected is abnormal or modified; the embodiment of the application also provides a software detection device, computer equipment and a medium, and the tampered part in the computer program can be timely invented by comparing the first checking result with the second checking result, so that the computer virus or a hacker is prevented from analyzing the software program by setting a software breakpoint, and the safety of the software program is improved.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a software detection method, a software detection device, and a medium.
Background
Software program breakpoints refer to: as a result of a special event (interrupt event) occurring, the computer pauses the current task (i.e., the software program), proceeds to execute another task (interrupt service routine), and then returns to the original task to continue execution.
Some computer viruses or hackers often analyze the data of the software program by setting breakpoints, thereby achieving the illegal purpose.
In the prior art, a method of anti-debugging or detecting a debugger is generally adopted to prevent a computer virus or a hacker from invading a computer program by utilizing a breakpoint, however, the method is easy to be targeted and counteracted, so that the protection effect is lost.
Therefore, the above-mentioned problems have yet to be resolved.
Disclosure of Invention
In view of the above, the technical solution provided by the present invention is as follows:
a software detection method comprising:
acquiring a verification structure body, wherein the verification structure body is used for verifying a software program to be detected;
before the software program to be detected runs, the software program to be detected is checked by using the check structure body, and a first check result is obtained;
during the running process of the software program to be detected, the checking structure is used for checking the software program to be detected, and a second checking result is obtained;
Comparing the first check result with the second check result;
and when the first checking result is inconsistent with the second checking result, judging that the software program to be detected is abnormal or modified.
A software detection device comprising:
the system comprises an acquisition unit, a verification unit and a verification unit, wherein the acquisition unit is used for acquiring a verification structure body, and the verification structure body is used for verifying a software program to be detected;
the first verification unit is used for verifying the software program to be detected by using the verification structure body acquired by the acquisition unit before the software program to be detected runs, so as to obtain a first verification result;
the second checking unit is used for checking the software program to be detected by using the checking structural body acquired by the acquisition unit in the running process of the software program to be detected to acquire a second checking result;
the comparison unit is used for comparing the first check result obtained by the first check unit with the second check result obtained by the second check unit;
and the judging unit is used for judging that the software program to be detected is abnormal or modified when the comparison unit judges that the first checking result is inconsistent with the second checking result.
Optionally, the verification structure includes: the method comprises the steps of checking a function address, a callback function, a checked memory starting address and the checked memory size, wherein the checked memory is used for storing software codes of the software program to be detected, the checking function address is used for indicating the storage address of the checking function, the checking function is used for checking the software codes, and the callback function is used for verifying whether a checking result of the checking function is correct;
the first verification unit is further configured to:
calling the check function through the check function address;
verifying the software code stored in the verified memory using the verification function;
judging whether the verification result of the verification function is correct or not through the callback function;
and when the callback function judges that the verification result of the verification function is correct, obtaining the first verification result.
Optionally, the software detection device further includes an encryption unit, where the encryption unit is configured to:
encrypting the verification structure body to obtain first encrypted data;
the software detection device further comprises a decryption unit for:
Decrypting the first encrypted data of the data encrypted by the encryption unit to obtain the verification structure;
the second verification unit is further configured to:
and checking the software program to be detected by using the checking structure body to obtain the second checking result.
Optionally, the encryption unit is further configured to:
traversing from the beginning to the end of the check structure memory address to generate a machine codeword Fu Chuanlie;
converting the list of machine codewords into a list of encrypted global characters using AES 128-bit encryption;
the decryption unit is used for:
distributing a first memory space and a second memory space;
storing the global character list into the first memory space and the second memory space respectively;
in the first memory space, obtaining a first check function through AES 128-bit decryption;
in the second memory space, performing AES 128-bit decryption to obtain a first check structure body, wherein the first check structure body comprises a second check function;
and transferring the first check function from the first memory space to the second memory space, and replacing the second check function by the first check function to obtain a second check structure.
Optionally, the decryption unit is further configured to:
and randomly allocating memory spaces as the first memory space and the second memory space at random time points.
Optionally, the second verification unit is further configured to:
acquiring a block list of a software program functional module to be detected;
acquiring a functional module to be checked from the block list;
and verifying the functional module to be verified through the verification structure body to obtain a second verification result.
Optionally, the software detection device further includes a processing unit, where the processing unit is configured to:
reporting the result to the server, and/or forcing the program to be detected to crash through a preset assembly code.
A computer device, the computer device comprising: an interaction device, an input/output (I/O) interface, a processor, and a memory, the memory having program instructions stored therein;
the interaction device is used for acquiring an operation instruction input by a user;
the processor is configured to execute the program instructions stored in the memory and perform the method described above.
A computer readable storage medium comprising instructions which, when run on a computer device, cause the computer device to perform the above method.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1A is a flowchart of a software detection method according to an embodiment of the present application;
FIG. 1B is a flow chart of one embodiment of a software detection method provided in embodiments of the present application;
FIG. 1C is a flowchart of another embodiment of a software detection method provided in an embodiment of the present application;
FIG. 2A is a flowchart of a specific implementation of a software detection method according to an embodiment of the present application;
FIG. 2B is a flowchart illustrating an embodiment of a method for detecting software according to the embodiments of the present application;
FIG. 2C is a flowchart of another embodiment of a specific implementation of a software detection method according to the embodiments of the present application;
FIG. 2D is a flowchart illustrating another embodiment of a specific implementation of a software testing method according to the embodiments of the present application;
FIG. 2E is a flowchart of another embodiment of a specific implementation of a software detection method according to the embodiments of the present application;
FIG. 2F is a flowchart of another embodiment of a specific implementation of a software detection method according to the embodiments of the present application;
fig. 3 is a schematic structural diagram of a computer device according to an embodiment of the present application;
fig. 4 is a schematic structural diagram of a software detection device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terms "first," "second," "third," "fourth" and the like in the description and in the claims of this application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments described herein may be implemented in other sequences than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
A computer software program is a software program running in a computer (e.g., a PC, tablet or smartphone), wherein software program breakpoints in the software program refer to: as a result of a special event (e.g., an interrupt event) occurring, the computer pauses the current task (i.e., the software program), proceeds to execute another task (interrupt service routine), and then returns to the original task to continue execution.
Some computer viruses or hackers often analyze software programs by setting breakpoints, thereby achieving the purpose of illegality.
Anti-debugging or debugger detection is often used to prevent computer viruses or hackers from hacking computer programs using breakpoints, however, this approach is easily countered in a targeted manner, thereby losing the protection effect.
Therefore, in view of the above problems, the embodiment of the present application provides a software detection method, and for convenience of understanding, the control occlusion detection method provided in the embodiment of the present application is described in detail below with reference to the accompanying drawings.
Referring to fig. 1A, as shown in fig. 1A, the software detection method provided in the embodiment of the application includes the following steps:
101. and obtaining a verification structure.
In this embodiment, the verification structure is used for verifying a software program to be detected, and specifically, the verification structure includes: the method comprises the steps of checking a function address, a callback function, a checked memory starting address and the checked memory size, wherein the checked memory is used for storing software codes of the software program to be detected, the checking function address is used for indicating the storage address of the checking function, the checking function is used for checking the software codes, and the callback function is used for verifying whether a checking result of the checking function is correct. Through this check structure body, can make the computer program that carries out software and detect know, need check up how big memory, the initial address of detected memory, after accomplishing through check function check, can also further verify the accuracy of check function check through callback function.
102. Before the software program to be detected runs, the software program to be detected is checked by using a check structure body, and a first check result is obtained.
In this embodiment, before the to-be-detected software program is run, there are two purposes of using the verification structure to verify the to-be-detected software program, firstly, verifying the initial state of the to-be-detected software program before the to-be-detected software program is run, so that if a breakpoint is added in the running process of the to-be-detected software program, the breakpoint can be detected in time; secondly, verifying the correctness of the checking function through the callback function, and ensuring that when the software program to be detected starts to run, the correct checking function is used for checking the software program to be detected.
Optionally, as shown in fig. 1B, before the software program to be detected runs, the checking structure is used to check the software program to be detected, and the workflow for obtaining the first checking result may specifically include the following steps:
1021. and calling a check function through the check function address.
In this embodiment, the check function is stored in a section of memory of the computer, and the computer finds the location of the check function stored in the memory through the check function address, so as to call the check function.
1022. The software code stored in the memory being verified is verified using a verification function.
In this embodiment, the check structure includes the checked memory starting address and the checked memory size, so that the computer can check the codes stored in the section of memory through the check function, and meanwhile, the computer can determine whether the check function checks all the codes stored in the memory according to the checked memory size recorded in the check structure.
1023. Judging whether the verification result of the verification function is correct or not through the callback function.
In this embodiment, after the verification function completes the verification of the code, whether the verification result of the verification function is correct is verified by the callback function, and it should be noted that, in this embodiment of the present application, specific implementation manners of the verification function and the callback function are not limited, and a person skilled in the art may select the verification function and the callback function according to needs.
1024. And when the callback function judges that the verification result of the verification function is correct, obtaining a first verification result.
In this embodiment, when the callback function verifies that the verification result of the verification function is correct, it is indicated that the verification function is the correct function, and the first verification result is reliable, where the first verification result is output for use in the subsequent step.
Further, through steps 1021 to 1024, the computer may determine that the verification structure meets the requirement for subsequent use, and in order to further ensure the security of the software detection method, the verification structure needs to be encrypted to obtain the first encrypted data, so as to prevent a hacker or virus from tampering with the verification structure, thereby bypassing the software detection method. Alternatively, the encryption method may include the following steps.
And traversing from the beginning to the end of the storage address of the check structure body to generate a machine code character string.
In this embodiment, the check structure is converted into the machine codeword Fu Chuanlie by traversing the memory address of the check structure, thereby facilitating the processing of the subsequent steps.
The list of machine codewords is converted to a list of encrypted global characters using AES 128-bit encryption.
In this embodiment, the machine codeword list is converted into the encrypted global character list by AES128 bit encryption, and since the encrypted check structure is not located in the executable code block, it cannot be found by the function list, and since it is a scattered character list, the character string list cannot be found, and by AES encryption, the size and content have changed, and it is not possible to let one associate that is a check function, which is also a core point for preventing malicious analysis. Alternatively, the AES128 bit encryption may be replaced by other encryption methods, which are not limited in this embodiment of the present application.
103. And in the running process of the software program to be detected, the software program to be detected is checked by using a check structure body, and a second check result is obtained.
In the embodiment, in the running process of the software program, the software program to be detected is checked through the checking structural body, so that the real-time monitoring of the software program to be detected is realized. Specifically, an embodiment of verifying a software program to be detected using a verification structure, as shown in fig. 1C, may include the following steps.
1031. And obtaining a block list of the software program functional module to be detected.
In this embodiment, the software program is formed by a plurality of functional modules, each functional module executes a function, so that the plurality of functional modules cooperate to form the whole software program, and a block list is built after the functional modules of the software program to be detected are obtained, so that the situation of each functional module is obtained; specifically, the block list of the functional modules of the software program to be detected may be obtained by obtaining the base addresses of the respective modules.
1032. And acquiring the functional module to be checked from the block list.
In this embodiment, since the software breakpoint affects the executable code blocks, unnecessary blocks need to be filtered out, so that the verification efficiency is improved, and the verification of the module not affected by the software breakpoint is avoided, so that the computing power is affected, and further, the specific implementation manner of obtaining the block to be verified from the block list may be as follows: for an executable, readable, code attribute, non-discardable block, then it is considered a block that needs to be verified. The foregoing is merely an alternative implementation, and those skilled in the art can obtain the module affected by the breakpoint in the block list by using a means in the prior art, so the embodiment of the present application is not limited to a specific implementation of obtaining the functional module to be verified from the block list.
Further, after the functional module to be verified is obtained, the verification structure is required to be called to verify the functional module, and if encryption of the verification structure is performed in the above steps, decryption of the first encrypted data is required to be performed in the present step, so as to obtain the verification structure, and optionally, the decryption work specifically may include the following steps.
And allocating the first memory space and the second memory space.
In this embodiment, the first memory space and the second memory space are both memory spaces in the computer, and the first memory space and the second memory space are allocated by a dynamic allocation manner, specifically, the memory spaces may be allocated randomly at random time points as the first memory space and the second memory space, and the method is notified to ensure that the memory addresses of the verification structures are random each time, so that the virus or a hacker cannot accurately obtain the addresses of the memories of the verification structures, and the concealment of the software detection method is increased.
The global character list is stored in a first memory space and a second memory space respectively;
in this embodiment, the global character list encrypted in the preamble step is stored in the first memory space and the second memory space, that is, the first memory space and the second memory space store a global character list.
In the first memory space, the first check function is obtained through AES 128-bit decryption.
In the first memory space, the check function in the check structure body is obtained through AES128 bit decryption and is recorded as a first check function, and in the decryption process, only the check function is decrypted, but other parts of the check structure body are not decrypted.
And in the second memory space, performing AES 128-bit decryption to obtain a first check structure body.
In this embodiment, the verification structure is obtained by AES128 bit decryption, and is denoted as a first verification structure, where the first verification structure includes: a check function (denoted as a second check function), a callback function, a checked memory starting address, and a checked memory size.
And transferring the first check function into a second memory space from the first memory space, and replacing the second check function by the first check function to obtain a second check structure.
In this embodiment, the software program is checked by the second check structure in the subsequent detection process. According to the method, the check function and the check structure body are decrypted in the first memory space and the second memory space respectively, and then the check function decrypted in the first memory space is transferred into the check structure body in the second memory space, so that analysis errors in the process of decrypting the check structure body in the second memory space can be effectively prevented, and correct decryption of the check function is ensured.
It should be noted that, the first memory space and the second memory space may be actually allocated as a plurality of memory spaces, the plurality of memory spaces may decrypt the verification structures of different portions, and finally, all the decrypted portions are combined together in one memory space to form the verification structure, so the number of allocated memory spaces is not limited in the embodiment of the present application.
1033. And checking the functional module to be checked through the checking structure body to obtain a second checking result.
In this embodiment, the above step 1032 has screened out the functional module to be checked, so the decrypted check structure is used to directly check the functional module to be checked in this step, and the specific checking process can be seen from steps 1021 to 1024, which is unique in that the above steps 1021 to 1024 have another purpose of determining whether the check function is correct, and in the step, the check function has been determined to be correct by steps 1021 to 1024, only the check on the functional module is performed to obtain the second check result.
104. And comparing the first check result with the second check result.
In this embodiment, the first verification result is obtained by verification before the software program runs, the second verification result is obtained by verification during the running process of the software program, and by comparing the first and second verification results, it can be determined whether the software program code is abnormal or modified, optionally, during the running process of the software, the above step 103 may be repeated periodically to obtain multiple verification results in different time periods, and then the verification results obtained in each time period are compared, so as to obtain whether the current software program code is abnormal or modified.
105. And when the first checking result is inconsistent with the second checking result, judging that the software program to be detected is abnormal or modified.
In this embodiment, the first verification result is obtained by verification before the software program runs, and the second verification result is obtained by verification during the running process of the software program, and by comparing the two results, it can be determined whether the software program code is abnormal or modified.
Optionally, when step 105 determines that the software program is abnormal or modified, the following steps may be further performed.
Reporting the result to the server and/or forcing the program to be detected to crash through a preset remittance code.
In this embodiment, when it is determined that the software program code is abnormal or modified, it is indicated that the software program code may be invaded by a virus or a hacker, and at this time, the server or the user needs to be reported to make the server or the user know the situation at the first time to take further measures, optionally, the program to be detected may be forced to crash through a preset assembly code, so that the running security of the software program is ensured, and the virus or the hacker is prevented from further analyzing the software program.
In the working process, the software program is checked through the check structure body, so that the software program is prevented from being tampered, the situation that a hacker or virus analyzes the software program in a breakpoint setting mode is effectively prevented, the check structure body is encrypted to prevent tampering, and in the decryption process, the check functions in the complete check structure body and the check structure body are decrypted respectively, so that the secrecy of the check function is further protected, and the safety performance is improved. For easy understanding, the embodiments of the present application further describe specific embodiments of the software detection method provided in steps 101 to 106 above with reference to the accompanying drawings.
The software detection method provided by the embodiment of the application can be divided into a preparation stage and a verification stage, and the two stages are respectively described in detail below with reference to the accompanying drawings.
1. And (5) a preparation stage.
Referring to fig. 2A, as shown in fig. 2A, the preparation stage of the software testing method provided in the embodiment of the present application includes the following steps when implemented.
201. And obtaining a verification structure.
In this embodiment, as shown in fig. 2B, the step of obtaining the verification structure may specifically include
2011. Dynamically generating a function address;
in this embodiment, the meaning of dynamic generation is: the generated check function is randomly stored in different storage addresses each time, so that the storage addresses of the check function cannot be obtained by computer viruses or hackers, and the safety is improved.
2012. Obtaining a verified callback function;
in this embodiment, according to the verification function obtained in step 2012, a corresponding callback function is obtained and used to detect the verification result of the verification function, and a specific callback function obtaining manner may be that a user designates the callback function.
2013. Acquiring a starting address of a memory section to be checked;
in this embodiment, the starting address of the memory segment to be verified is obtained, so that the verification function in the subsequent operation knows the starting address of the memory where the code to be verified is located.
2014. Acquiring the size of a memory section to be checked;
in this embodiment, the size of the memory segment to be checked is obtained, so that the check function knows the memory size of the memory where the code to be checked is located in the subsequent operation.
202. And executing the verification structure.
In this embodiment, the verification body is executed for two purposes, namely, the verification function is confirmed to be correct by verification, and the initial state of the software program is obtained, as shown in fig. 2C, and the verification structure may specifically include the following steps:
2021. transmitting into a checking structure body;
in this embodiment, the verification structure obtained in step 201 needs to be transferred into the execution memory, so that the verification structure can be executed in the execution memory in the subsequent step.
2022. Executing a verification function;
in this embodiment, the software program code to be detected is verified by executing a verification function.
2023. Obtaining a verification result;
in this embodiment, after the verification function verifies the software program code to be detected, a verification result is obtained.
2024. Executing the callback function after verification;
in this embodiment, after the verification is completed, whether the verification result of the verification function is correct is checked by the callback function.
2025. And returning a verification result.
In this embodiment, when the callback function confirms that the verification result of the verification function is correct, that is, returns a verification result, the verification result is recorded as a first verification result.
203. A machine code is obtained.
In this embodiment, the verification structure obtained in step 201 is converted into a machine code in step 202, and as shown in fig. 2D, the method may specifically include the following steps:
2031. an incoming function address, record length len=0;
in this embodiment, at the initial stage, the function address is input, and the machine code length is recorded as 0.
2032. Obtaining the value of the current address;
in this embodiment, after the function address of the check structure is transmitted, the value of the current address is obtained.
2033. And judging whether the current address is a function ending address.
In this embodiment, if the current address is not the function end address, the following step 2034 is required, and if the current address is the function end address, the final step 2036 is executed.
2034, recording the machine code to the character string list;
in this embodiment, the function address transmitted in step 2031 is recorded as a machine code into a character string list;
2035. the address is shifted by one bit, and the recording length len+1 bits;
In this embodiment, if the current function address is not the end address, it is indicated that there are other addresses to be further converted into machine codes, so after the current machine code is recorded in the string list, the recording length is increased by one to record the next machine code, and then the value of the address of the next bit is obtained, and steps 2032 to 2033 are re-executed until the function end address is reached, and step 2036 is executed.
2036. Return function length (len)
In this embodiment, when the execution is performed to the function end address, it is indicated that all the function addresses have been converted into machine codes and recorded in the string list, and then the function length is returned to obtain the complete machine code.
204. The machine code is encrypted.
In this embodiment, the machine code acquired in the above step 203 needs to be encrypted, as shown in fig. 2E, which specifically includes the following steps:
2041. an incoming machine code;
in this embodiment, the machine code is transferred into the execution memory to execute the subsequent operation.
2042. Performing AES1238 encryption on the machine code;
in this embodiment, the machine code is encrypted by means of AES1238 encryption, and optionally, the encryption method may be other encryption, which is not limited to this embodiment of the present application.
2043. Returning an encrypted character list;
in this embodiment, the machine code encrypted by AES1238 is encrypted into a character list format, so as to encrypt the verification structure, where the encrypted verification structure is presented in a character list manner, and is not easy to crack, and is not easy to think that such a group of character lists is the encrypted verification structure, so that the privacy is improved.
After the preparation phase, the encrypted verification structure is obtained, so that the subsequent verification phase can be started.
2. And (3) checking.
205. A module base address is obtained.
In this embodiment, after the preparation of steps 201 to 204 is completed, the software detection is started, and the module base address, which is the base address of the functional module of the software program, needs to be acquired first.
206. Traversing the block list of the module.
In this embodiment, the functional modules of the software program are shown by way of a block list, so that the block list needs to be traversed to find the module that needs to be checked.
207. And judging whether verification is needed or not.
In this embodiment, for the module that needs to be checked, the specific implementation manner may refer to the above step 1032, which is not repeated herein, for the module that needs to be checked, the following step 208 is executed, and for the module that does not need to be checked, the above step 206 is executed again, that is, the module that needs to be checked is traversed to the next module to continue to determine whether to need to be checked.
208. The software program is checked.
In this embodiment, the verification of the software program is started, as shown in fig. 2F, and the specific verification may include the following procedures:
2081. dynamically allocating memory;
in this embodiment, the specific implementation of dynamically allocating the memory is: and randomly distributing the memory space at random time, wherein at least two memory spaces of the first memory space and the second memory space are distributed.
2082. Setting the memory space as readable, writable and executable;
in this embodiment, the memory allocated in step 2081 needs to be set to be readable, writable and executable, so that the subsequent operations can be performed.
2083. AES128 decrypts the data storage dynamic memory.
In this embodiment, the encrypted machine code obtained in step 204 is stored in the memory allocated in step 2081, where for the verification structure, one copy is stored in the first memory space and the second memory space, respectively.
2084. Decrypting the verification structure;
in this embodiment, the check function in which the encrypted machine code is decrypted by AES128 in the first memory space is denoted as a first check function, and the check structure in which the encrypted machine code is decrypted by AES128 in the second memory space is denoted as a first check structure, wherein the first check structure includes a second check function.
2085. The verification function is transmitted into a verification structure body;
in this embodiment, the verification function decrypted in the first memory space is transferred into the second memory space, so that the first verification function replaces the second verification function to obtain a new second verification structure.
2086. And executing the verification structure.
In this embodiment, for the verification structure obtained by decryption (i.e., the second verification structure described above), verification is performed on the software program code to be detected.
2087. After the verification is finished, releasing the memory;
in this embodiment, after the verification is completed, the memory is released, so that the computer virus or the hacker cannot learn that the verification work is specifically performed in which section of memory, thereby improving the security.
209. And obtaining a verification result.
In this embodiment, after the functional module of the current software is verified, a verification result of the current module is obtained.
210. Judging whether an initial comparability checking result exists.
In this embodiment, if there is no initial comparable verification result, it is indicated that the current verification is recorded as the initial verification, and step 211 is executed at this time: recording an initial verification result; if there is an initial comparability check result, then step 212 is executed: and comparing the initial verification result.
211. And recording an initial verification result.
In this embodiment, the initial verification result is a verification result when the software program just starts to run, and at this time, since the software program just starts to run and is not yet invaded by a computer virus or a hacker, the initial verification result is a reference result.
212. And comparing the initial verification result.
In this embodiment, the verification result obtained in the running process of the subsequent software program needs to be compared with the initial verification result.
213. And judging whether the comparison results are different.
In this embodiment, if the current verification result is the same as the initial verification result, it is indicated that the functional module of the current software program is running normally and is not invaded by a computer virus or a hacker, and the process returns to step 206 to continue traversing the next module, so as to verify the next module to be verified.
214. And executing reporting or crashing operation.
In this embodiment, if the current verification result and the initial verification result are different, it is indicated that the functional module of the current software program may be invaded by a computer virus or a hacker, so that it is required to report, or crash the software program, so as to prevent the computer virus or the hacker from analyzing the software program, thereby ensuring the running security of the software program.
215. And (5) exiting.
In this embodiment, there are two ways to exit the current software test detection method, firstly, the current verification result and the initial verification result are reported through the step 214 to be different or crash software program; and secondly, after traversing all modules of the software program to be detected through the step 206, if no problem is found, exiting the current software testing and detecting method.
In summary, in the embodiments of the present application, a software detection method is provided, which can be used for security detection of a computer program, and includes: obtaining a verification structure; before the software program to be detected runs, the software program to be detected is checked by using a check structure body, and a first check result is obtained; during the running process of the software program to be detected, the software program to be detected is checked by using a check structure body, and a second check result is obtained; when the first checking result is inconsistent with the second checking result, judging that the software program to be detected is abnormal or modified; by comparing the first checking result with the second checking result, the tampered part of the computer program can be invented in time, so that the computer virus or hacker is prevented from analyzing the software program by setting the software breakpoint, and the safety of the software program is improved.
The encryption method related to the software detection method may be, in addition to encryption using the encryption method of AES 128-bit encryption, encryption using a hash value calculation check method, for example: and dynamically creating an executable memory section when a program is initialized, executing a dynamic code section to scan the appointed memory section, carrying out hash value calculation and verification on the appointed memory section in the dynamic code section, then executing a preset callback function, and triggering a detection mechanism after the scanning is completed at an indefinite time. The dynamically created functions in the executable memory can be configured with different hash check functions and detection mechanisms as required.
The software detection method provided by the embodiment of the application can be applied to any client product, user interaction is not needed in the use process, codes are only required to be statically or dynamically linked into the needed product in the application process, and the software detection method can be used by simple code insertion and logic modification on the logic of the original product, so that the effects of self-protecting software and preventing malicious analysis can be achieved.
The above description has been made on the solution provided in the embodiments of the present application. It will be appreciated that the computer device, in order to carry out the functions described above, comprises corresponding hardware structures and/or software modules that perform the respective functions. Those of skill in the art will readily appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is implemented as hardware or computer software driven hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The method may be implemented by one entity device, or may be implemented by a plurality of entity devices together, or may be a logic functional module in one entity device, which is not specifically limited in the embodiment of the present application.
For example, the methods described above may all be implemented by the computer device of fig. 3. Fig. 3 is a schematic hardware structure of a computer device according to an embodiment of the present application. The computer device comprises at least one processor 301, communication lines 302, a memory 303 and at least one communication interface 304.
The processor 301 may be a general purpose central processing unit (central processing unit, CPU), microprocessor, application-specific integrated circuit (server IC), or one or more integrated circuits for controlling the execution of programs in accordance with aspects of the present application.
Communication line 302 may include a pathway to transfer information between the above-described components.
Communication interface 304, using any transceiver-like device for communicating with other devices or communication networks, such as ethernet, radio access network (radio access network, RAN), wireless local area network (wireless local area networks, WLAN), etc.
The memory 303 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc-only memory (compact disc read-only memory) or other optical disk storage, a compact disc storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be stand alone and be coupled to the processor via communication line 302. The memory may also be integrated with the processor.
The memory 303 is used for storing computer-executable instructions for executing the embodiments of the present application, and is controlled by the processor 301 to execute the instructions. The processor 301 is configured to execute computer-executable instructions stored in the memory 303, thereby implementing the methods provided in the above-described embodiments of the present application.
Alternatively, the computer-executable instructions in the embodiments of the present application may be referred to as application program codes, which are not specifically limited in the embodiments of the present application.
In a particular implementation, as one embodiment, processor 301 may include one or more CPUs, such as CPU0 and CPU1 of FIG. 3.
In a particular implementation, as one embodiment, a computer device may include multiple processors, such as processor 301 and processor 307 in FIG. 3. Each of these processors may be a single-core (single-CPU) processor or may be a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, as an embodiment, the computer device may also include an output device 305 and an input device 306. The output device 305 communicates with the processor 301 and may display information in a variety of ways. For example, the output device 305 may be a liquid crystal display (liquid crystal display, LCD), a light emitting diode (light emitting diode, LED) display device, a Cathode Ray Tube (CRT) display device, or a projector (projector), or the like. The input device 306 is in communication with the processor 301 and may receive user input in a variety of ways. For example, the input device 306 may be a mouse, keyboard, touch screen device, or sensing device, among others.
The computer device may be a general purpose device or a special purpose device. In particular implementations, the computer device may be a desktop, laptop, web server, palmtop (personal digital assistant, PDA), mobile handset, tablet, wireless terminal device, embedded device, or device having a similar structure as in fig. 3. Embodiments of the present application are not limited in the type of computer device.
The embodiment of the application may divide the functional units of the storage device according to the above method example, for example, each functional unit may be divided corresponding to each function, or two or more functions may be integrated in one processing unit. The integrated units may be implemented in hardware or in software functional units. It should be noted that, in the embodiment of the present application, the division of the units is schematic, which is merely a logic function division, and other division manners may be implemented in actual practice.
For example, in the case where the respective functional units are divided in an integrated manner, fig. 4 shows a schematic diagram of a software detection device.
As shown in fig. 4, the software detection device provided in the embodiment of the present application includes:
An obtaining unit 401, where the obtaining unit 401 is configured to obtain a verification structure, where the verification structure is used to verify a software program to be detected;
the first verification unit 402 is configured to, before the to-be-detected software program runs, verify the to-be-detected software program using the verification structure body acquired by the acquisition unit 401, to obtain a first verification result;
a second checking unit 403, where the second checking unit 403 is configured to check, during the running process of the software program to be detected, the software program to be detected by using the check structure body acquired by the acquiring unit 401, so as to obtain a second checking result;
a comparing unit 404, where the comparing unit 404 is configured to compare the first verification result obtained by the first verifying unit 402 with the second verification result obtained by the second verifying unit 403;
a determining unit 405, where the determining unit 405 is configured to determine that the software program to be detected is abnormal or modified when the comparing unit 404 determines that the first verification result is inconsistent with the second verification result.
Optionally, the verification structure includes: the method comprises the steps of checking a function address, a callback function, a checked memory starting address and the checked memory size, wherein the checked memory is used for storing software codes of the software program to be detected, the checking function address is used for indicating the storage address of the checking function, the checking function is used for checking the software codes, and the callback function is used for verifying whether a checking result of the checking function is correct;
The first checking unit 402 is further configured to:
calling the check function through the check function address;
verifying the software code stored in the verified memory using the verification function;
judging whether the verification result of the verification function is correct or not through the callback function;
and when the callback function judges that the verification result of the verification function is correct, obtaining the first verification result.
Optionally, the software detection device further includes an encryption unit 406, where the encryption unit 406 is configured to:
encrypting the verification structure body to obtain first encrypted data;
the software detection device further comprises a decryption unit 407, the decryption unit 407 being configured to:
decrypting the first encrypted data of the data encrypted by the encryption unit 406 to obtain the verification structure;
the second verification unit 403 is further configured to:
and checking the software program to be detected by using the checking structure body to obtain the second checking result.
Optionally, the encryption unit 406 is further configured to:
traversing from the beginning to the end of the check structure memory address to generate a machine codeword Fu Chuanlie;
converting the list of machine codewords into a list of encrypted global characters using AES 128-bit encryption;
The decryption unit 407 is configured to:
distributing a first memory space and a second memory space;
storing the global character list into the first memory space and the second memory space respectively;
in the first memory space, obtaining a first check function through AES 128-bit decryption;
in the second memory space, performing AES 128-bit decryption to obtain a first check structure body, wherein the first check structure body comprises a second check function;
and transferring the first check function from the first memory space to the second memory space, and replacing the second check function by the first check function to obtain a second check structure.
Optionally, the decryption unit 407 is further configured to:
and randomly allocating memory spaces as the first memory space and the second memory space at random time points.
Optionally, the second verification unit 403 is further configured to:
acquiring a block list of a software program functional module to be detected;
acquiring a functional module to be checked from the block list;
and verifying the functional module to be verified through the verification structure body to obtain a second verification result.
Optionally, the software detection device further comprises a processing unit 408, and the processing unit 408 is configured to:
Reporting the result to the server, and/or forcing the program to be detected to crash through a preset assembly code.
Further, embodiments of the present invention also provide a computer storage medium including instructions that, when executed on a computer device, cause the computer device to perform the above-described method.
The detailed description of the program stored in the computer storage medium according to the embodiments of the present application may refer to the above embodiments, and will not be repeated herein.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the device disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (14)
1. A method of software testing comprising:
acquiring a verification structure body, wherein the verification structure body is used for verifying a software program to be detected;
Before the software program to be detected runs, the software program to be detected is checked by using the check structure body, and a first check result is obtained;
during the running process of the software program to be detected, the checking structure is used for checking the software program to be detected, and a second checking result is obtained;
comparing the first check result with the second check result;
when the first checking result is inconsistent with the second checking result, judging that the software program to be detected is abnormal or modified;
the verification structure includes: the method comprises the steps of checking a function address, a callback function, a checked memory starting address and the checked memory size, wherein the checked memory is used for storing software codes of the software program to be detected, the checking function address is used for indicating the storage address of the checking function, the checking function is used for checking the software codes, and the callback function is used for verifying whether a checking result of the checking function is correct;
before the software program to be detected runs, the software program to be detected is checked by using the check structure body to obtain a first check result, which comprises the following steps:
Calling the check function through the check function address;
verifying the software code stored in the verified memory using the verification function;
judging whether the verification result of the verification function is correct or not through the callback function;
and when the callback function judges that the verification result of the verification function is correct, obtaining the first verification result.
2. The method according to claim 1, wherein before the software program to be detected runs, the checking structure is used to check the software program to be detected, and after obtaining the first checking result, the method further comprises:
encrypting the verification structure body to obtain first encrypted data;
and in the running process of the software program to be detected, checking the software program to be detected by using the checking structural body to obtain a second checking result, wherein the checking result comprises the following steps:
decrypting the first encrypted data to obtain the verification structure;
and checking the software program to be detected by using the checking structure body to obtain the second checking result.
3. The method of claim 2, wherein encrypting the verification structure to obtain first encrypted data comprises:
Traversing from the beginning to the end of the storage address of the check structure body to generate a machine codeword string list;
converting the list of machine codeword strings into a list of encrypted global characters using AES 128-bit encryption;
the decrypting the first encrypted data to obtain the verification structure body includes:
distributing a first memory space and a second memory space;
storing the global character list into the first memory space and the second memory space respectively;
in the first memory space, obtaining a first check function through AES 128-bit decryption;
in the second memory space, performing AES 128-bit decryption to obtain a first check structure body, wherein the first check structure body comprises a second check function;
and transferring the first check function from the first memory space to the second memory space, and replacing the second check function by the first check function to obtain a second check structure.
4. The method of claim 3, wherein the allocating the first memory space and the second memory space comprises:
and randomly allocating memory spaces as the first memory space and the second memory space at random time points.
5. The method according to any one of claims 1 to 4, wherein the verifying the software program to be detected using the verification structure during the running of the software program to be detected, to obtain a second verification result, includes:
acquiring a block list of a software program functional module to be detected;
acquiring a functional module to be checked from the block list;
and verifying the functional module to be verified through the verification structure body to obtain a second verification result.
6. The method according to claim 1, wherein when the first check result is inconsistent with the second check result, after determining that the software program to be detected is abnormal or modified, further comprising:
and reporting the result to a server, and/or forcing the software program to be detected to crash through a preset assembly code.
7. A software testing apparatus, comprising:
the system comprises an acquisition unit, a verification unit and a verification unit, wherein the acquisition unit is used for acquiring a verification structure body, and the verification structure body is used for verifying a software program to be detected;
the first verification unit is used for verifying the software program to be detected by using the verification structure body acquired by the acquisition unit before the software program to be detected runs, so as to obtain a first verification result;
The second checking unit is used for checking the software program to be detected by using the checking structural body acquired by the acquisition unit in the running process of the software program to be detected to acquire a second checking result;
the comparison unit is used for comparing the first check result obtained by the first check unit with the second check result obtained by the second check unit;
the judging unit is used for judging that the software program to be detected is abnormal or modified when the comparing unit judges that the first checking result is inconsistent with the second checking result;
the verification structure includes: the method comprises the steps of checking a function address, a callback function, a checked memory starting address and the checked memory size, wherein the checked memory is used for storing software codes of the software program to be detected, the checking function address is used for indicating the storage address of the checking function, the checking function is used for checking the software codes, and the callback function is used for verifying whether a checking result of the checking function is correct;
the first verification unit is further configured to:
Calling the check function through the check function address;
verifying the software code stored in the verified memory using the verification function;
judging whether the verification result of the verification function is correct or not through the callback function;
and when the callback function judges that the verification result of the verification function is correct, obtaining the first verification result.
8. The apparatus of claim 7, wherein the software detection apparatus further comprises an encryption unit configured to:
encrypting the verification structure body to obtain first encrypted data;
the software detection device further comprises a decryption unit for:
decrypting the first encrypted data of the data encrypted by the encryption unit to obtain the verification structure;
the second verification unit is further configured to:
and checking the software program to be detected by using the checking structure body to obtain the second checking result.
9. The apparatus of claim 8, wherein the encryption unit is further configured to:
traversing from the beginning to the end of the storage address of the check structure body to generate a machine codeword string list;
Converting the list of machine codeword strings into a list of encrypted global characters using AES 128-bit encryption;
the decryption unit is used for:
distributing a first memory space and a second memory space;
storing the global character list into the first memory space and the second memory space respectively;
in the first memory space, obtaining a first check function through AES 128-bit decryption;
in the second memory space, performing AES 128-bit decryption to obtain a first check structure body, wherein the first check structure body comprises a second check function;
and transferring the first check function from the first memory space to the second memory space, and replacing the second check function by the first check function to obtain a second check structure.
10. The apparatus of claim 9, wherein the decryption unit is further configured to:
and randomly allocating memory spaces as the first memory space and the second memory space at random time points.
11. The apparatus according to any one of claims 8 to 10, wherein the second verification unit is further configured to:
acquiring a block list of a software program functional module to be detected;
Acquiring a functional module to be checked from the block list;
and verifying the functional module to be verified through the verification structure body to obtain a second verification result.
12. The apparatus of claim 8, wherein the software detection apparatus further comprises a processing unit configured to:
and reporting the result to a server, and/or forcing the software program to be detected to crash through a preset assembly code.
13. A computer device, the computer device comprising: an interaction device, an input/output (I/O) interface, a processor, and a memory, the memory having program instructions stored therein;
the interaction device is used for acquiring an operation instruction input by a user;
the processor is configured to execute program instructions stored in a memory and to perform the method of any one of claims 1-6.
14. A computer readable storage medium comprising instructions which, when run on a computer device, cause the computer device to perform the method of any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910702140.6A CN112307468B (en) | 2019-07-31 | 2019-07-31 | Software detection method, software detection device and medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910702140.6A CN112307468B (en) | 2019-07-31 | 2019-07-31 | Software detection method, software detection device and medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN112307468A CN112307468A (en) | 2021-02-02 |
| CN112307468B true CN112307468B (en) | 2024-04-02 |
Family
ID=74485659
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910702140.6A Active CN112307468B (en) | 2019-07-31 | 2019-07-31 | Software detection method, software detection device and medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112307468B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101236496A (en) * | 2007-01-29 | 2008-08-06 | 展讯通信(上海)有限公司 | Software consistency detector methods and apparatus |
| CN105260654A (en) * | 2015-11-13 | 2016-01-20 | 浪潮电子信息产业股份有限公司 | Verification method for own integrity of software system |
| CN108898012A (en) * | 2018-05-23 | 2018-11-27 | 华为技术有限公司 | The method and apparatus for detecting illegal program |
-
2019
- 2019-07-31 CN CN201910702140.6A patent/CN112307468B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101236496A (en) * | 2007-01-29 | 2008-08-06 | 展讯通信(上海)有限公司 | Software consistency detector methods and apparatus |
| CN105260654A (en) * | 2015-11-13 | 2016-01-20 | 浪潮电子信息产业股份有限公司 | Verification method for own integrity of software system |
| CN108898012A (en) * | 2018-05-23 | 2018-11-27 | 华为技术有限公司 | The method and apparatus for detecting illegal program |
Also Published As
| Publication number | Publication date |
|---|---|
| CN112307468A (en) | 2021-02-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110263585B (en) | Test supervision method, device, equipment and storage medium | |
| US9836612B2 (en) | Protecting data | |
| TWI575397B (en) | Point-wise protection of application using runtime agent and dynamic security analysis | |
| CN108347361B (en) | Application program testing method and device, computer equipment and storage medium | |
| TWI541669B (en) | Detection systems and methods for static detection applications, and computer program products | |
| CN109284585B (en) | Script encryption method, script decryption operation method and related device | |
| CN110637301B (en) | Reducing disclosure of sensitive data in virtual machines | |
| CN115048652A (en) | End-to-end security for hardware running verified software | |
| CN105956474A (en) | Abnormal behavior detection system of Android platform software | |
| US10733594B1 (en) | Data security measures for mobile devices | |
| CN107145376A (en) | A kind of active defense method and device | |
| CN110138731B (en) | Network anti-attack method based on big data | |
| CN105637516A (en) | Method for verifying integrity of dynamic code using hash | |
| CN105893837B (en) | Application program installation method, security encryption chip and terminal | |
| WO2021137769A1 (en) | Method and apparatus for sending and verifying request, and device thereof | |
| CN111177693A (en) | Method, device, equipment and medium for verifying terminal root certificate | |
| Tsankov et al. | Semi-valid input coverage for fuzz testing | |
| Tillmanns et al. | Firmware insider: Bluetooth randomness is mostly random | |
| CN112307468B (en) | Software detection method, software detection device and medium | |
| CN111177726B (en) | System vulnerability detection method, device, equipment and medium | |
| CN108259490B (en) | Client verification method and device | |
| CN109167785B (en) | Calling method of virtual trusted root and service server | |
| CN109583204B (en) | Method for monitoring static object tampering in mixed environment | |
| CN111859313A (en) | Verification method and device | |
| CN112016336A (en) | Method, device, equipment and storage medium for detecting copy card |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |