CN112527672B - Detection method and equipment for shell adding tool - Google Patents

Publication number
CN112527672B
Authority
CN
China
Prior art keywords
test sample
running
log file
shell adding
result
Legal status
Active
Application number
CN202011517740.4A
Other languages
Chinese (zh)
Other versions
CN112527672A (en)
Inventor
孙吉平
孙建伟
Current Assignee
Beijing Senseshield Technology Co Ltd
Original Assignee
Beijing Senseshield Technology Co Ltd
Application filed by Beijing Senseshield Technology Co Ltd
Priority to CN202011517740.4A
Publication of CN112527672A
Application granted
Publication of CN112527672B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3684 Test management for test design, e.g. generating new test cases
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites

Abstract

The invention discloses a detection method and equipment for a shell adding tool. The method comprises the following steps: performing a shell adding operation on a test sample by using the configured shell adding tool; running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result; and comparing the first log file with a second log file to determine whether the shell adding tool meets a preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of a second running result. Because the detection method compares the related information of the execution result of the test sample with the shell against that of the test sample without the shell, the shell adding tool can be accurately detected according to the comparison result of the main content, and it can be determined whether the tool can complete the shell adding operation correctly.

Description

Detection method and equipment for shell adding tool
Technical Field
The present disclosure relates to the field of information testing, and more particularly, to a method and an apparatus for detecting a shell-adding tool.
Background
A shell adding tool, such as VBP, is used to encrypt and protect data such as software, using technical means such as virtualization, obfuscation, and automatic code transplantation. However, after a shell has been added to software or other data, errors may occur because of the shell adding tool, and the program may even fail to run after shell adding. There is currently no good way to detect whether a shell adding tool can correctly complete the shell adding operation.
Disclosure of Invention
The embodiment of the invention aims to provide a detection method and equipment for a shell adding tool, with which the shell adding tool used to add a shell to target data can be accurately detected.
In order to solve the technical problem, the embodiment of the invention adopts the following technical scheme: a detection method for a shell adding tool, comprising:
performing a shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result;
and comparing the first log file with a second log file to determine whether the shell adding tool meets a preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of a second running result.
Optionally, running the test sample after the shell adding operation and generating a corresponding first log file based on the related information of the first running result includes:
running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area;
and generating the first log file at least based on the first function call path and the first information.
Optionally, running the test sample after the shell adding operation and at least obtaining a first function call path of the test sample and first information stored in a preset storage area includes:
running each first function in the test sample after the shell adding operation, obtaining the running times of the first function, and obtaining at least one of the following stored in a preset register: function name and function run result.
Optionally, the method further comprises:
running the test sample which is not subjected to the shell adding operation, and at least obtaining a second function call path of the test sample and second information stored in a preset storage area;
generating the second log file based on at least the second function call path and the second information.
Optionally, comparing the first log file with the second log file to determine whether the shell adding tool meets the preset requirement includes:
determining that the shell adding tool meets a preset requirement under the condition that the related information of the first running result is the same as the related information of the second running result; or,
under the condition that the difference degree between the related information of the first running result and the related information of the second running result is within a certain range, determining that the shell adding tool meets the preset requirement.
Optionally, the method further comprises performing a configuration operation on the shelling tool, the configuration operation comprising:
generating a shell option configuration file corresponding to the test sample by using a script;
determining a file name and an output file name of the test sample;
and constructing a test environment of the test sample based on an operating system.
Optionally, the shelling operation comprises:
and distributing the test sample to a constructed test environment through a scheduling program, and using a script command to run a shell adding tool so as to add the shell to the test sample.
The embodiment of the present application further provides a detection apparatus for a shell adding tool, including:
a shell adding module configured to perform a shell adding operation on the test sample by using the configured shell adding tool;
the execution module is configured to run the test sample after the shell adding operation and generate a corresponding first log file based on the related information of the first running result;
and the processing module is configured to compare the first log file with a second log file to determine whether the shell adding tool meets a preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of a second running result.
Optionally, the execution module is further configured to:
running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area;
and generating the first log file at least based on the first function call path and the first information.
An embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the following steps are implemented:
performing shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result;
and comparing the first log file with a second log file to determine whether the shell adding tool meets a preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of a second running result.
The embodiment of the invention has the following beneficial effects: because the detection method for the shell adding tool compares the related information of the execution result of the test sample with the shell against that of the test sample without the shell, the shell adding tool can be accurately detected according to the comparison result of the main content, and it can be determined whether the shell adding tool can complete the shell adding operation correctly.
Drawings
FIG. 1 is a flow chart of a detection method for a shell adding tool according to an embodiment of the invention;
FIG. 2 is a flowchart of one embodiment of step S2 of FIG. 1 according to the present invention;
FIG. 3 is a flow chart of one embodiment of a detection method for a shell adding tool in accordance with an embodiment of the present invention;
FIG. 4 is a block diagram of a detection apparatus for a shell adding tool according to an embodiment of the present invention.
Detailed Description
Various aspects and features of the present invention are described herein with reference to the drawings.
It will be understood that various modifications may be made to the embodiments of the invention herein. Accordingly, the foregoing description should not be construed as limiting, but merely as exemplifications of embodiments. Other modifications will occur to those skilled in the art which are within the scope and spirit of the invention.
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and, together with a general description of the invention given above, and the detailed description of the embodiments given below, serve to explain the principles of the invention.
These and other characteristics of the invention will become apparent from the following description of a preferred form of embodiment, given as a non-limiting example, with reference to the accompanying drawings.
It is also to be understood that although the invention has been described with reference to specific examples, those skilled in the art are able to ascertain many other equivalents to the practice of the invention.
The above and other aspects, features and advantages of the present invention will become more apparent in view of the following detailed description when taken in conjunction with the accompanying drawings.
Specific embodiments of the present invention are described hereinafter with reference to the accompanying drawings; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention, which can be embodied in various forms. Well-known and/or repeated functions and constructions are not described in detail to avoid obscuring the invention in unnecessary detail. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a basis for the claims and as a representative basis for teaching one skilled in the art to variously employ the present invention in virtually any appropriately detailed structure.
The specification may use the phrases "in one embodiment," "in another embodiment," "in yet another embodiment," or "in other embodiments," which may each refer to one or more of the same or different embodiments in accordance with the invention.
The detection method for the shell adding tool in the embodiment of the invention can be used by electronic equipment for detecting the shell adding effect of the shell adding tool, and comprises the following steps:
performing shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result;
and comparing the first log file with a second log file to determine whether the shell adding tool meets a preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of a second running result.
Specifically, the shell adding tool uses technical means such as virtualization, obfuscation and automatic code transplantation to shuffle and recombine the instructions of the executable program, or to put part of the code into a virtual machine to run, so that the protected program cannot be decompiled, while ensuring that the running result of the program remains correct. The test sample in this embodiment may be a program used for testing or other relevant data, such as a program identical or similar to the actual object to which a shell is to be added, and is preferably a test program with a typical structure. Once configuration is finished, the shell adding tool can perform the shell adding operation on the test sample. The test sample after shell adding is encrypted but still preserves its original function. Running the encrypted test sample produces a corresponding first running result together with the related information of the first running result, which includes the running path (the call path of the functions in the test sample), the running logic, the number of times the functions run, and the like, of the test sample after shell adding. Based on the related information of the first running result, a first log file may be generated. The test sample can also be run before the shell is added: a second running result is obtained, the related information of the second running result is generated, including the running path, the running logic, the number of times the functions run, and the like, of the test sample, and a second log file is generated based on the related information of the second running result.
In this embodiment, the first log file and the second log file may be compared to obtain a corresponding comparison result. If the comparison result meets a preset requirement, the shell adding tool is considered to meet the requirement and to be able to complete the shell adding operation correctly; otherwise, the shell adding tool may be considered to have a defect.
Because the detection method for the shell adding tool compares the related information of the execution result of the test sample with the shell against that of the test sample without the shell, the shell adding tool can be accurately detected according to the comparison result of the main content, and it can be determined whether the shell adding tool can complete the shell adding operation correctly.
In order to better understand the technical solutions, the technical solutions of the present invention are described in detail below with reference to the drawings and specific embodiments, and it should be understood that the specific features in the embodiments and examples of the present invention are detailed descriptions of the technical solutions of the present invention, and are not limitations of the technical solutions of the present invention, and the technical features in the embodiments and examples of the present invention may be combined with each other without conflict.
FIG. 1 is a flow chart of a detection method for a shell adding tool according to an embodiment of the invention. The detection method in the embodiment of the application can be applied to electronic equipment, or to detection equipment for the shell adding tool, in order to detect the shell adding tool. As shown in FIG. 1, the method includes the following steps:
S1, performing a shell adding operation on the test sample by using the configured shell adding tool.
The shell adding tool needs to be configured. For example, an adjusted configuration template can be used to configure the shell adding tool, which includes configuring specific data such as the file name of the test sample and the output file name. The test environment can also be configured, for example based on the operating system of the electronic device on which the test runs, using a test architecture that has been built. The configured shell adding tool may perform a shell adding operation on the test sample, for example by implanting code into the test sample that obtains control of the program first at run time and then returns control to the test sample, thereby hiding the real entry point of the program. Of course, the shell adding operation can be adjusted according to actual needs.
S2, running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result.
The first running result is the running result of the test sample after the shell adding operation, and may be stored in a register. Running the test sample after the shell adding operation generates, in addition to the first running result, the related information of the first running result, which may be regarded as the first related information and includes the running result of the test sample after the shell adding operation, the running path, the running logic, the number of times at least one function in the test sample runs, and the like. A corresponding first log file is generated based on the related information of the first running result. The first log file is the log file generated after the test sample subjected to the shell adding operation is run; it records the related information of the first running result and also includes other information generated while the test sample runs. The first log file may be stored in a storage device of the electronic device.
S3, comparing the first log file with a second log file to determine whether the shell adding tool meets the preset requirement, wherein the second log file is generated by running the test sample without the shell adding operation, based on the related information of the second running result.
The second log file is the log file generated while the test sample without the shell runs. It includes the related information of the second running result, which may be regarded as the second related information and includes the running result of the test sample without the shell, the running path, the running logic, the number of times at least one function in the test sample runs, and the like. Of course, other relevant information from the running of the test sample is also recorded, such as specific operation information and important events. In this embodiment, the first log file and the second log file may be compared, and further the related information of the first running result and the related information of the second running result may be compared, including the running results, the running paths, the running logic, the number of times at least one function in the test sample runs, and the like. Whether the shell adding tool meets the preset requirement can be determined from the specific comparison result, including whether the shell adding tool has errors and whether it can complete the shell adding operation correctly.
In an embodiment of the present application, running the test sample after the shell adding operation and generating a corresponding first log file based on the related information of the first running result includes, as shown in FIG. 2, the following steps:
S21, running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area.
The test sample comprises at least one first function. After the test sample subjected to the shell adding operation is run, the first function has a corresponding first function call path, which can represent the running track of the test sample after the shell adding operation. The first information may be a function name of the first function and a function running result of at least one first function. The first information is stored in a preset storage area, such as a register of the electronic device, so that it can be retrieved easily.
S22, generating the first log file based on at least the first function call path and the first information.
The first log file may record the log generated while the electronic device processes the test sample after shell adding, including significant events of the electronic device during processing. In this embodiment, the first log file may be generated based on the first function call path and the first information, combined with other information that needs to be recorded and that appears while the electronic device processes the test sample after shell adding.
In an embodiment of the present application, the step of running the test sample after the shell adding operation and at least obtaining a first function call path of the test sample and first information stored in a preset storage area includes:
running each first function in the test sample after the shell adding operation, obtaining the running times of the first function, and obtaining at least one of the following stored in a preset register: function name and function run result.
Specifically, the test sample after the shell adding operation includes one or more first functions, and the first function call path may represent a running track of the test sample after the shell adding operation during running, where the running track includes information such as the number of calls of a single and/or all first functions, and the execution order of the plurality of first functions. In this embodiment, each first function may be run to obtain the number of times of running of the corresponding first function, and when a plurality of first functions are present in the test sample, not only the number of times of running of each first function but also the running order of the plurality of first functions may be obtained. In one embodiment, each first function is given a unique index number each time it is called (the same function is called multiple times, and the corresponding index numbers are different). When the test sample is completely run, the number of the corresponding index numbers of each first function can be respectively counted to obtain the running times of the first function, so that index counting is realized.
The first information may be a function name of the first function and a function execution result of the first function, and the function name and the function execution result may be stored in a preset register so as to be called and compared later.
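The index counting described above, as an added Python example that is not part of the patent text. It assumes an in-process decorator standing in for the marks implanted into the test sample; `CallTracer`, `build_sample` and the JSON log line layout are hypothetical names and choices made for this illustration.

```python
import functools
import json
from collections import Counter


class CallTracer:
    """Collects one record per call: a unique index, the function name, the result."""

    def __init__(self):
        self.records = []
        self._next_index = 0

    def mark(self, func):
        """Mark a function so that every call to it is recorded."""
        @functools.wraps(func)
        def wrapper(*args, **kwargs):
            # The index is taken on entry, so index order equals call order
            # even when marked functions call each other.
            record = {"index": self._next_index, "name": func.__name__, "result": None}
            self._next_index += 1
            self.records.append(record)
            record["result"] = func(*args, **kwargs)
            return record["result"]
        return wrapper

    def call_path(self):
        """Function call path: names in the order the calls started."""
        return [r["name"] for r in self.records]

    def run_counts(self):
        """Index counting: a function's run count is the number of indices it received."""
        return dict(Counter(r["name"] for r in self.records))

    def to_log(self):
        """Serialize the records as a log, one JSON object per line (assumed format)."""
        return "\n".join(json.dumps(r, sort_keys=True) for r in self.records)


def build_sample(tracer):
    """Constructed test sample with a small, typical call structure."""
    @tracer.mark
    def checksum(data):
        return sum(data) % 251

    @tracer.mark
    def validate(data):
        return checksum(data) == checksum(bytes(reversed(data)))

    @tracer.mark
    def entry():
        return [validate(b"abc"), checksum(b"xyz")]

    return entry


def run_and_log():
    """Run the constructed sample once and return its result and the tracer."""
    tracer = CallTracer()
    result = build_sample(tracer)()
    return result, tracer


if __name__ == "__main__":
    result, tracer = run_and_log()
    print(tracer.to_log())
    print(tracer.run_counts())
```

Running the same marked sample before and after shell adding yields the two logs that the later comparison step consumes.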
In one embodiment of the present application, as shown in fig. 3, the method further comprises the steps of:
S4, running the test sample without the shell adding operation, and at least obtaining a second function call path of the test sample and second information stored in a preset storage area;
S5, generating the second log file based on at least the second function call path and the second information.
Specifically, the test sample that is not subjected to the shell adding operation contains one or more second functions. The specific content of the second functions may be the same as that of the first functions in the corresponding test sample after shell adding; a first function and the corresponding second function may differ only in whether a shell has been added. In this embodiment, at least the second function call path of the test sample without the shell is obtained, which may represent the running track of the test sample without the shell during running. This includes information such as the number of calls of a single second function and/or of all second functions, and the execution order of the plurality of second functions. In addition, the second information stored in the preset storage area after the test sample without the shell is run can be obtained. The second information may be a function name of a second function and a function running result of the second function, and the function name and the function running result may be stored in a preset register.
In this embodiment, the second log file may be generated based on the second function call path and the second information, and may of course also be combined with other information that needs to be recorded and that occurs while the electronic device processes the test sample without the shell. The first log file may be compared with the second log file; specifically, the related information of the first running result in the first log file may be compared with the related information of the second running result in the second log file. This comprises comparing the first function call path with the second function call path, and also comparing the first information with the second information, that is, comparing the function name and the function running result of the first function with the function name and the function running result of the second function, thereby obtaining the corresponding comparison result.
In an embodiment of the present application, comparing the first log file with the second log file to determine whether the shell adding tool meets a preset requirement includes:
determining that the shell adding tool meets a preset requirement under the condition that the related information of the first running result is the same as the related information of the second running result; or,
under the condition that the difference degree between the related information of the first running result and the related information of the second running result is within a certain range, determining that the shell adding tool meets the preset requirement.
Specifically, on the one hand, the related information of the first running result may be the same as the related information of the second running result: if all the compared content in the first running result is the same as the corresponding content in the second running result, it may be determined that the shell adding tool meets the preset requirement. For example, if the first function call path is the same as the second function call path, and the function name and the function running result of the first function are the same as those of the second function, the shell adding tool can be determined to meet the preset requirement and to be able to complete the shell adding operation correctly; even after a shell is added to the test sample, the test sample will not have running errors or other problems.
On the other hand, the related information of the first running result may not be completely identical to the related information of the second running result. If the compared content in the first running result and the corresponding content in the second running result are mostly the same, or the main content is the same, it may also be determined that the shell adding tool meets the preset requirement. For example, if the first function call path is the same as the second function call path, the function running result of the first function is the same as the function running result of the second function, and only the function name of the first function and the function name of the second function changed slightly in the process of generating the log files, the shell adding tool can be determined to meet the preset requirement.
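The two acceptance rules above (identical logs, or a difference within a certain range), as an added Python example that is not part of the patent text. The one-JSON-object-per-call log format, the constructed sample logs, the function names, and the use of a string-similarity threshold of 0.8 to model "changed slightly" are all assumptions made for this illustration.

```python
import json
from collections import Counter
from difflib import SequenceMatcher


def make_log(rows):
    """Build a constructed log: one JSON object per call, indexed in call order."""
    return "\n".join(
        json.dumps({"index": i, "name": name, "result": result})
        for i, (name, result) in enumerate(rows)
    )


# Constructed sample logs (not real tool output).
UNSHELLED = make_log([("entry", [True, 112]), ("validate", True),
                      ("checksum", 43), ("checksum", 43), ("checksum", 112)])
SHELLED_SAME = UNSHELLED
SHELLED_RENAMED = make_log([("entry_0", [True, 112]), ("validate_0", True),
                            ("checksum_0", 43), ("checksum_0", 43),
                            ("checksum_0", 112)])
SHELLED_WRONG_RESULT = make_log([("entry", [True, 111]), ("validate", True),
                                 ("checksum", 43), ("checksum", 43),
                                 ("checksum", 111)])
SHELLED_DROPPED_CALL = make_log([("entry", [True, 112]), ("validate", True),
                                 ("checksum", 43), ("checksum", 112)])


def parse_log(text):
    """Parse a log into call records sorted by their per-call index."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["index"])


def compare_logs(first_text, second_text, name_similarity=1.0):
    """List the differences between the first (shelled) and second (unshelled) log.

    name_similarity=1.0 requires identical function names; a lower value accepts
    names that changed slightly, while call order and results must still match.
    """
    first, second = parse_log(first_text), parse_log(second_text)
    findings = []
    if len(first) != len(second):
        findings.append(f"total calls: {len(first)} vs {len(second)}")
        counts_1 = Counter(r["name"] for r in first)
        counts_2 = Counter(r["name"] for r in second)
        for name in sorted(set(counts_1) | set(counts_2)):
            if counts_1[name] != counts_2[name]:
                findings.append(
                    f"run count of {name}: {counts_1[name]} vs {counts_2[name]}")
    # Walk both call paths position by position.
    for a, b in zip(first, second):
        ratio = SequenceMatcher(None, a["name"], b["name"]).ratio()
        if ratio < name_similarity:
            findings.append(f"call {a['index']}: name {a['name']!r} vs {b['name']!r}")
        if a["result"] != b["result"]:
            findings.append(
                f"call {a['index']}: result {a['result']!r} vs {b['result']!r}")
    return findings


def meets_requirement(first_text, second_text, name_similarity=1.0):
    """True when the shelled run shows no difference under the chosen rule."""
    return not compare_logs(first_text, second_text, name_similarity)


if __name__ == "__main__":
    for label, log in [("same", SHELLED_SAME), ("renamed", SHELLED_RENAMED),
                       ("wrong result", SHELLED_WRONG_RESULT),
                       ("dropped call", SHELLED_DROPPED_CALL)]:
        print(label, meets_requirement(log, UNSHELLED),
              meets_requirement(log, UNSHELLED, name_similarity=0.8))
```

A changed result or a missing call fails under both rules; only the renamed log passes the tolerant rule while failing the strict one.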
In one embodiment of the present application, the method further comprises performing a configuration operation on the shelling tool, the configuration operation comprising:
generating a shell option configuration file corresponding to the test sample by using a script;
determining a file name and an output file name of the test sample;
and constructing a test environment of the test sample based on an operating system.
For example, a script may be used to generate the shell option configuration file corresponding to the test sample, that is, an ssp file, by copying the configuration template and modifying the file name of the test sample to which a shell is to be added, the output file name, and the storage path of the test sample after shell adding.
When the shell adding tool runs on Windows, an automated testing scheme built on the STAF framework can be used, with the STAF and Python environments deployed and installed on the system to be tested. Test samples are distributed onto the test system by means of STAF scheduling, and a command line script is used to run the shell adding operation.
In one embodiment of the present application, the shelling operation comprises:
distributing the test sample to the constructed test environment through a scheduling program, and using a script command to run the shell adding tool so as to add the shell to the test sample.
Script commands may be used in this implementation to run the shell adding tool. Before adding a shell to a program, the shell adding tool can analyze the test sample to which the shell is to be added, and different test samples yield analysis results in different forms. When the shell adding tool analyzes a standard executable program, the entry addresses of all functions can be obtained and marked, and the input parameters and output parameters of each function can be obtained and marked at the same time. For managed program languages (such as C#), function names can be obtained directly during analysis and marked, and the input parameters and output parameters of the functions are obtained and marked at the same time. In this way, the source program of the test sample can be processed into two forms: first, a form in which only the marks are added and the execution of the source program is not changed, which is stored as the source program; second, a form in which different shell adding technologies are used to add a shell to the source program and the marks are implanted into it, which serves as the source program after shell adding. Then, through the steps above, the test sample after shell adding and the test sample without the shell are each called and executed, and the corresponding first log file and second log file are generated.
The embodiment of the present application further provides a detection device for a shell adding tool, where the detection device may be a device in an electronic device such as a computer, or may be the electronic device itself, and as shown in fig. 4, the detection device includes:
and the shell adding module is configured to perform shell adding operation on the test sample by utilizing the configured shell adding tool.
The shell adding tool needs to be configured. For example, the shell adding module can use the adjusted configuration template to configure the shell adding tool, including specific data such as the file name of the test sample and the output file name; the test environment can also be configured, for example based on the operating system of the electronic device that runs it, using a built test architecture, and the like. The configured shell adding tool may perform the shell adding operation on the test sample, for example by implanting code into the test sample that obtains control of the program first at run time and then returns control to the test sample, thereby hiding the real entry point of the program. Of course, the shell adding module can adjust the shell adding operation according to actual needs.
And the execution module is configured to run the test sample after the shell adding operation and generate a corresponding first log file based on the relevant information of the first running result.
The first operation result is an operation result of the test sample after the shell adding operation, the first operation result may be stored in a register, and after the execution module operates the test sample after the shell adding operation, the execution module generates the first operation result and also generates related information of the first operation result, which may be regarded as the first related information, including information on the operation result of the test sample after the shell adding operation, the operation path, the operation logic, the operation times of at least one function in the test sample, and the like. The execution module generates a corresponding first log file based on the relevant information of the first operation result, wherein the first log file is a log file generated after the test sample subjected to the shell adding operation is operated, the relevant information of the first operation result is recorded, and certainly, other information generated in the operation process of the test sample is also included. The first log file may be stored in a storage device of the electronic device.
And the processing module is configured to compare the first log file with a second log file to determine whether the shelling tool meets a preset requirement, wherein the second log file is a file generated by running the test sample without shelling operation and based on related information of a second running result.
The second log file is a log file generated while running the unshelled test sample. It includes the related information of the second running result, which can be regarded as second related information, including the running result of the unshelled test sample, the running path, the running logic, the running times of at least one function in the test sample, and the like. Other relevant information from the run is also recorded, such as specific operation information and important events. In this embodiment, the processing module may compare the first log file with the second log file, and thereby compare the related information of the first operation result with the related information of the second operation result, including the operation results, the operation paths, the operation logic, and the operation times of at least one function in the test sample. From the specific comparison result, the processing module can determine whether the shell adding tool meets the preset requirement, including whether the shell adding tool has errors and whether it can complete the shell adding operation correctly.
In one embodiment of the present application, the execution module is further configured to:
running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area;
and generating the first log file at least based on the first function call path and the first information.
Specifically, the test sample includes at least one first function, and after the execution module runs the test sample after the shell adding operation, the first function may also have a corresponding first function call path, which may represent a running track of the test sample after the shell adding operation. The first information may be a function name of the first function and a function execution result of at least one first function, and the first information is stored in a preset storage area, such as a register of the electronic device, so as to facilitate the calling of the first information.
The first log file may record a log generated during operation of the electronic device processing the shelled test sample, including significant events of the electronic device during processing. In this embodiment, when generating the first log file, the execution module may generate the first log file based on the first function call path and the first information, and in combination with other information that needs to be recorded and appears in the process of processing the shelled test sample by the electronic device.
In one embodiment of the present application, the execution module is further configured to:
running each first function in the test sample after the shell adding operation, obtaining the running times of the first function, and obtaining at least one of the following stored in a preset register: function name and function run result.
In one embodiment of the present application, the execution module is further configured to:
running the test sample which is not subjected to the shell adding operation, and at least obtaining a second function call path of the test sample and second information stored in a preset storage area;
generating the second log file based on at least the second function call path and the second information.
In one embodiment of the present application, the processing module is further configured to:
determining that the shelling tool meets a preset requirement under the condition that the related information of the first operation result is the same as the related information of the second operation result; or,
and under the condition that the difference degree between the related information of the first operation result and the related information of the second operation result is within a certain range, determining that the shelling tool meets the preset requirement.
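The comparison rule above, as an added Python example (not code from the patent): it parses the first and second log files into a call path, per-function running times and function results, then applies either the identical-information test or a bounded degree of difference. The `CALL name -> result` log format, the difference metric and the `max_difference` threshold are assumptions; the patent specifies none of them.

```python
import difflib
import re
from collections import Counter
from dataclasses import dataclass, field

# Assumed log line format (the patent does not define one):
#   CALL <function_name> -> <result>
CALL_RE = re.compile(r"^CALL\s+(\w+)\s*->\s*(.*)$")


@dataclass
class RunInfo:
    """'Related information' of one run, extracted from its log file."""
    call_path: list = field(default_factory=list)      # functions in call order
    counts: Counter = field(default_factory=Counter)   # running times per function
    results: dict = field(default_factory=dict)        # function -> results in order


@dataclass
class Verdict:
    meets_requirement: bool
    difference: float   # 0.0 = identical, 1.0 = nothing in common
    findings: list


def parse_log(text):
    info = RunInfo()
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue  # timestamps and other events are not compared
        name, result = m.group(1), m.group(2).strip()
        info.call_path.append(name)
        info.counts[name] += 1
        info.results.setdefault(name, []).append(result)
    return info


def compare_runs(first, second, max_difference=0.0):
    """first: shelled run, second: unshelled baseline.

    max_difference=0.0 requires identical information; a larger value accepts
    a bounded degree of difference (the metric and threshold are assumptions).
    """
    if not second.call_path:
        raise ValueError("baseline log has no call records; nothing to compare")
    findings = []
    functions = sorted(set(first.counts) | set(second.counts))
    for name in functions:
        if first.counts[name] != second.counts[name]:
            findings.append(f"{name}: ran {first.counts[name]}x shelled, "
                            f"{second.counts[name]}x unshelled")
        elif first.results[name] != second.results[name]:
            findings.append(f"{name}: results differ")
    func_diff = len(findings) / len(functions)
    path_sim = difflib.SequenceMatcher(
        None, first.call_path, second.call_path, autojunk=False).ratio()
    if path_sim < 1.0 and not findings:
        findings.append("call order differs")
    difference = max(1.0 - path_sim, func_diff)
    return Verdict(difference <= max_difference, difference, findings)


# Constructed sample logs, not output of any real shell adding tool.
UNSHELLED_LOG = """\
2020-12-21 10:00:00 start sample
CALL init -> 0
CALL parse_input -> 3
CALL compute -> 42
CALL compute -> 43
CALL cleanup -> 0
"""
SHELLED_OK_LOG = "shell stub returned control to sample\n" + UNSHELLED_LOG
SHELLED_BAD_LOG = """\
CALL init -> 0
CALL parse_input -> 3
CALL compute -> -1
"""

if __name__ == "__main__":
    baseline = parse_log(UNSHELLED_LOG)
    for label, log in (("ok", SHELLED_OK_LOG), ("bad", SHELLED_BAD_LOG)):
        print(label, compare_runs(parse_log(log), baseline))
```

A shelled run that dies before reaching the sample's functions produces an empty call path and scores the maximum difference, while an empty baseline is rejected outright so that two empty logs can never count as a match.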
In one embodiment of the present application, the shell adding module is further configured to: perform a configuration operation on the shelling tool, the configuration operation comprising:
generating a shell option configuration file corresponding to the test sample by using a script;
determining a file name and an output file name of the test sample;
and constructing a test environment of the test sample based on an operating system.
In one embodiment of the present application, the shelling operation comprises:
and distributing the test sample to a constructed test environment through a scheduling program, and using a script command to run a shell adding tool so as to add the shell to the test sample.
An embodiment of the present application further provides a computer-readable storage medium, where instructions are stored in the computer-readable storage medium, and when the instructions are executed on a computer, the following steps are implemented:
performing shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on the related information of the first running result;
and comparing the first log file with a second log file to determine whether the shelling tool meets a preset requirement, wherein the second log file is a file generated by running the test sample without shelling and based on related information of a second running result.
Specifically, the shell adding tool needs to be configured. For example, the adjusted configuration template can be used to configure the shell adding tool, including specific data such as the file name of the test sample and the output file name; the test environment can also be configured, for example based on the operating system of the electronic device that runs it, using a built test architecture, and the like. The configured shell adding tool may perform the shell adding operation on the test sample, for example by implanting code into the test sample that obtains control of the program first at run time and then returns control to the test sample, thereby hiding the real entry point of the program. Of course, the shell adding operation can be adjusted according to actual needs.
The first operation result is an operation result of the test sample after the shell adding operation, the first operation result may be stored in a register, and after the test sample after the shell adding operation is operated, the relevant information of the first operation result is generated in addition to the first operation result, and may be regarded as the first relevant information, including information on the operation result of the test sample after the shell adding operation, the operation path, the operation logic, the operation frequency of at least one function in the test sample, and the like. And generating a corresponding first log file based on the related information of the first operation result, wherein the first log file is a log file generated after the test sample subjected to the shell adding operation is operated, the related information of the first operation result is recorded, and other information generated in the operation process of the test sample is also included. The first log file may be stored in a storage device of the electronic device.
The second log file is a log file generated while running the unshelled test sample. It includes the related information of the second running result, which can be regarded as second related information, including the running result of the unshelled test sample, the running path, the running logic, the running times of at least one function in the test sample, and the like. Other relevant information from the run is also recorded, such as specific operation information and important events. In this embodiment, the first log file and the second log file may be compared, and thereby the related information of the first operation result and the related information of the second operation result, including the operation results, the operation paths, the operation logic, the operation times of at least one function in the test sample, and the like. From the specific comparison result, it can be determined whether the shell adding tool meets the preset requirement, including whether the shell adding tool has errors and whether it can complete the shell adding operation correctly.
The above embodiments are only exemplary embodiments of the present invention, and are not intended to limit the present invention, and the scope of the present invention is defined by the claims. Various modifications and equivalents may be made by those skilled in the art within the spirit and scope of the present invention, and such modifications and equivalents should also be considered as falling within the scope of the present invention.

Claims (10)

1. A detection method for a shell adding tool, comprising:
performing shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on related information of a first running result, wherein the related information of the first running result is first related information and comprises at least one of the following: the running path and the running logic of the test sample after shell adding, and the running times of at least one function in the test sample;
comparing the first log file with a second log file to determine whether the shelling tool meets a preset requirement, wherein the second log file is a file generated by running the test sample without shelling and based on related information of a second running result, the test sample has the second running result after running before shelling, and the related information of the second running result includes at least one of the following: the running path and the running logic of the test sample before shell adding and the running times of the function in the test sample.
2. The detection method according to claim 1, wherein the step of generating a corresponding first log file based on the information related to the first operation result after the step of executing the test sample subjected to the shelling operation comprises:
running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area;
and generating the first log file at least based on the first function call path and the first information.
3. The method according to claim 2, wherein the step of obtaining at least a first function call path of the test sample and first information stored in a preset storage area after the test sample is subjected to the shell adding operation comprises:
running each first function in the test sample after the shell adding operation, obtaining the running times of the first function, and obtaining at least one of the following stored in a preset register: function name and function run result.
4. The detection method according to claim 1, further comprising:
running the test sample which is not subjected to the shell adding operation, and at least obtaining a second function call path of the test sample and second information stored in a preset storage area;
generating the second log file based on at least the second function call path and the second information.
5. The method of claim 1, wherein comparing the first log file with the second log file to determine whether the shelling tool meets predetermined requirements comprises:
determining that the shelling tool meets a preset requirement under the condition that the related information of the first operation result is the same as the related information of the second operation result; or,
and under the condition that the comparison content in the first operation result is mostly the same as the corresponding content in the second operation result or the main content is the same, determining that the shell adding tool meets the preset requirement.
6. The detection method according to claim 1, further comprising performing a configuration operation on the shelling tool, the configuration operation comprising:
generating a shell option configuration file corresponding to the test sample by using a script;
determining a file name and an output file name of the test sample;
and constructing a test environment of the test sample based on an operating system.
7. The detection method according to claim 6, wherein the shelling operation comprises:
and distributing the test sample to a constructed test environment through a scheduling program, and using a script command to run a shell adding tool so as to add the shell to the test sample.
8. A detection apparatus for a shelling tool, comprising:
a shell adding module configured to perform a shell adding operation on the test sample by using the configured shell adding tool;
an execution module configured to run the test sample after the shell adding operation, and generate a corresponding first log file based on related information of a first running result, wherein the related information of the first running result is first related information and includes at least one of the following: the running path and the running logic of the test sample after shell adding, and the running times of at least one function in the test sample;
a processing module, configured to compare a first log file with a second log file to determine whether the shelling tool meets a preset requirement, where the second log file is a file generated based on related information of a second operation result, and the test sample has a second operation result after being operated before shelling is performed, and the related information of the second operation result includes at least one of: the running path and the running logic of the test sample before shell adding and the running times of the function in the test sample.
9. The detection device of claim 8, wherein the execution module is further configured to:
running the test sample after the shell adding operation, and at least obtaining a first function call path of the test sample and first information stored in a preset storage area;
and generating the first log file at least based on the first function call path and the first information.
10. A computer-readable storage medium having stored therein instructions that, when executed on a computer, perform the steps of:
performing shell adding operation on the test sample by using the configured shell adding tool;
running the test sample after the shell adding operation, and generating a corresponding first log file based on related information of a first running result, wherein the related information of the first running result is first related information and comprises at least one of the following: the running path and the running logic of the test sample after shell adding, and the running times of at least one function in the test sample;
comparing the first log file with a second log file to determine whether the shelling tool meets a preset requirement, wherein the second log file is a file generated by running the test sample without shelling and based on related information of a second running result, the test sample has the second running result after running before shelling, and the related information of the second running result includes at least one of the following: the running path and the running logic of the test sample before shell adding and the running times of the function in the test sample.
CN202011517740.4A 2020-12-21 2020-12-21 Detection method and equipment for shell adding tool Active CN112527672B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011517740.4A CN112527672B (en) 2020-12-21 2020-12-21 Detection method and equipment for shell adding tool

Publications (2)

Publication Number Publication Date
CN112527672A CN112527672A (en) 2021-03-19
CN112527672B true CN112527672B (en) 2021-10-22

Family

ID=75002015

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee after: Beijing Shendun Technology Co.,Ltd.

Address before: 100193 5th floor 510, No. 5 Building, East Yard, No. 10 Wangdong Road, Northwest Haidian District, Beijing

Patentee before: BEIJING SENSESHIELD TECHNOLOGY Co.,Ltd.