CN112580040A - Method and device for shelling file shell, storage medium and electronic device - Google Patents


Info

Publication number
CN112580040A
CN112580040A (application CN201910945337.2A)
Authority
CN
China
Prior art keywords
shell
file
algorithm
shelling
target file
Prior art date
Legal status
Granted
Application number
CN201910945337.2A
Other languages
Chinese (zh)
Other versions
CN112580040B (en
Inventor
吕群
Current Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Original Assignee
Qianxin Technology Group Co Ltd
Qianxin Safety Technology Zhuhai Co Ltd
Application filed by Qianxin Technology Group Co Ltd and Qianxin Safety Technology Zhuhai Co Ltd
Priority to CN201910945337.2A
Publication of CN112580040A
Application granted
Publication of CN112580040B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements; eliminating virus, restoring damaged files
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides a method and device for removing a file shell, a storage medium and an electronic device. The method comprises the following steps: identifying the shell type of a target file; removing the shell from the target file according to the shell type to obtain an unshelled file; and repairing the unshelled file to obtain the original file. The invention solves the technical problem in the related art that only a single type of shelled file can be restored, improves the identification rate and detection rate of shelled files, and at the same time reduces the network risk posed by virus and Trojan files disguised with a shell.

Description

Method and device for shelling file shell, storage medium and electronic device
Technical Field
The invention relates to the field of network security, and in particular to a method and device for removing a file shell, a storage medium and an electronic device.
Background
In the related art, a shell (a packer) is a program segment wrapped around the original program of a file and is generally used for file variation, compression, encryption and the like. Because a shell has been added, a virus becomes smaller and easier to spread, and its code is also distorted so as to evade identification by antivirus software.
Shells include protective shells and the like. In the related art, a protective shell is a code protection technique that keeps a virus from being identified by antivirus software. Detecting and removing a protected virus therefore generally takes two steps: 1. identifying the shell; 2. removing the shell. Shelling tools in the related art are generally built to identify a fixed set of shells, so they can only detect and remove shells of those fixed types, cannot identify shells of other families, and to a certain degree produce identification errors.
In view of the above problems in the related art, no effective solution has been found at present.
Disclosure of Invention
The embodiments of the invention provide a method and device for removing a file shell, a storage medium and an electronic device.
According to an embodiment of the present invention, there is provided a method for removing a file shell, including: identifying the shell type of a target file; removing the shell from the target file according to the shell type to obtain an unshelled file; and repairing the unshelled file to obtain the original file.
Optionally, removing the shell from the target file according to the shell type includes: looking up the shell adding rule corresponding to the shell type in preset shell table data; and performing inverse processing on the target file according to the shell adding rule.
Optionally, performing inverse processing on the target file according to the shell adding rule includes: determining the starting position of the shell data segment in the target file and the shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm; locating the shell code in the target file based on the starting position, and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm.
Optionally, repairing the unshelled file includes: determining the missing program of the unshelled file; and acquiring the missing program from a preset database and repairing the unshelled file with the missing program.
Optionally, identifying the shell type of the target file includes: detecting a family identifier of the file shell of the target file; when the family identifier is detected, detecting the shell code of the file shell; and identifying the shell type of the file shell according to the shell code.
According to another embodiment of the present invention, there is provided a device for removing a file shell, including: an identification module for identifying the shell type of a target file; a shelling module for removing the shell from the target file according to the shell type to obtain an unshelled file; and a repair module for repairing the unshelled file to obtain the original file.
Optionally, the shelling module includes: a lookup unit for looking up the shell adding rule corresponding to the shell type in preset shell table data; and a processing unit for performing inverse processing on the target file according to the shell adding rule.
Optionally, the processing unit includes: a determining subunit for determining the starting position of the shell data segment in the target file and the shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm; and a restoring subunit for locating the shell code in the target file based on the starting position and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm.
Optionally, the repair module includes: a determining unit configured to determine the missing program of the unshelled file; and a repairing unit for acquiring the missing program from a preset database and repairing the unshelled file with the missing program.
Optionally, the identification module includes: a first detection unit for detecting a family identifier of the file shell of the target file; a second detection unit for detecting the shell code of the file shell when the family identifier is detected; and an identification unit for identifying the shell type of the file shell according to the shell code.
According to a further embodiment of the present invention, there is also provided a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
According to yet another embodiment of the present invention, there is also provided an electronic device, including a memory in which a computer program is stored and a processor configured to execute the computer program to perform the steps in any of the above method embodiments.
According to the method and device, the shell type of the target file is identified, the shell is then removed from the target file according to the shell type to obtain an unshelled file, and the unshelled file is finally repaired to obtain the original file. Files with various kinds and variants of disguise can thus be identified and restored, which solves the technical problem in the related art that only a single type of shelled file can be restored, improves the identification rate and detection rate of shelled files, and at the same time reduces the network risk posed by virus and Trojan files disguised with a shell.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
fig. 1 is a block diagram of the hardware configuration of a computer for removing a file shell according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for removing a file shell according to an embodiment of the present invention;
fig. 3 is a block diagram of the structure of a device for removing a file shell according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions better understood by those skilled in the art, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only partial embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application. It should be noted that the embodiments and features of the embodiments in the present application may be combined with each other without conflict.
It should be noted that the terms "first," "second," and the like in the description and claims of this application and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
The method provided by embodiment one of the present application may be executed on a mobile terminal, a processor, a server, a computer or a similar computing device. Taking execution on a computer as an example, fig. 1 is a block diagram of the hardware structure of a computer for removing a file shell according to an embodiment of the present invention. As shown in fig. 1, computer 10 may include one or more (only one shown in fig. 1) processors 102 (processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 for storing data, and optionally may also include a transmission device 106 for communication functions and an input-output device 108. It will be appreciated by those of ordinary skill in the art that the configuration shown in FIG. 1 is illustrative only and is not intended to limit the configuration of the computer described above. For example, computer 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
The memory 104 may be used to store a computer program, for example, a software program and a module of application software, such as a computer program corresponding to a file shell shelling method in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by executing the computer program stored in the memory 104, so as to implement the method described above. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to computer 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of such networks may include wireless networks provided by the communications provider of computer 10. In one example, the transmission device 106 includes a Network adapter (NIC), which can be connected to other Network devices through a base station so as to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In this embodiment, a method for removing a file shell is provided. Fig. 2 is a flowchart of a method for removing a file shell according to an embodiment of the present invention; as shown in fig. 2, the flow includes the following steps:
step S202, identifying the shell type of the target file;
The target file of this embodiment may be a file to be processed in any format, such as a program, text, an executable file (.exe) or command file (.com), a resource in an unknown format, and the like, where the target file carries a shell. A file shell may be a protective shell, a compression shell, an encryption shell, a virtualization shell or the like applied to the original code, and is a program segment attached to the program.
Step S204, removing the shell from the target file according to the shell type to obtain an unshelled file;
The principle of shell adding in this embodiment is to compress the unshelled program and then wrap a layer of shell code around the compressed code, while optionally also encrypting and disguising the shell; shell removal is the inverse of the shell adding process.
And step S206, repairing the unshelled file to obtain the original file.
When a shelled file is executed normally, the system hands control to the shell, which decompresses or decrypts the program code by the inverse of the original compression or encryption; once decompression or decryption is complete, the shell hands control to the program, which then runs. Because some shelled files are unknown or dangerous, executing them directly may cause network security problems, so in the solution of this embodiment the system itself performs the shell removal and obtains the original file. The original file is an executable file.
Through the above steps, the shell type of the target file is identified, the shell is then removed from the target file according to the shell type to obtain an unshelled file, and the unshelled file is finally repaired to obtain the original file, so that files with various kinds and variants of disguise can be identified and restored.
In one implementation of this embodiment, removing the shell from the target file according to the shell type includes:
S11, looking up the shell adding rule corresponding to the shell type in preset shell table data;
and S12, performing inverse processing on the target file according to the shell adding rule.
The preset shell table data of this embodiment holds the shell adding rule information of various shells. Taking a compression shell as an example, it stores for each shell the starting range of the compressed data segment, the size of the compressed data segment, the compression algorithm, and the like.
In an optional implementation of this embodiment, performing inverse processing on the target file according to the shell adding rule includes: determining the starting position of the shell data segment in the target file and the shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm; locating the shell code in the target file based on the starting position, and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm. Optionally, each shell adding algorithm and each shell removing algorithm corresponds to an MD5 value, and the corresponding algorithm can be looked up in the algorithm library through that MD5 value.
For a compression shell, the starting position of the original file is located through the file characteristics of the target file, the original file and the appended code are extracted for restoration, and the data is decrypted and decompressed. Alternatively, the shell code is cut out, decrypted and removed, and the remaining data is then decompressed.
Optionally, for some target files, removing the shell may damage the original file and leave it non-executable, so the scheme of this embodiment further repairs the unshelled file, including: determining the missing program of the unshelled file; and acquiring the missing program from a preset database and repairing the unshelled file with the missing program. The missing program includes execution instructions originally stored in the shell code, the DOS (disk operating system) header, and the signature. In addition, repairing the unshelled file also includes modifying the program check code (checksum) of the original file, and the like.
In some cases the unshelled file may still be encrypted, or compressed according to a predetermined algorithm, and must be decrypted and decompressed. The decryption algorithm and decompression algorithm correspond to the shell type. In a normal shelled file the shell code contains the decryption and decompression algorithms, but the shell code of some virus Trojans (shelled files) also contains illegal execution instructions. The system's own decryption and decompression algorithms are therefore used directly to recover the shelled file, rather than executing the shell's code, which improves the safety and reliability of handling shelled files.
This embodiment can identify the shell type of the target file in several ways, including: detecting a family identifier of the file shell of the target file; when the family identifier is detected, detecting the shell code of the file shell; and identifying the shell type of the file shell according to the shell code. The family identifier of the file shell in this embodiment characterizes the family to which the shell belongs, and corresponds to the developer, provider, development language, shell adding tool and the like of the shell, such as a JS shell, a RAR shell, an APK shell and the like; the shell code is the content of the file shell.
Detecting the family identifier of the file shell of the target file includes: identifying the portable executable (PE) structure of the target file; and detecting the family identifier of the file shell in the sections of the PE file according to the PE structure.
Detecting the family identifier of the file shell of the target file further includes: scanning the feature codes (signatures) of the target file; judging whether a feature code matches a configuration file, wherein the configuration file contains the family features of a plurality of file families; when the feature code matches the family feature of a first family in the configuration file, determining the feature code to be the family identifier of the file shell; and when the feature code does not match the family feature of the first family, polling and matching the family features of the second family, the third family and so on in the configuration file in turn, until the feature code has been found to match none of the family features of all file families in the configuration file.
In addition, when the target file is a known file, it can be identified through the label information and shell information (such as the encryption algorithm and compression algorithm used by the shell) carried by the target file.
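The PE-section and signature-polling identification described above, as an added worked example that is not part of the patent or its assignee's code. The section-table offsets are those of the PE/COFF format, and the UPX0/UPX1 section names and "UPX!" magic are UPX's real markers; the ToyShell family, its one-byte variant tags and the shape of the configuration list are constructed for this example, since the patent does not describe the configuration file format. The target file is never executed; only its section table and section bytes are read.

```python
import struct

# Section-table walker for the PE structure the description refers to.
# Offsets follow the PE/COFF format: e_lfanew at 0x3C, "PE\0\0", a 20-byte
# COFF header, the optional header, then 40-byte section headers.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data):
    """Return [(name, raw_bytes)] for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    pos = coff + 20 + opt_size
    sections = []
    for _ in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = SECTION_HDR.unpack_from(data, pos)[:5]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         data[raw_ptr:raw_ptr + raw_size]))
        pos += SECTION_HDR.size
    return sections


# Configuration file of family features, polled in order. UPX's section names
# and "UPX!" magic are real; "ToyShell" is a constructed family whose shell
# code carries its magic followed by a one-byte variant tag (also constructed).
FAMILY_CONFIG = [
    {"family": "UPX", "sections": {"UPX0", "UPX1"}, "shell_section": "UPX1",
     "magic": b"UPX!", "variants": {}},
    {"family": "ToyShell", "sections": {".toy"}, "shell_section": ".toy",
     "magic": b"TOYSHELL", "variants": {b"Z": "ToyShell-zlib", b"L": "ToyShell-lzma"}},
]


def identify_shell_type(data):
    """(family, shell_type) of the shell on `data`, or (None, None) when no
    family feature in FAMILY_CONFIG matches after polling every family."""
    sections = dict(parse_sections(data))
    for rule in FAMILY_CONFIG:
        if not rule["sections"].issubset(sections):
            continue                      # section layout does not fit this family
        shell_code = sections[rule["shell_section"]]
        at = shell_code.find(rule["magic"])
        if at < 0:
            continue                      # family feature absent: poll the next family
        tag = shell_code[at + len(rule["magic"]):at + len(rule["magic"]) + 1]
        return rule["family"], rule["variants"].get(tag, rule["family"])
    return None, None


def build_pe(sections):
    """Constructed minimal PE32 image (zeroed optional header) used as test input."""
    opt_size, e_lfanew, align = 0xE0, 0x40, 0x200
    raw_off = -(-(e_lfanew + 24 + opt_size + 40 * len(sections)) // align) * align
    table, blobs = b"", b""
    for i, (name, raw) in enumerate(sections):
        padded = raw + b"\0" * (-len(raw) % align)
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(raw), 0x1000 * (i + 1),
                                  len(padded), raw_off + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += padded
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    head = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    return head + b"\0" * (raw_off - len(head)) + blobs
```

Because the configuration is polled in order, the most specific or most common families should be listed first; a file that matches no entry falls through to (None, None), which a scanner should treat as "unknown shell or no shell", not as clean.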
In this embodiment, the principle of every shell is the same: an unshelled program is first compressed and then a layer of shell code is wrapped around the compressed code; that is the shell adding process, and shell removal is its inverse. For shell removal, this embodiment maintains a shell table data structure within the system that stores, for each shell, the starting range, size and compression algorithm of the compressed data segment. With this information, which shell is present is determined by looking it up in the shell table; the shell table data for that shell is then retrieved and used to restore the compressed (and encrypted) code; the PE (Windows executable) file is then repaired and rebuilt; and the shell removal is complete.
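The shell table lookup, inverse processing and repair steps described in the Disclosure and in the paragraphs above (S11, S12 and the repair of the unshelled file), as an added worked example that is not part of the patent or its assignee's code. The shell format (a 24-byte stub followed by a zlib-compressed, XOR-encrypted data segment), the two shell types, the algorithm names hashed to produce the MD5 values, and the standard DOS header kept in the repair database are all constructed for this example; the patent specifies none of them, and the program check code fix it mentions is not shown. The example makes the point the description makes: the unpacker never executes the target's own shell code but applies the system's own inverse algorithms from the algorithm library, so a rule that does not fit the file fails closed instead of running anything.

```python
import hashlib
import zlib


def xor_stream(data, key):
    """Repeating-key XOR (constructed cipher); it is its own inverse, so it
    serves as both the encrypt and the decrypt algorithm of the toy shell."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def algorithm_id(name):
    """The description keys algorithms by an MD5 value; here it is the MD5 of a
    constructed algorithm name."""
    return hashlib.md5(name.encode()).hexdigest()


# Algorithm library: MD5 value -> callable implementing the algorithm.
ALGORITHM_LIBRARY = {
    algorithm_id("compress:zlib"): zlib.compress,
    algorithm_id("decompress:zlib"): zlib.decompress,
    algorithm_id("encrypt:xor"): xor_stream,
    algorithm_id("decrypt:xor"): xor_stream,
}


def shell_rule(key):
    """One shell adding rule: start of the data segment, algorithms, key."""
    return {"data_start": 24, "key": key, "strips_dos_header": True,
            "compress": algorithm_id("compress:zlib"), "decompress": algorithm_id("decompress:zlib"),
            "encrypt": algorithm_id("encrypt:xor"), "decrypt": algorithm_id("decrypt:xor")}


# Preset shell table (constructed): both types share the layout and differ
# only in key, so applying the wrong type's rule yields a decompression error.
SHELL_TABLE = {"ToyShell-zlib": shell_rule(b"\x5a\xa5\x3c"),
               "ToyShell-zlib-v2": shell_rule(b"\x11\x22\x33")}

# Preset database for the repair step: the 64-byte DOS header the packer strips
# (constructed; e_lfanew = 0x40, the same standard header assumed for both types).
STANDARD_DOS_HEADER = b"MZ" + b"\x90" * 58 + (0x40).to_bytes(4, "little")
REPAIR_DATABASE = {t: {"dos_header": STANDARD_DOS_HEADER} for t in SHELL_TABLE}


def add_shell(original, shell_type):
    """Constructed packer: drop the DOS header, compress, encrypt, prepend a stub."""
    rule = SHELL_TABLE[shell_type]
    body = original[64:] if rule["strips_dos_header"] else original
    segment = ALGORITHM_LIBRARY[rule["encrypt"]](
        ALGORITHM_LIBRARY[rule["compress"]](body), rule["key"])
    stub = (b"SHELL:" + shell_type.encode()).ljust(rule["data_start"], b"\0")
    return stub + segment


def remove_shell(target, shell_type):
    """S11/S12: look up the rule and apply the inverse algorithms in reverse order
    (decrypt, then decompress). The target's own stub bytes are never executed."""
    rule = SHELL_TABLE[shell_type]
    segment = target[rule["data_start"]:]
    plain = ALGORITHM_LIBRARY[rule["decrypt"]](segment, rule["key"])
    try:
        return ALGORITHM_LIBRARY[rule["decompress"]](plain)
    except zlib.error as exc:
        raise ValueError(f"shell table rule for {shell_type!r} does not fit this target") from exc


def repair(unshelled, shell_type):
    """Repair step: restore what the packer removed, taken from the preset database."""
    missing = REPAIR_DATABASE[shell_type]
    if SHELL_TABLE[shell_type]["strips_dos_header"] and not unshelled.startswith(b"MZ"):
        unshelled = missing["dos_header"] + unshelled
    return unshelled


def unshell(target, shell_type):
    return repair(remove_shell(target, shell_type), shell_type)


def rule_fits(target, shell_type):
    """True when the rule for shell_type can restore the target at all."""
    try:
        remove_shell(target, shell_type)
        return True
    except ValueError:
        return False
```

In practice the shell type passed to unshell() comes from the identification step; rule_fits() shows why a misidentified type is harmless here: the wrong key produces a byte stream zlib rejects, and nothing from the target has been run.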
According to this embodiment, virus Trojans can be unshelled and their code restored, which improves the ability of antivirus software to detect and remove Trojan viruses. The method can remove the shells of various existing files and works well for restoring virus code.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
In this embodiment, a device for removing a file shell is further provided, which is used to implement the foregoing embodiments and preferred embodiments; what has already been described is not repeated. As used below, the term "module" may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 3 is a block diagram of the structure of a device for removing a file shell according to an embodiment of the present invention. As shown in fig. 3, the device includes an identification module 30, a shelling module 32 and a repair module 34, wherein:
the identification module 30 is used for identifying the shell type of the target file;
the shelling module 32 is configured to remove the shell from the target file according to the shell type to obtain an unshelled file;
and the repair module 34 is configured to repair the unshelled file to obtain the original file.
Optionally, the shelling module includes: a lookup unit for looking up the shell adding rule corresponding to the shell type in preset shell table data; and a processing unit for performing inverse processing on the target file according to the shell adding rule.
Optionally, the processing unit includes: a determining subunit for determining the starting position of the shell data segment in the target file and the shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm; and a restoring subunit for locating the shell code in the target file based on the starting position and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm.
Optionally, the repair module includes: a determining unit configured to determine the missing program of the unshelled file; and a repairing unit for acquiring the missing program from a preset database and repairing the unshelled file with the missing program.
Optionally, the identification module includes: a first detection unit for detecting a family identifier of the file shell of the target file; a second detection unit for detecting the shell code of the file shell when the family identifier is detected; and an identification unit for identifying the shell type of the file shell according to the shell code.
It should be noted that, the above modules may be implemented by software or hardware, and for the latter, the following may be implemented, but not limited to: the modules are all positioned in the same processor; alternatively, the modules are respectively located in different processors in any combination.
Example 3
Embodiments of the present invention also provide a storage medium having a computer program stored therein, wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the storage medium may be configured to store a computer program for executing the steps of:
s1, identifying the shell type of the target file;
s2, removing the shell from the target file according to the shell type to obtain an unshelled file;
and S3, repairing the unshelled file to obtain the original file.
Optionally, in this embodiment, the storage medium may include, but is not limited to: various media capable of storing computer programs, such as a usb disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Embodiments of the present invention also provide an electronic device comprising a memory having a computer program stored therein and a processor arranged to run the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, identifying the shell type of the target file;
s2, removing the shell from the target file according to the shell type to obtain an unshelled file;
and S3, repairing the unshelled file to obtain the original file.
Optionally, the specific examples in this embodiment may refer to the examples described in the above embodiments and optional implementation manners, and this embodiment is not described herein again.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present application, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the essence of the technical solution of the present application, the part of it that contributes to the prior art, or all or part of the technical solution may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other media capable of storing program code.
The foregoing is only a preferred embodiment of the present application. It should be noted that those skilled in the art can make several improvements and modifications without departing from the principle of the present application, and these improvements and modifications should also be considered within the protection scope of the present application.

Claims (10)

1. A method of unshelling a file shell, comprising:
identifying a shell type of a target file;
unshelling the target file according to the shell type to obtain an unshelled file;
and repairing the unshelled file to obtain an original file.
2. The method of claim 1, wherein unshelling the target file according to the shell type comprises:
searching preset shell table data for a shell adding rule corresponding to the shell type;
and deserializing the target file according to the shell adding rule.
3. The method of claim 2, wherein deserializing the target file according to the shell adding rule comprises:
determining a starting position of a shell data segment in the target file and a shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm;
locating a shell code in the target file based on the starting position, and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm.
4. The method of claim 1, wherein repairing the unshelled file comprises:
determining a program missing from the unshelled file;
and acquiring the missing program from a preset database, and repairing the unshelled file with the missing program.
5. The method of claim 1, wherein identifying the shell type of the target file comprises:
detecting a family identifier of the file shell of the target file;
detecting a shell code of the file shell when the family identifier is detected;
and identifying the shell type of the file shell according to the shell code.
6. An apparatus for unshelling file shells, comprising:
an identification module for identifying the shell type of a target file;
an unshelling module for unshelling the target file according to the shell type to obtain an unshelled file;
and a repairing module for repairing the unshelled file to obtain an original file.
7. The apparatus of claim 6, wherein the unshelling module comprises:
a searching unit for searching preset shell table data for a shell adding rule corresponding to the shell type;
and a processing unit for deserializing the target file according to the shell adding rule.
8. The apparatus of claim 7, wherein the processing unit comprises:
a determining subunit for determining a starting position of a shell data segment in the target file and a shell adding algorithm, wherein the shell adding algorithm comprises an encryption algorithm and a compression algorithm;
and a restoring subunit for locating a shell code in the target file based on the starting position and restoring the target file through a shell removing algorithm, wherein the shell removing algorithm is the inverse of the shell adding algorithm.
9. A storage medium in which a computer program is stored, wherein the computer program is arranged to perform the method of any of claims 1 to 5 when executed.
10. An electronic device comprising a memory and a processor, wherein the memory has stored therein a computer program, and wherein the processor is arranged to execute the computer program to perform the method of any of claims 1 to 5.
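The following is a worked illustration of the pipeline in claims 1 to 5, written for this page as added example code; it is not code from the patent or from the applicant. It models the "preset shell table data" as a lookup keyed on the family identifier and shell code, the "shell adding algorithm" as XOR encryption followed by zlib compression, the "shell removing algorithm" as those steps run in reverse, and the "preset database" of claim 4 as a map of header bytes the packer strips. The "toypack" format, its family identifier, shell codes, key, and the sample program body are all constructed for the example.

```python
import struct
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PackingRule:
    """One row of the preset shell table data (claims 2-3)."""
    family: str
    data_offset: int   # starting position of the shell data segment
    encryption: str    # "xor" or "none": first half of the shell adding algorithm
    compression: str   # "zlib" or "none": second half of the shell adding algorithm
    key: bytes


# Constructed shell table: (family identifier, shell code) -> packing rule.
# Constructed "toypack" header layout: 4-byte family id, 1-byte shell code,
# 4-byte little-endian body length, then the shell data segment.
HEADER_LEN = 9
SHELL_TABLE = {
    (b"TOYP", 1): PackingRule("toypack-xor-zlib", HEADER_LEN, "xor", "zlib", b"\x5a"),
    (b"TOYP", 2): PackingRule("toypack-zlib", HEADER_LEN, "none", "zlib", b""),
}

# Constructed repair database (claim 4): the part the packer strips from the
# original, so the bare unshelled body is not usable until it is restored.
REPAIR_DB = {
    "toypack-xor-zlib": b"MZ",
    "toypack-zlib": b"MZ",
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so one routine serves packing and unpacking."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def identify_shell(target: bytes) -> PackingRule:
    """Claim 5: detect the family identifier, then the shell code, then the shell type."""
    if len(target) < HEADER_LEN:
        raise ValueError("too short to carry a shell header")
    family_id = target[:4]
    if not any(fid == family_id for fid, _ in SHELL_TABLE):
        raise ValueError("no known family identifier")
    shell_code = target[4]
    rule = SHELL_TABLE.get((family_id, shell_code))
    if rule is None:
        raise ValueError(f"unknown shell code {shell_code} for family {family_id!r}")
    # Check the declared segment length before trusting the rule on this file.
    (body_len,) = struct.unpack_from("<I", target, 5)
    if body_len != len(target) - rule.data_offset:
        raise ValueError("shell data segment length does not match the file")
    return rule


def unshell(target: bytes, rule: PackingRule) -> bytes:
    """Claims 2-3: locate the segment at its start position and invert the packing."""
    segment = target[rule.data_offset:]
    # The shell removing algorithm applies the shell adding steps in reverse order.
    if rule.encryption == "xor":
        segment = xor_bytes(segment, rule.key)
    if rule.compression == "zlib":
        segment = zlib.decompress(segment)
    return segment


def repair(unshelled: bytes, rule: PackingRule) -> bytes:
    """Claim 4: determine what is missing and restore it from the preset database."""
    missing = REPAIR_DB[rule.family]
    return unshelled if unshelled.startswith(missing) else missing + unshelled


def unpack(target: bytes) -> bytes:
    """The claim 1 pipeline end to end: identify, unshell, repair."""
    rule = identify_shell(target)
    return repair(unshell(target, rule), rule)


def toy_pack(original: bytes, family_id: bytes, shell_code: int) -> bytes:
    """Constructed packer, used only to build sample input for the unpacker."""
    rule = SHELL_TABLE[(family_id, shell_code)]
    body = original[len(REPAIR_DB[rule.family]):]  # the packer strips the header
    if rule.compression == "zlib":
        body = zlib.compress(body)
    if rule.encryption == "xor":
        body = xor_bytes(body, rule.key)
    return family_id + bytes([shell_code]) + struct.pack("<I", len(body)) + body


# Constructed stand-in for an original program: a magic prefix plus padding.
ORIGINAL = b"MZ" + b"\x90" * 64 + b"constructed original program body"

if __name__ == "__main__":
    packed = toy_pack(ORIGINAL, b"TOYP", 1)
    print(f"packed {len(ORIGINAL)} -> {len(packed)} bytes; round trip ok: {unpack(packed) == ORIGINAL}")
```

The length check in `identify_shell` is the part a practitioner most often omits: a rule found in the table only says how a family packs, not that this particular file is intact, so a truncated or tampered segment is rejected before the inverse algorithm is run on it.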
CN201910945337.2A 2019-09-30 2019-09-30 Method and device for unshelling file shell, storage medium and electronic device Active CN112580040B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910945337.2A CN112580040B (en) 2019-09-30 2019-09-30 Method and device for unshelling file shell, storage medium and electronic device

Publications (2)

Publication Number Publication Date
CN112580040A true CN112580040A (en) 2021-03-30
CN112580040B CN112580040B (en) 2023-07-04

Family

ID=75117046

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910945337.2A Active CN112580040B (en) 2019-09-30 2019-09-30 Method and device for unshelling file shell, storage medium and electronic device

Country Status (1)

Country Link
CN (1) CN112580040B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113238884A (en) * 2021-05-06 2021-08-10 国家计算机网络与信息安全管理中心 Firmware file detection method and device, electronic equipment and storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831343A (en) * 2012-07-27 2012-12-19 北京奇虎科技有限公司 Target program processing method, processing device and cloud service equipment
CN102855440A (en) * 2012-09-13 2013-01-02 北京奇虎科技有限公司 Method, device and system for detecting packed executable files
CN108073815A (en) * 2017-12-29 2018-05-25 哈尔滨安天科技股份有限公司 Family's determination method, system and storage medium based on code slice
CN110135159A (en) * 2019-04-18 2019-08-16 上海交通大学 The identification of malicious code shell and static hulling method and system

Non-Patent Citations (8)

* Cited by examiner, † Cited by third party
Title
刘亮; 刘露平; 何帅; 刘嘉勇: "A multi-feature static labeling method for malicious code families", 信息安全研究, no. 04, pages 44-50 *
朱信宇 et al.: "A survey of malicious code unpacking techniques", 《通信技术》, 31 August 2017 (2017-08-31), pages 1768-1774 *
李露 et al.: "Research on unpacking techniques in PE files", 《计算机应用与软件》, no. 09, 15 September 2010 (2010-09-15) *
郭文 et al.: "Research on a dynamic generic unpacking method for Windows malicious code", 《四川大学学报(自然科学版)》, no. 02, 20 March 2018 (2018-03-20) *
陈勤; 贾琳飞; 张蔚: "Research on software protection methods based on code-shell interaction technology", 计算机工程与科学, no. 12, pages 40-41 *

Also Published As

Publication number Publication date
CN112580040B (en) 2023-07-04

Similar Documents

Publication Publication Date Title
CN109711171B (en) Method, device and system for positioning software bugs, storage medium and electronic device
US8479291B1 (en) Systems and methods for identifying polymorphic malware
CN105426708B (en) A kind of reinforcement means of the application program of android system
US10387648B2 (en) Ransomware key extractor and recovery system
CN104318160B (en) The method and apparatus of killing rogue program
CN106919811B (en) File detection method and device
CN108399319B (en) Source code protection method, application server and computer readable storage medium
KR101695639B1 (en) Method and system for providing application security service based on cloud
EP2998902B1 (en) Method and apparatus for processing file
CN108334754B (en) Encryption and decryption method and system for embedded system program
CN109120584B (en) Terminal security protection method and system based on UEFI and WinPE
CN104239795B (en) The scan method and device of file
CN111737718A (en) Encryption and decryption method and device for jar packet, terminal equipment and storage medium
CN112580040B (en) Method and device for unshelling file shell, storage medium and electronic device
CN113132484B (en) Data transmission method and device
CN109284590B (en) Method, equipment, storage medium and device for access behavior security protection
CN112035803B (en) Protection method and device based on Windows platform software
CN109284608B (en) Method, device and equipment for identifying Legionella software and safety processing method
CN107145342B (en) Method and device for processing channel information of application
CN109145599B (en) Protection method for malicious viruses
CN115794683A (en) Method, device and equipment for protecting upper electric writing and storage medium
CN107403103B (en) File decryption method and device
CN112580032B (en) File shell identification method and device, storage medium and electronic device
CN111695113B (en) Terminal software installation compliance detection method and device and computer equipment
CN112583773B (en) Unknown sample detection method and device, storage medium and electronic device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant