CN113127418A - File detection method, device, terminal and storage medium - Google Patents

Publication number
CN113127418A
Authority
CN
China
Prior art keywords
file
characteristic value
application program
target application
loaded
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201911390046.8A
Other languages
Chinese (zh)
Other versions
CN113127418B (en)
Inventor
韩帅
闻迪桉
傅建明
刘畅
邱若男
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University WHU
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Wuhan University WHU
Guangdong Oppo Mobile Telecommunications Corp Ltd
Application filed by Wuhan University WHU, Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority to CN201911390046.8A
Publication of CN113127418A
Application granted
Publication of CN113127418B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00: Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10: File systems; File servers
    • G06F16/14: Details of searching files based on file metadata
    • G06F16/148: File search processing
    • G06F16/152: File search processing using file content signatures, e.g. hash values
    • G06F16/16: File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/164: File meta data generation

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Library & Information Science (AREA)
  • Stored Programmes (AREA)

Abstract

The embodiment of the application provides a file detection method, a file detection device, a terminal and a storage medium. The method comprises the following steps: receiving a storage path of a first file transferred by a target application program; when a first file is loaded from a storage path of the first file, acquiring a characteristic value of the first file; if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application program. In the embodiment of the application, whether the loaded file is the file downloaded from the network in the running process of the application program can be detected in real time, so that a basis is provided for subsequent security detection, and the application program can be further guaranteed to run efficiently and safely.

Description

File detection method, device, terminal and storage medium
Technical Field
The embodiment of the application relates to the technical field of terminals, in particular to a file detection method, a file detection device, a file detection terminal and a storage medium.
Background
At present, in order to make an application lighter, part of support files required for running the application are not encapsulated in an installation package of the application, but are stored in a cloud (e.g., a background server corresponding to the application).
In the related art, when the support file stored in the cloud is needed to be used in the running process of the application program, the terminal downloads the required support file from the cloud in real time.
Disclosure of Invention
The embodiment of the application provides a file detection method, a file detection device, a terminal and a storage medium. The technical scheme is as follows:
in a first aspect, a file detection method is provided, where the method includes:
receiving a storage path of a first file transferred by a target application program;
when the first file is loaded from the storage path of the first file, acquiring a characteristic value of the first file;
if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application.
In a second aspect, a file detection apparatus is provided, the apparatus comprising:
the path receiving module is used for receiving a storage path of a first file transmitted by a target application program;
the characteristic value acquisition module is used for acquiring the characteristic value of the first file when the first file is loaded from the storage path of the first file;
the file detection module is used for determining that the first file is a file downloaded from a network in the running process of the target application program if the characteristic value of the second file is not the same as the characteristic value of the first file; wherein the second file is a file included in an installation package of the target application.
In a third aspect, a terminal is provided, where the terminal includes a processor and a memory, and the memory stores at least one instruction, and the instruction is loaded and executed by the processor to implement the file detection method according to the first aspect.
In a fourth aspect, a computer-readable storage medium is provided, in which at least one instruction is stored, the instruction being loaded and executed by a processor to implement the file detection method according to the first aspect.
The technical scheme provided by the embodiment of the application brings at least the following beneficial effects:
When the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If all of the characteristic values of the files included in the installation package differ from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program is a file downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and further ensures the efficient and safe running of the application program.
Drawings
FIG. 1 is a schematic diagram of a file loading flow shown in an exemplary embodiment of the present application;
FIG. 2 is a flow diagram illustrating a file loading process in accordance with an illustrative embodiment of the present application;
FIG. 3 is a flowchart of a file loading method according to another exemplary embodiment of the present application;
FIG. 4 is a block diagram illustrating a file loading apparatus according to an exemplary embodiment of the present application;
FIG. 5 is a block diagram of a terminal according to an exemplary embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application more clear, embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
An application program is usually subjected to security verification during installation, so files stored locally in the terminal are usually secure. Files downloaded from the network while the application program is running, however, are not subjected to security verification, so certain risks exist. Detecting whether a file loaded in the running process of the application program is a file downloaded from the network, and then carrying out targeted security detection, helps ensure that the application program runs efficiently and safely. The related art does not provide such a detection scheme.
According to the technical scheme provided by the embodiment of the application, when the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If all of the characteristic values of the files included in the installation package differ from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program is a file downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and further ensures that the application program runs efficiently and safely.
During the running process of an application program, loading a file generally involves an application (Java) layer, a service (Native) layer and a kernel layer. The embodiment of the application performs file detection on the loaded file at the Native layer, so only the file loading process at the Native layer is explained below, with reference to the function calls at the Native layer shown in FIG. 1.
Step 101, calling the nativeLoad function.
The doLoad function of the Java layer calls the nativeLoad function, and the file loading process enters the Native layer.
Step 102, calling the LoadNativeLibrary function.
When the file loading process enters the Native layer, the Runtime_nativeLoad function calls the JVM_NativeLoad function, which in turn calls the LoadNativeLibrary function. The LoadNativeLibrary function first determines whether the dynamic library file has already been loaded. Specifically, the LoadNativeLibrary function uses libraries->get(path) to obtain library and determines whether library is empty. If library is empty, the dynamic library file has not been loaded, and step 105 is executed.
Step 103, calling the FindSymbol function.
The LoadNativeLibrary function is also used to call the FindSymbol function.
Step 104, calling the JNI_OnLoad function.
The FindSymbol() function looks up the JNI_OnLoad function. If it is not found, this indicates static registration and success is returned directly; otherwise, it indicates dynamic registration through JNI_OnLoad.
Step 105, calling the OpenNativeLibrary function.
The OpenNativeLibrary function is used for opening the dynamic library file and returning a handle of the opened dynamic library file.
Step 106, calling the dlopen function.
The dlopen function is used to load dynamic library files. In particular, it loads the library file into the virtual address space of the calling process, and also loads the other dynamic library files on which that library file depends.
Referring to fig. 2, a flowchart of a file detection method according to an exemplary embodiment of the present application is shown. The method can be applied to an operating system in a terminal. The method comprises the following steps:
step 201, receiving a storage path of a first file transferred by a target application program.
The first file refers to a file loaded during the running process of the target application program. Alternatively, the first file may be a preset type of file. Illustratively, the first file is a shared library (.so) file. The storage path of the first file is the local storage location of the first file in the terminal.
In the embodiment of the application, since the Java layer has already acquired the storage path of the first file when loading the first file, the storage path transferred by the target application program can be received directly, without acquiring it separately.
Step 202, when the first file is loaded from the storage path of the first file, the characteristic value of the first file is obtained.
After the target application program acquires the storage path of the first file, it loads the first file from the storage path. Optionally, the target application loads the first file by calling the dlopen function in the embodiment shown in FIG. 1. The characteristic value of the first file is used to uniquely identify the first file. Optionally, the characteristic value of the first file refers to a hash value of the first file, such as a SHA-256 hash value.
Optionally, the target application acquires the feature value of the first file by:
step 202a, when the first file is loaded, obtaining the running information of the target application program.
The running information of the target application program is used for recording the running process of the target application program. The running information of the target application generally includes the following: stack information, process information, library file information, and the like.
Step 202b, reading the operation parameters from the operation information.
The operating parameters include one or more of the following: stack information, a process identifier of the first process, a process identifier of a parent process of the first process, and a storage path of the first file. It should be noted that the first process refers to a running process, and the parent process of the first process refers to the process that created the first process. The terminal acquires the process identifier of the first process and the process identifier of the parent process of the first process through the getpid function. The storage path of the first file may be obtained from the path parameters.
Step 202c, obtaining the first file according to the operation parameters.
After the target application program obtains the operation parameters, the target application program can only obtain the first file.
Step 202d, calculating a feature value of the first file.
The terminal reads the text content of the first file and then processes the first file with a preset function to obtain the characteristic value of the first file. The preset function may be a hash function. The hash function compresses the text content of the first file into a digest that distinguishes the first file from other files, i.e., the hash value of the first file.
Step 203, if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program.
The second file is a file included in the installation package of the target application. The target application is an application running on the terminal, and may be a system application or a third-party application. Since the system application is generally trusted, in the embodiment of the present application, the target application is only described as a third party application.
If the characteristic value of the second file is the same as that of the first file, it is determined that the first file is not a file downloaded from a network in the running process of the target application program but a file included in the installation package of the target application program.
In the embodiment of the application, when a file is loaded in the running process of an application program (the file is loaded through the dlopen function), monitoring is added to obtain the characteristic value of the file, and whether the file is a file downloaded from a network is detected by comparing the characteristic value of the file with the characteristic values of the files included in the installation package of the application program, so that subsequent security verification can be performed.
Optionally, the terminal detects whether the preset feature value list includes the feature value of the first file. If the preset characteristic value list includes the characteristic value of the first file, it is determined that the characteristic value of the second file is the same as the characteristic value of the first file; if the preset characteristic value list does not include the characteristic value of the first file, it is determined that the characteristic value of the second file is not the same as the characteristic value of the first file.
The preset feature value list includes feature values of the second file. The preset feature value list may include feature values of files included in an installation package of one application program, or may include feature values of files included in installation packages of a plurality of application programs. When the preset characteristic value list comprises the characteristic value of a file included in an installation package of an application program, the terminal firstly obtains the preset characteristic value list corresponding to the target application program, and then detects whether the preset characteristic value list corresponding to the target application program comprises the characteristic value of the first file or not.
To sum up, according to the technical scheme provided in the embodiment of the present application, when the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If all of the characteristic values of the files included in the installation package differ from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program is a file downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and thereby ensures that the application program runs efficiently and safely.
In the above embodiment, it is mentioned that, by comparing whether the feature value of the first file exists in the preset feature value list, it is determined whether the first file is a file downloaded from the network during the running of the target application program. The following explains the acquisition process of the preset feature value list. In an alternative embodiment provided based on the embodiment shown in fig. 2, the file detection method further includes the following steps before step 203.
Step 204, when the target application program is installed, reading the characteristic value of the second file from the specified file included in the installation package of the target application program.
A specified file exists in the installation package of the target application program, and the specified file is used for recording the characteristic values of the files included in the installation package of the target application program. Optionally, the specified file is a MANIFEST.MF file.
Optionally, when the target application program is installed, the feature value of the second file is read from a specified file included in the installation package of the target application program by calling a preset function. Optionally, the preset function is a getmapackageinfo function.
Step 205, storing the characteristic value of the second file into a preset characteristic value list.
The terminal adds the read characteristic value of the second file to the preset characteristic value list. As introduced in step 201, the terminal may read the feature value of the second file through the getmapackageinfo function; the developer may add code implementing a write function to the getmapackageinfo function and store the feature value of the second file into the preset feature value list through that write function, so as to save development cost.
In the embodiment of fig. 2, the preset feature value list may include feature values of files included in an installation package of one application program, or may include feature values of files included in installation packages of a plurality of application programs. When each preset feature value list includes the feature values of files included in the installation package of one application program, there are usually a plurality of preset feature value lists. When the preset feature value list includes the feature values of files included in the installation packages of a plurality of application programs, there is usually one preset feature value list.
A compressed file is a file produced by compression software: the compression software searches for repeated bytes in the original file, builds a dictionary of the repeated bytes, and replaces the repeated bytes with codes to obtain the compressed file. The compressed file may be a file with the suffix jar, apk, or zip.
Because the compressed file differs from the text content of the original file, the characteristic values of the compressed file and the original file are different. When a compressed file is included in the installation package of an application, the specified file usually does not record the characteristic value of the compressed file. In order to make the feature values recorded in the preset feature value list more comprehensive, the file detection method may further include the steps of:
step 206, when the target application program is installed, if the installation package of the target application program includes the compressed file, decompressing the compressed file to obtain a third file.
The decompression process is the inverse of the compression process, i.e., the compressed file is restored to the original file. In the embodiment of the application, the terminal decompresses the compressed file in the installation package of the target application program to obtain a third file.
When the compressed file is a file with the suffix jar or apk, decompressing it yields a plurality of files, which also include a specified file (such as a MANIFEST.MF file) recording the characteristic values of the files included in the compressed file; when the compressed file is a file with the suffix zip, decompressing it yields only one file, and a specified file recording the characteristic value of that file cannot be obtained.
And step 207, acquiring the characteristic value of the third file, and storing the characteristic value of the third file into a preset characteristic value list.
When the compressed file is a file with a suffix name of jar or apk, the feature value of the third file can be directly read from the specified file mentioned in step 206; when the compressed file is a file with a suffix name zip, the characteristic value of the third file may be calculated with reference to the method in step 202. Step 302 may be referred to for storing the feature value of the third file in the preset feature value list, which is not described herein.
According to the technical scheme provided by the embodiment of the application program, the characteristic value of the file included in the installation package of the application program is read and recorded when the application program is installed, so that the characteristic value of the loaded file can be compared with the recorded characteristic value when the file is loaded, the loaded file is determined to be the file downloaded from the network in the running process of the application program, and data support is provided for subsequent file detection.
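The install-time recording (steps 204 to 207) and the load-time comparison (steps 201 to 203) can be sketched as follows. This is an added example, not code from the patent: the function names, the package name `com.example.app` and the sample files are hypothetical and constructed, and the example computes SHA-256 values directly from the package entries instead of reading them from a MANIFEST.MF file.

```python
import hashlib
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".apk", ".zip")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_feature_list(package_bytes: bytes, max_depth: int = 3) -> set:
    """Install time: collect the SHA-256 of every file in the package.

    Nested archives are recorded as stored and also unpacked, so a library
    extracted from an inner archive at run time still matches (steps 206-207).
    max_depth bounds the recursion against deeply nested archives.
    """
    features = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            features.add(sha256_hex(data))
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                try:
                    features |= build_feature_list(data, max_depth - 1)
                except zipfile.BadZipFile:
                    pass  # misnamed entry; its own hash is already recorded
    return features


def classify_loaded_file(path: str, feature_lists: dict, package_name: str) -> str:
    """Load time: hash the file at `path` and compare with the recorded list."""
    features = feature_lists.get(package_name)
    if features is None:
        return "no-feature-list"  # nothing was recorded at install time
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return "packaged" if digest.hexdigest() in features else "downloaded"


def make_zip(entries: dict) -> bytes:
    """Build an in-memory archive for the constructed sample below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    # Constructed sample data: a tiny "installation package" with one library
    # at top level and one inside a nested zip.
    core = b"\x7fELF constructed libcore"
    plugin = b"\x7fELF constructed libplugin"
    apk = make_zip({
        "lib/arm64-v8a/libcore.so": core,
        "assets/plugins.zip": make_zip({"libplugin.so": plugin}),
    })
    feature_lists = {"com.example.app": build_feature_list(apk)}

    loaded = {
        "libcore.so": core,                    # shipped in the package
        "libplugin.so": plugin,                # shipped inside the nested zip
        "libhotfix.so": b"\x7fELF fetched at run time",
        "libcore_patched.so": core + b"\x00",  # packaged file, modified on disk
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in loaded.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as f:
                f.write(data)
            results[name] = classify_loaded_file(path, feature_lists, "com.example.app")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A "downloaded" verdict only means the content matches nothing recorded at install time, so a packaged library modified on disk is reported the same way as a file fetched from the network. The hash should be taken over the same bytes that are subsequently loaded, since the file at a path can be replaced between hashing and loading.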
In a specific example, reference is made to fig. 3 in combination, which shows a schematic diagram of a file detection method according to an embodiment of the present application. The file detection method can comprise the following steps:
step 301, install the application.
Step 302, storing the characteristic value of the file included in the installation package of the application program when the application program is installed.
The MANIFEST.MF file included in the application records the characteristic values of the files included in the installation package of the application.
Step 303, load the first file.
Wherein, loading the first file involves a Java layer, a Native layer and a kernel layer.
Step 304, obtaining the storage path of the first file when the first file is loaded on the Native layer.
Step 305, calculating a characteristic value of the first file.
Step 306, detecting whether the first file is a file downloaded from the network according to the characteristic value of the file included in the installation package of the application program and the characteristic value of the first file.
Since the files downloaded from the network during the operation of the target application are not subjected to security detection, there may be a certain risk. In order to avoid the risk, the terminal may detect the security of the first file after determining that the first file is a file downloaded from the network in the running process of the target application program. In an optional embodiment provided based on the embodiment shown in fig. 2, the file detection method may further include the following steps:
step 401, detecting the first file, and determining the security level of the first file.
The security level of the first file is used to measure the security of the first file. The security level and the security have positive correlation. That is, the higher the security level of the first file, the higher the security of the first file; the lower the security level of the first file, the lower the security of the first file.
Optionally, the terminal determines the security score of the first file first, and then determines the security level corresponding to the scoring area where the security score is located as the security level of the first file. The safety score can be calculated in the following way: the terminal detects the first file from at least one dimension, obtains a safety score corresponding to each dimension according to a detection result corresponding to each dimension, and then weights the safety scores corresponding to the dimensions to obtain the safety score of the first file.
The plurality of dimensions may be: detecting whether the first file is shelled, detecting whether the first file carries a sensitive function, detecting whether the first file carries a malicious program, and the like.
Shelling (packing) a file refers to compressing an executable binary file; the shelled file can be run directly without decompression. After some virus files are shelled, they cannot be identified by antivirus software, so great potential safety hazards exist. A sensitive function is a function capable of a specified capability, where the specified capability may be viewing, obtaining, or using sensitive information, and so forth. A malicious program refers to program code capable of implementing a malicious function, which may be a function of sending a short message, opening a data network, and the like; this is not limited in the embodiments of the present application.
Step 402, when the security level of the first file meets a preset condition, loading the first file to a virtual address space of a second process.
Optionally, the preset condition may be that the security level of the first file reaches a preset level, where the preset level may be set by a user or may be set by a terminal in a user-defined manner. The second process refers to the calling process.
In the embodiment of the application, when the terminal detects that the security level of the first file meets the preset condition, that is, when the first file is identified as a secure file, the subsequent file loading step is executed, so that the situation that the first file is operated when the first file is a malicious file can be avoided, and the security is improved.
To sum up, according to the technical scheme provided by the embodiment of the application, the first file is detected after being determined to be the file downloaded from the network in the operation process of the application program, and the subsequent process is executed under the condition that the safety of the first file is determined, so that the situation that the first file is operated when the first file is a malicious file is avoided, and the safety is improved.
End users grant different permissions to different applications. Some application programs hold sensitive permissions, such as information permission, address list permission, call record permission, etc. Such application programs pose a greater potential safety hazard, so it is more necessary to detect whether the files they load while running are files downloaded from the network. In an optional embodiment provided based on the embodiment shown in fig. 2, before obtaining the feature value of the first file, the file detection method further includes:
Step 403, when the first file is loaded from the storage path of the first file, detecting whether the target application program has a sensitive permission.
A sensitive permission is a permission to access sensitive information. Such sensitive information includes, but is not limited to: location information, address book information, call information, short message content, album content, and the like. Such sensitive permissions include, but are not limited to: location information permissions, microphone permissions, address book permissions, information permissions, call record permissions, camera permissions, and the like. The sensitive permissions can be preset by a user or set by default by the terminal.
Optionally, the terminal stores a correspondence between permissions and application programs. The terminal queries this correspondence to obtain a list of application programs with sensitive permissions, and then detects whether the list includes the target application program. If the application program list includes the target application program, it is determined that the target application program has the sensitive permission; if the application program list does not include the target application program, it is determined that the target application program does not have the sensitive permission.
If the target application program is detected to have the sensitive permission, the characteristic value of the first file is acquired; if the target application program is detected not to have the sensitive permission, the process ends.
An application program with a sensitive permission can acquire the sensitive information of the terminal user, so when such an application program has a potential safety hazard, the sensitive information of the terminal user may be leaked; an application program without sensitive permissions does not cause sensitive information to leak even when it has a potential safety hazard. Therefore, in the embodiment of the application, the detection of whether a loaded file was downloaded from the network is performed only for application programs with sensitive permissions, so that the terminal does not have to detect every application program, and processing resources of the terminal are saved while safety is ensured.
In summary, according to the technical scheme provided by the embodiment of the application, only files loaded in the running process of an application program with a sensitive permission are checked for being downloaded from a network, so that the terminal does not have to detect every application program, and processing resources of the terminal are saved while safety is ensured.
In the following, embodiments of the apparatus of the present application are described, and for portions of the embodiments of the apparatus not described in detail, reference may be made to technical details disclosed in the above-mentioned method embodiments.
Referring to fig. 4, a block diagram of a file detection apparatus according to an exemplary embodiment of the present application is shown. The file detection apparatus may be implemented as all or part of the terminal in software, hardware or a combination of both. The file detection apparatus includes:
The path receiving module 410 is configured to receive a storage path of the first file transferred by the target application.
The characteristic value obtaining module 420 is configured to obtain a characteristic value of the first file when the first file is loaded from the storage path of the first file.
The file detection module 430 is configured to determine that the first file is a file downloaded from a network in the running process of the target application program if the feature value of the second file is not the same as the feature value of the first file; wherein the second file is a file included in an installation package of the target application.
To sum up, according to the technical scheme provided in the embodiment of the present application, when the application program loads a file, the characteristic value of the loaded file is compared with the characteristic values of the files included in the installation package of the application program. If the characteristic values of all files included in the installation package differ from the characteristic value of the loaded file, the loaded file is determined to be a file downloaded from the network in the running process of the application program. Whether a file loaded in the running process of the application program was downloaded from the network can thus be detected in real time, which provides a basis for subsequent security detection and ensures that the application program runs efficiently and safely.
In an alternative embodiment provided based on the embodiment shown in fig. 4, the feature value obtaining module 420 is configured to:
when the first file is loaded, acquiring the running information of the target application program;
reading running parameters from the running information, the running parameters including one or more of the following in combination: a process identifier of a target process, a process identifier of a parent process of the target process, and a storage path of the first file;
acquiring the first file according to the running parameters;
and calculating the characteristic value of the first file.
In an optional embodiment provided based on the embodiment shown in fig. 4, the file detection module 430 is further configured to:
detecting whether a preset characteristic value list comprises a characteristic value of the first file or not, wherein the preset characteristic value list comprises a characteristic value of the second file;
if the preset characteristic value list comprises the characteristic value of the first file, determining that the characteristic value of the second file is the same as the characteristic value of the first file;
if the preset feature value list does not include the feature value of the first file, it is determined that the feature value of the second file is not the same as the feature value of the first file.
Optionally, the apparatus further comprises: a feature value storage module (not shown).
The characteristic value storage module is used for:
when the target application program is installed, reading a characteristic value of the second file from a specified file included in an installation package of the target application program;
and storing the characteristic value of the second file to the preset characteristic value list.
Optionally, the feature value storage module is further configured to:
when the target application program is installed, if the installation package of the target application program comprises a compressed file, decompressing the compressed file to obtain a third file;
and acquiring the characteristic value of the third file, and storing the characteristic value of the third file to the preset characteristic value list.
In an optional embodiment provided based on the embodiment shown in fig. 4, the apparatus further comprises: a security detection module (not shown).
The security detection module is configured to:
detecting the first file, and determining the security level of the first file;
and when the security level of the first file meets a preset condition, loading the first file to a virtual address space of a second process.
In an optional embodiment provided based on the embodiment shown in fig. 4, the apparatus further comprises: a permission detection module (not shown).
The permission detection module is configured to:
detecting whether the target application program has a sensitive permission, wherein the sensitive permission refers to the permission to access sensitive information;
and if the target application program has the sensitive permission, executing the step of acquiring the characteristic value of the first file.
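The install-time list building, the nested-archive handling and the permission gate described above can be sketched together as follows. This is an added example, not code from the patent. It assumes SHA-256 as the characteristic value, hashes the package entries directly instead of reading the values from the specified file, and uses hypothetical permission labels, application names and constructed sample bytes.

```python
from __future__ import annotations
import hashlib
import io
import zipfile

# Hypothetical labels for the sensitive permissions the text lists.
SENSITIVE = {"location", "microphone", "address_book", "information",
             "call_record", "camera"}


def feature_value(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the "characteristic value".
    return hashlib.sha256(data).hexdigest()


def build_feature_list(package: bytes, max_depth: int = 3) -> set[str]:
    """Install-time step: feature values of the packaged (second) files and
    of files unpacked from compressed entries (third files)."""
    values: set[str] = set()
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            values.add(feature_value(data))
            # Bounded recursion so deeply nested archives cannot exhaust the stack.
            if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
                values |= build_feature_list(data, max_depth - 1)
    return values


def check_load(app, data, granted, feature_lists) -> str:
    """Load-time step: permission gate first, then the list lookup."""
    if not granted.get(app, set()) & SENSITIVE:
        return "skipped"       # no sensitive permission: the process ends
    if feature_value(data) in feature_lists.get(app, set()):
        return "packaged"      # same value as a file from the package
    return "downloaded"        # matches no packaged file: flagged


def make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict[str, str]:
    # Constructed sample package with one nested compressed file.
    main = b"constructed main code bytes"
    plugin = b"constructed plugin bytes"
    package = make_zip({"classes.dex": main,
                        "assets/plugins.zip": make_zip({"plugin.dex": plugin})})
    lists = {"com.example.chat": build_feature_list(package),
             "com.example.clock": build_feature_list(package)}
    granted = {"com.example.chat": {"address_book", "camera"},
               "com.example.clock": {"vibrate"}}
    fetched = b"constructed bytes fetched at run time"
    return {
        "main": check_load("com.example.chat", main, granted, lists),
        "nested": check_load("com.example.chat", plugin, granted, lists),
        "fetched": check_load("com.example.chat", fetched, granted, lists),
        "no_permission": check_load("com.example.clock", fetched, granted, lists),
    }


if __name__ == "__main__":
    print(demo())
```

A file the application writes locally at run time also misses the list, so in this sketch "downloaded" strictly means "not shipped in the installation package".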
It should be noted that, when the apparatus provided in the foregoing embodiment implements its functions, the division into the functional modules above is only an example. In practical applications, the functions may be assigned to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus embodiments and the method embodiments provided above belong to the same concept; their specific implementation processes are detailed in the method embodiments and are not repeated here.
Referring to fig. 5, a block diagram of a terminal according to an exemplary embodiment of the present application is shown. A terminal in the present application may include one or more of the following components: a processor 510 and a memory 520.
Processor 510 may include one or more processing cores. The processor 510 connects various parts within the overall terminal using various interfaces and lines, and performs various functions of the terminal and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 520 and calling data stored in the memory 520. Optionally, the processor 510 may be implemented in hardware using at least one of Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA), and Programmable Logic Array (PLA). Processor 510 may integrate one or a combination of a Central Processing Unit (CPU) and a modem. The CPU mainly handles the operating system, application programs and the like; the modem is used to handle wireless communications. It is understood that the modem may not be integrated into the processor 510, but may be implemented by a single chip.
Optionally, the processor 510, when executing the program instructions in the memory 520, implements the file detection method provided by the various method embodiments described above.
The Memory 520 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 520 includes a non-transitory computer-readable medium. The memory 520 may be used to store instructions, programs, code sets, or instruction sets. The memory 520 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function, instructions for implementing the various method embodiments described above, and the like; the data storage area may store data created according to the use of the terminal, and the like.
The structure of the terminal described above is only illustrative. In actual implementation, the terminal may include more or fewer components, such as a camera, and this embodiment does not limit this.
Those skilled in the art will appreciate that the configuration shown in fig. 5 does not limit the terminal 500, which may include more or fewer components than those shown, combine some components, or use a different arrangement of components.
In an exemplary embodiment, a computer-readable storage medium is further provided, in which at least one instruction is stored, and the at least one instruction is loaded and executed by a processor of a terminal to implement the file detection method in the above-described method embodiment. Optionally, the computer-readable storage medium may be a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product is also provided, which, when executed, is adapted to implement the file detection method provided in the above-described method embodiments.
It should be understood that reference to "a plurality" herein means two or more. "And/or" describes the association relationship of the associated objects and means that three relationships may exist; e.g., A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. As used herein, the terms "first," "second," and the like do not denote any order, quantity, or importance, but rather are used to distinguish one element from another.
The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
The above description is only exemplary of the present application and should not be taken as limiting the present application, and any modifications, equivalents, improvements and the like that are made within the spirit and principle of the present application should be included in the protection scope of the present application.

Claims (10)

1. A method for file detection, the method comprising:
receiving a storage path of a first file transferred by a target application program;
when the first file is loaded from the storage path of the first file, acquiring a characteristic value of the first file;
if the characteristic value of the second file is not the same as the characteristic value of the first file, determining that the first file is a file downloaded from a network in the running process of the target application program; wherein the second file is a file included in an installation package of the target application.
2. The method according to claim 1, wherein the obtaining the feature value of the first file comprises:
when the first file is loaded, acquiring the running information of the target application program;
reading running parameters from the running information, the running parameters including one or more of the following in combination: a process identifier of a first process, a process identifier of a parent process of the first process, and a storage path of the first file;
acquiring the first file according to the running parameters;
and calculating the characteristic value of the first file.
3. The method of claim 1, wherein before determining that the first file is a file downloaded from a network during the running of the target application, further comprising:
detecting whether a preset characteristic value list comprises a characteristic value of the first file or not, wherein the preset characteristic value list comprises a characteristic value of the second file;
if the preset characteristic value list comprises the characteristic value of the first file, determining that the characteristic value of the second file is the same as the characteristic value of the first file;
if the preset feature value list does not include the feature value of the first file, it is determined that the feature value of the second file is not the same as the feature value of the first file.
4. The method of claim 3, further comprising:
when the target application program is installed, reading a characteristic value of the second file from a specified file included in an installation package of the target application program;
and storing the characteristic value of the second file to the preset characteristic value list.
5. The method of claim 4, further comprising:
when the target application program is installed, if the installation package of the target application program comprises a compressed file, decompressing the compressed file to obtain a third file;
and acquiring the characteristic value of the third file, and storing the characteristic value of the third file to the preset characteristic value list.
6. The method according to any one of claims 1 to 5, wherein after determining that the first file is a file downloaded from a network during the running of the target application, the method further comprises:
detecting the first file, and determining the security level of the first file;
and when the security level of the first file meets a preset condition, loading the first file to a virtual address space of a second process.
7. The method according to any one of claims 1 to 5, wherein before obtaining the feature value of the first file, the method further comprises:
detecting whether the target application program has a sensitive permission, wherein the sensitive permission refers to the permission to access sensitive information;
and if the target application program has the sensitive permission, executing the step of acquiring the characteristic value of the first file.
8. A file detection apparatus, the apparatus comprising:
the path receiving module is used for receiving a storage path of a first file transmitted by a target application program;
the characteristic value acquisition module is used for acquiring the characteristic value of the first file when the first file is loaded from the storage path of the first file;
the file detection module is used for determining that the first file is a file downloaded from a network in the running process of the target application program if the characteristic value of the second file is not the same as the characteristic value of the first file; wherein the second file is a file included in an installation package of the target application.
9. A terminal, characterized in that it comprises a processor and a memory, said memory storing at least one instruction which is loaded and executed by said processor to implement the file detection method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein at least one instruction, which is loaded and executed by a processor to implement the file detection method of any one of claims 1 to 6.
CN201911390046.8A 2019-12-30 2019-12-30 File detection method, device, terminal and storage medium Active CN113127418B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911390046.8A CN113127418B (en) 2019-12-30 2019-12-30 File detection method, device, terminal and storage medium

Publications (2)

Publication Number Publication Date
CN113127418A true CN113127418A (en) 2021-07-16
CN113127418B CN113127418B (en) 2024-08-27

Family

ID=76767316

Country Status (1)

Country Link
CN (1) CN113127418B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant