CN113467784A - Application program processing method and device and computer readable storage medium - Google Patents

Application program processing method and device and computer readable storage medium

Publication number: CN113467784A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN202110834851.6A
Other languages: Chinese (zh)
Other versions: CN113467784B (en)
Inventor: 章勤杰
Current Assignee: Tencent Technology Chengdu Co Ltd
Original Assignee: Tencent Technology Chengdu Co Ltd
Prior art keywords: target application, application program, function, program, logic

Classifications

    • G06F8/41 Compilation
    • G06F8/53 Decompilation; Disassembly
    • G06F8/61 Installation
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support

Abstract

The application discloses an application program processing method, a device thereof, and a computer-readable storage medium. A virtual environment is run first, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program. The target application program is then run in the virtual environment, and while it runs, the hook function bypasses the certificate verification logic function of the target application program, so that the interaction data between the target application program and the server can be acquired. Because the hook function is placed in the dynamic loading library of the virtual environment, the interaction data between the target application program and the server can be acquired without modifying the target application program, which facilitates detection processing of the target application program. The method and the device can therefore be widely applied in software detection technology.

Description

Application program processing method and device and computer readable storage medium
Technical Field
The present application relates to the field of software detection technologies, and in particular, to an application processing method and apparatus, and a computer-readable storage medium.
Background
With the development of smart terminal technology, the types of application programs (Apps) used on smart terminals keep increasing, such as game Apps, learning Apps, social Apps, and information Apps. However, because the threshold for developing an App is low, the major Apps are growing in an unregulated way, and the compliance problems they expose are becoming more and more serious. To detect whether an App meets the compliance requirements, it is commonly necessary to acquire the interaction data between the App and the server for data analysis. A currently common approach is to modify the target application program and add the code of a log printing module to it, that is, to obtain the interaction data between the App and the server by printing logs. This approach, however, interferes with the normal operation of the App and is not conducive to publishing and using the App.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
The embodiment of the application provides an application processing method, an application processing device and a computer-readable storage medium, which can enable interactive data between a target application and a server to be effectively acquired without modifying the target application.
In one aspect, an embodiment of the present application provides an application processing method, including the following steps:
running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
running the target application in the virtual environment;
and bypassing the function of the certificate checking logic function of the target application program through the hook function in the running process of the target application program, so that the interaction data of the target application program and a server can be acquired.
On the other hand, an embodiment of the present application further provides an application processing apparatus, including:
a first program running unit, configured to run a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit for running the target application program in the virtual environment;
and the function bypass unit is used for bypassing the function of the certificate checking logic function of the target application program through the hook function in the running process of the target application program, so that the interactive data of the target application program and the server can be acquired.
Optionally, the application processing apparatus further includes:
a function determining unit, configured to determine the certificate checking logic function in a program logic text of an installation package corresponding to the target application program;
the hook point determining unit is used for determining a hook point according to the certificate checking logic function;
a first function setting unit configured to set the hook function in the virtual environment according to the hook point.
Optionally, the hook point determining unit includes:
an execution position determining unit, configured to determine an execution position of the certificate checking logic function in the program logic text;
and the hook point determining subunit is used for determining the hook point according to the execution position.
Optionally, the execution location includes a start execution location and an end execution location; the hook point determination subunit includes:
the first determining subunit is used for determining an initial hook point according to the initial execution position;
and the second determining subunit is used for determining an end hook point according to the end execution position.
Optionally, the function bypass unit comprises:
the first jump execution unit is used for jumping to execute the hook function when the target application program runs to a first target logic position in the program logic text;
the second jump execution unit is used for jumping to a second target logic position in the program logic text when the hook function is executed, so that the target application program continues to run from the second target logic position;
the first target logic position is a position corresponding to the starting hook point in the program logic text, and the second target logic position is a position corresponding to the ending hook point in the program logic text.
Optionally, the first jump execution unit includes:
a jump execution subunit, configured to jump from the target application program to the virtual environment when the target application program runs to a first target logical position in the program logical text;
and the function calling unit is used for calling the hook function through the virtual environment.
Optionally, the function determination unit includes:
the installation package obtaining unit is used for obtaining an installation package corresponding to the target application program;
the decompiling unit is used for decompiling the installation package to obtain a program logic text of the installation package;
a function determining subunit, configured to determine the certificate checking logic function in the program logic text.
Optionally, the application processing apparatus further includes:
the second function setting unit is used for setting the hook function in a dynamic loading library of the virtual environment;
and the compiling unit is used for compiling the virtual environment provided with the hook function to obtain the compiled virtual environment.
Optionally, the virtual environment comprises a simulation running process; the second program execution unit includes:
the program installation unit is used for installing an installation package corresponding to the target application program in the virtual environment;
and the program running subunit is used for running the target application program through the simulation running process.
Optionally, the application processing apparatus further includes:
the data acquisition unit is used for acquiring the interactive data of the target application program and the server;
and the data processing unit is used for carrying out at least one of data interaction correctness verification, data flow monitoring or data information monitoring according to the interaction data.
Optionally, the data acquisition unit includes:
the first acquisition subunit is used for acquiring the interaction data of the target application program and the server through a data acquisition tool in the process of data interaction between the target application program and the server;
and the second acquisition subunit is used for acquiring the interaction data sent by the data acquisition tool.
Optionally, the first acquisition subunit includes:
the first data processing subunit is configured to, when the target application program sends first interaction information to the server, obtain the first interaction information through the data acquisition tool, and simulate the target application program through the data acquisition tool to send second interaction information to the server, where the second interaction information is obtained according to the first interaction information;
and the second data processing subunit is configured to, when the server sends third interaction information to the target application program, obtain the third interaction information through the data acquisition tool, and simulate the server through the data acquisition tool to send fourth interaction information to the target application program, where the fourth interaction information is obtained according to the third interaction information.
On the other hand, an embodiment of the present application further provides an application processing apparatus, including:
at least one processor;
at least one memory for storing at least one program;
at least one of said programs, when executed by at least one of said processors, implements an application processing method as previously described.
In another aspect, the present application further provides a computer-readable storage medium, in which a program executable by a processor is stored, and the program executable by the processor is used for implementing the application processing method as described above when executed by the processor.
In another aspect, the present application further provides a computer program product or a computer program, where the computer program product or the computer program includes computer instructions, and the computer instructions are stored in a computer-readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the application processing method as described above.
In the embodiments of the application, a virtual environment is run first, and the target application program is then run in the virtual environment. A hook function is set in a dynamic loading library of the virtual environment according to the certificate verification logic function of the target application program, and the hook function can bypass the certificate verification logic function of the target application program while the target application program runs. Because the hook function is set in the dynamic loading library of the virtual environment, the interaction data between the target application program and the server can be acquired without modifying the target application program, which facilitates compliance detection processing of the target application program.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
FIG. 1 is a schematic diagram of a scheme for acquiring interactive data between an App and a server by means of printing logs at present;
FIG. 2 is a schematic illustration of an implementation environment provided by an embodiment of the present application;
FIG. 3 is a flowchart of an application processing method provided in an embodiment of the present application;
FIG. 4 is a schematic diagram of an interface of an application program of an application store class displaying an error prompt message due to the effect of a packet capture detection function in the related art;
FIG. 5 is a schematic interface diagram illustrating a normal display of an application program of an application store class by using the application program processing method provided in the embodiment of the present application;
FIG. 6 is a flow chart of steps provided by one embodiment of the present application to set a hook function;
FIG. 7 is a diagram of the relevant code logical relationship for representation and management of HTTPS digital certificates in the Android system in the related art;
FIG. 8 is a flowchart of verification execution related to certificate verification in the Android system in the related art;
FIG. 9 is a flowchart of verification execution related to domain name verification in the Android system in the related art;
FIG. 10 is a flowchart of a method specific to step 120 of FIG. 6;
FIG. 11 is a flowchart of a particular method of step 300 of FIG. 3;
FIG. 12 is a flowchart of a particular method of step 310 in FIG. 11;
FIG. 13 is a flowchart of a method specific to step 110 of FIG. 6;
FIG. 14 is a flowchart of an application processing method according to another embodiment of the present application;
FIG. 15 is a flowchart of a method specific to step 200 of FIG. 3;
FIG. 16 is a diagram of a virtual environment architecture provided by a specific example of the present application;
FIG. 17 is a flowchart of an application processing method according to another embodiment of the present application;
FIG. 18 is a flowchart of a particular method of step 600 of FIG. 17;
FIG. 19 is a flowchart of a particular method of step 610 of FIG. 18;
FIG. 20 is a flowchart illustrating the data acquisition tool for acquiring interaction data between a target application and a server according to a specific example of the present application;
FIG. 21 is a schematic diagram of an application processing apparatus according to an embodiment of the present application.
Detailed Description
The present application is further described with reference to the following figures and specific examples. The described embodiments should not be considered as limiting the present application, and all other embodiments obtained by a person skilled in the art without making any inventive step are within the scope of protection of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is understood that "some embodiments" may be the same subset or different subsets of all possible embodiments, and may be combined with each other without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the application.
Before further detailed description of the embodiments of the present application, terms and expressions referred to in the embodiments of the present application will be described, and the terms and expressions referred to in the embodiments of the present application will be used for the following explanation.
1) The virtual environment refers to a test environment provided for the App to be detected, the App to be detected can be operated without being installed in a system in the test environment, and various operations executed by the App to be detected cannot cause any influence on an operating system of the host machine. The host refers to a terminal device, such as a smart phone, a tablet computer, and the like, for installing and operating the App to be detected.
2) The dynamic loading library is a way of implementing a shared function library, and allows a process to call functions that are not part of its own executable code. Dynamically loaded libraries contain one or more functions that have been compiled, linked, and stored separately from the process in which they are used.
3) A hook function is a function for processing system messages. Through a system call, the hook function can be attached to the system, so that the application program can filter all messages and events at the system level and access messages that cannot be accessed under normal conditions.
4) The certificate verification logic function refers to a function in the App that implements the verification logic for digital certificates. A digital certificate is a file used to mark identity information in network communication and digital interaction scenarios. It relies on asymmetric encryption: a private key is used to compute the digital signature of the target content, and wherever the identity has to be verified, the verification is completed with the public key corresponding to that private key. The digital certificate is the file that stores the public key, the identity information, the signature string and other contents. A root certificate is the public key certificate of a legitimate Certificate Authority (CA) and is the starting point of the chain of trust in a public key infrastructure; it is also essentially a digital certificate. The root certificate is a self-signed certificate, i.e. a certificate signed with its own private key. In a trust hierarchy based on digital certificates, certificates are commonly organized as follows: certificate A is a root certificate and issues certificate B (certificate B is an intermediate certificate, is signed by the private key of certificate A, and can be verified with the public key of certificate A); certificate B can in turn issue certificate C, and so on. The resulting chain structure of digital certificates is called a digital certificate chain. Digital certificate chain verification means that, during identity verification, all digital certificates in the whole digital certificate chain are verified until a root certificate is verified as a trusted certificate.
5) Program logic text refers to program logic code. For example, the program logic text of the installation package refers to the program logic code of the installation package.
6) The Hook point (Hook point) refers to a modified logic point in the process of modifying the program logic code in the application program process by using the Hook technology, namely, the entry point of the Hook technology.
7) The data acquisition tool is also called a packet capture tool, and can be used for acquiring interactive data of two communication parties in the data interaction process of the two communication parties.
8) Packet capture detection refers to a technique by which an App detects that the current network environment has been hijacked and prevents the communicated data packets from being intercepted by an unknown third party. The core implementation of packet capture detection relies on verification of the digital certificate chain.
Currently, during the research and development of an App, or during compliance detection of a formal (release) version of an App, it is commonly necessary to monitor and examine the data content that the App acquires from the network, so as to analyze whether the App meets the compliance requirements. A currently common approach is to modify the App and add the code of a log printing module to its program logic code, that is, to acquire the interaction data between the App and the server by printing logs. FIG. 1 is a schematic diagram of such a scheme. In the scheme, all network request actions of the App have to be routed through the network module, log output code is added at the data sending port and the data receiving port of the network module, and a log output control switch has to be added to the log printing module to ensure that the App outputs the interaction data between the App and the server only in debugging mode. This scheme has several drawbacks. Because the program logic code of the App has to be modified, the scheme can only be applied to an App whose source code is available, so the interaction data between a third-party App and the server cannot be acquired. The scheme can only be applied to a test version of the App: for a formal version, the log output control switch has to be closed for security, so the scheme cannot be applied there. In addition, the scheme requires checking an instruction to trigger the log printing module to output the interaction data between the App and the server, so its efficiency is low.
In order to enable interaction data between a target application and a server to be effectively obtained without modifying the target application, an embodiment of the present application provides an application processing method, an application processing apparatus, and a computer-readable storage medium, where a virtual environment is run first, and then the target application is run in the virtual environment, where a hook function is set in a dynamic loading library of the virtual environment, and the hook function is set according to a certificate checking logic function of the target application, and is capable of bypassing a function of the certificate checking logic function of the target application during running of the target application. Because the hook function is set in the dynamic loading library of the virtual environment, the scheme provided by the embodiment of the application can effectively acquire the interactive data between the target application program and the server under the condition of not modifying the target application program, thereby being convenient for realizing the compliance detection processing of the target application program.
Fig. 2 is a schematic diagram of an implementation environment provided by an embodiment of the present application. Referring to fig. 2, the implementation environment includes an operating system 101 and a virtual environment 102.
The operating system 101 may be an Android system or a HarmonyOS (Hongmeng) system, and may run on a terminal device such as a smart phone, a tablet computer, a netbook, a Personal Digital Assistant (PDA), a wearable electronic device, or a virtual reality device, but is not limited thereto.
The virtual environment 102 may be provided by a virtual environment application installed in the operating system 101, which may generate the virtual environment 102 when the virtual environment application is run in the operating system 101. The virtual environment 102 has at least a function of loading and running the target application program, and can run the target application program without installing the target application program to the operating system 101, and each logical operation performed by the target application program can not cause any influence on the operating system 101. In addition, a dynamic loading library is arranged in the virtual environment, and a hook function is arranged in the dynamic loading library.
In an alternative implementation manner, a virtual environment application program may be first run in the operating system 101, so that the virtual environment application program generates the virtual environment 102 in the operating system 101; then, loading the target application program in the virtual environment 102, so that the running logic of the hook function in the virtual environment 102 can be injected into the program running logic of the target application program; then, the target application is run in the virtual environment 102, and the program running logic of the target application is changed through the hook function, for example, the certificate checking logic function of the target application is skipped, so that the packet capture detection function of the target application is disabled. Since the function of the certificate checking logic function of the target application program is bypassed by the hook function, and the function is disabled, the interaction data between the target application program and the server can be obtained through the data obtaining tool. In fig. 2, a solid line with arrows represents the original logical processing flow of the target application; the dotted line with an arrow indicates a processing flow of loading the target application program by the virtual environment 102 so that the operation logic of the hook function is injected into the program operation logic of the target application program, and the dotted line with an arrow indicates an actual logic processing flow of the target application program after the program operation logic of the target application program is changed by the hook function.
Fig. 3 is a flowchart of an application processing method provided in an embodiment of the present application, where the application processing method may be applied to a terminal device capable of operating the implementation environment in the embodiment shown in fig. 2. In fig. 3, the application processing method includes, but is not limited to, step 100, step 200, and step 300.
Step 100: Run the virtual environment, wherein the dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to the certificate verification logic function of the target application program.
In this step, in order to implement compliance detection on the target application program, the virtual environment application program may be first run in the terminal device, so that the virtual environment application program generates a virtual environment for performing a detection test on the target application program, so that the target application program may be run in the virtual environment and interactive data between the target application program and the server may be obtained in subsequent steps, and an operating system of the terminal device is prevented from being affected by various operations executed by the target application program.
It should be noted that the related art also includes a technical solution that acquires the interaction data between the target application and the server by means of a man-in-the-middle attack; specifically, that solution uses a third-party packet capture tool to acquire the interaction data. In that solution, the root certificate file provided by the packet capture tool needs to be trusted by the target application program, so that when the packet capture tool constructs a digital certificate and sends it to the target application program, the target application program can verify the digital certificate, the whole man-in-the-middle attack is established, and the interaction data between the target application program and the server can be acquired. However, to meet security requirements, a packet capture detection function is often set in the target application program; that is, a certificate verification logic function is set in the target application program. The certificate verification logic function verifies the credibility of the digital certificate, so that it can detect whether the current network environment has been hijacked by a man-in-the-middle and can prevent the interaction data between the target application program and the server from being intercepted by an unknown third party. Therefore, when the packet capture tool constructs a digital certificate and sends it to the target application program, the certificate verification logic function of the target application program returns a verification failure result, and the packet capture tool cannot be used to acquire the interaction data between the target application program and the server. For example, fig. 4 is an interface diagram of a specific example in which an application-store application displays an error prompt because the packet capture detection function is enabled. In the example of fig. 4, when the application-store application is run to download a game application, it requests data related to the game application from the server. When the packet capture tool captures that data, because the application-store application has detection and protection measures against packet capture, it presents the interface shown in fig. 4 with the prompt "there is a security risk in the current network, please retry after switching to the secure network".
In the related art, compliance detection processing of the target application program cannot be realized with the packet capture tool. To solve this problem, in this step the hook function is set in the dynamic loading library of the virtual environment according to the certificate checking logic function of the target application program. When the target application program is loaded in the virtual environment in the subsequent step, the hook function of the virtual environment can therefore be injected into the program running logic of the target application program without modifying and recompiling the target application program. The program running logic of the target application program can then be changed through the hook function, the certificate checking logic function of the target application program is disabled, and the compliance detection processing of the target application program can be realized.
Step 200: a target application is run in the virtual environment.
In this step, since the virtual environment is run in step 100, at this time, the target application program may be run in the virtual environment, so that the hook function of the virtual environment can be injected into the program running logic of the target application program, and the program running logic of the target application program can be changed.
In an optional implementation manner of this step, after the virtual environment is run in step 100, the virtual environment may actively load a predetermined target application program, after the target application program is loaded, the virtual environment may simulate to install the target application program, and after the target application program is simulated to be installed, the virtual environment may run the target application program.
Step 300: During the running of the target application program, bypass the function of the certificate verification logic function of the target application program through the hook function, so that the interaction data between the target application program and the server can be acquired.
In this step, since the virtual environment is run in step 100, the target application is run through the virtual environment in step 200, and the hook function is set in the dynamic load library of the virtual environment and is set according to the certificate checking logic function of the target application, during the running of the target application, the function of the certificate checking logic function of the target application can be bypassed by the hook function, so that the interactive data between the target application and the server can be obtained, and the compliance detection processing of the target application can be realized in the subsequent steps.
It should be noted that bypassing the function of the certificate verification logic function of the target application program through the hook function means that the hook function can skip the call of the certificate verification logic function of the target application program, so that the function of the certificate verification logic function is disabled. Therefore, in the step, in the running process of the target application program, the interactive data between the target application program and the server can be effectively acquired, so that the follow-up step is facilitated to analyze whether the target application program meets the compliance requirement according to the interactive data.
In this embodiment, by using the application processing method including the foregoing step 100, step 200, and step 300, a virtual environment is first run in a terminal device, and then a target application is run in the virtual environment, where a hook function is set in a dynamic load library of the virtual environment, the hook function is set according to a certificate checking logic function of the target application, and the hook function can bypass a function of the certificate checking logic function of the target application in a running process of the target application. Because the hook function is set in the dynamic loading library of the virtual environment, the embodiment can effectively acquire the interactive data between the target application program and the server under the condition of not modifying the target application program, thereby being convenient for realizing the compliance detection processing of the target application program. For example, as shown in fig. 5, fig. 5 is an interface schematic diagram for normally displaying an application program of a certain application store class by using the application program processing method of the present embodiment. In the example of fig. 5, when an application program of an application store class is run in the virtual environment to download a game application program, the application program of the application store class requests the server for data related to the game application program, and at this time, since the hook function provided in the dynamic loading library of the virtual environment bypasses the function of the certificate checking logic function of the target application program, the application program of the application store class may exhibit an interface as shown in fig. 5, and exhibit information, such as application program details, comments, and the like, acquired from the server.
Referring to fig. 6, an embodiment of the present application further describes a setting manner of a hook function, where the hook function is set according to a certificate checking logic function of a target application, and specifically includes, but is not limited to, step 110, step 120, and step 130.
Step 110: Determine the certificate verification logic function in the program logic text of the installation package corresponding to the target application program.
In this step, in order to enable the hook function to accurately bypass the function of the certificate verification logic function of the target application program, the certificate verification logic function may be determined in advance in the program logic text of the installation package corresponding to the target application program, so that the hook function may be set in the virtual environment according to the certificate verification logic function in the subsequent step.
It should be noted that different embodiments are possible to determine the certificate checking logic function in the program logic text of the installation package corresponding to the target application program in advance. For example, when the target application program is a locally developed application program, that is, when the original program logic text of the target application program is locally provided, the certificate verification logic function may be directly determined in the program logic text of the installation package corresponding to the target application program; for another example, when the target application program is an application program developed by a third party, that is, when there is no original program logic text of the target application program locally, the target application program may be downloaded from the server first, then static decompilation processing is performed on the installation package of the target application program to obtain a program logic text of the installation package corresponding to the target application program, and then a certificate verification logic function is determined in the program logic text.
Step 120: Determine a hook point according to the certificate checking logic function.
In this step, since the certificate verification logic function is determined in step 110, a hook point may be determined according to the certificate verification logic function, so that a subsequent step may set a corresponding hook function in the virtual environment according to the hook point.
As shown in fig. 7 to fig. 9, fig. 7 is a diagram of the logical relationship between the code related to the representation and management of Hypertext Transfer Protocol Secure (HTTPS) digital certificates in the Android system, fig. 8 is a flowchart of the verification execution related to certificate verification in the Android system, and fig. 9 is a flowchart of the verification execution related to domain name verification in the Android system. As can be seen from fig. 7, the digital certificate is represented by an X509 certificate interface, and the implementation classes for managing the digital certificate mainly include the TrustManagerImpl class, the NetworkSecurityTrustManager class, the NetworkSecurityConfig class, and the RootTrustManager class. As can be seen from fig. 8 and fig. 9, the target application mainly implements the packet capture detection function through digital certificate verification and domain name verification. Referring to fig. 8, when the target application executes the verification logic of the digital certificate, a handshake connection is first requested from the server through the OpenSSLSocketImpl#startHandshake() function, then the handshake connection is realized through the NativeCrypto#SSL_do_handshake() function, then verification of the digital certificate chain is triggered through the OpenSSLSocketImpl#verifyCertificateChain() function, and then the digital certificate chain is forwarded through the Platform#checkServerTrusted() function to the corresponding verification module for verification processing. Referring to fig. 9, when the target application executes the domain name check logic, the domain name check is triggered through the RealConnection#connections() function, and then the corresponding domain name check processing is performed in the corresponding check module.
When the digital certificate constructed by the packet capture tool is sent to the target application program, the domain name information in that digital certificate is consistent with the domain name information in the real digital certificate. Therefore, when the hook function is set, the execution of the domain name verification logic does not need to be considered; it is sufficient to ensure that the hook function can bypass the execution of the digital certificate verification logic. Accordingly, the certificate verification logic function is determined by executing step 110, and the hook point is determined according to the certificate verification logic function by executing step 120, so that the subsequent step can accurately set the hook function according to the hook point and the compliance detection processing of the target application program in the subsequent steps can be executed smoothly.
It should be noted that the above-mentioned logical relationship of the relevant codes for the representation and management of the HTTPS digital certificate and the verification execution flow related to the certificate verification are only brief descriptions of the verification principle of the digital certificate, and do not represent the whole content of the verification principle of the digital certificate. Since the principle of checking a digital certificate is a mature technical principle in the field, other descriptions about the principle of checking a digital certificate may refer to the related descriptions about the principle of checking a digital certificate in the related art, and are not described herein again.
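A simplified model of the two checks described above, added here as an illustration and not taken from the patent: it shows why a certificate built by a packet capture tool for the same domain name passes the domain name check but fails the certificate check unless the tool's root is trusted. An HMAC under each CA's secret stands in for a public-key signature, and the CA names, keys and host name are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str       # host the leaf certificate was issued to
    issuer: str        # name of the root that signed it
    dns_names: tuple   # names the certificate claims to be valid for
    signature: bytes   # HMAC stand-in for the issuer's signature


def _signed_fields(subject, issuer, dns_names):
    return "|".join((subject, issuer, ",".join(dns_names))).encode()


def issue(subject, dns_names, issuer, issuer_key):
    """Create a leaf certificate 'signed' with the issuer's secret."""
    data = _signed_fields(subject, issuer, tuple(dns_names))
    sig = hmac.new(issuer_key, data, hashlib.sha256).digest()
    return Cert(subject, issuer, tuple(dns_names), sig)


def chain_is_trusted(leaf, trust_anchors):
    """Certificate check: issuer must be a trust anchor and the signature must verify."""
    key = trust_anchors.get(leaf.issuer)
    if key is None:
        return False
    data = _signed_fields(leaf.subject, leaf.issuer, leaf.dns_names)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, leaf.signature)


def domain_matches(leaf, host):
    """Domain name check: exact match or a single-label wildcard (*.example.test)."""
    host = host.lower().rstrip(".")
    for name in leaf.dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def evaluate(leaf, host, trust_anchors):
    result = {
        "certificate": chain_is_trusted(leaf, trust_anchors),
        "domain": domain_matches(leaf, host),
    }
    result["accepted"] = all(result.values())
    return result


# Constructed sample data (not real keys, CAs or hosts).
PUBLIC_CA_KEY = b"constructed-public-ca-secret"
TOOL_CA_KEY = b"constructed-capture-tool-secret"
APP_TRUST = {"Public Root CA": PUBLIC_CA_KEY}
HOST = "api.store.example.test"


def scenarios():
    genuine = issue(HOST, ("*.store.example.test",), "Public Root CA", PUBLIC_CA_KEY)
    tool_built = issue(HOST, (HOST,), "Capture Tool Root", TOOL_CA_KEY)
    # Claims the public root as issuer but is signed with the tool's secret.
    forged_issuer = issue(HOST, (HOST,), "Public Root CA", TOOL_CA_KEY)
    tool_trusted = {**APP_TRUST, "Capture Tool Root": TOOL_CA_KEY}
    return {
        "genuine server": evaluate(genuine, HOST, APP_TRUST),
        "tool certificate, root not trusted": evaluate(tool_built, HOST, APP_TRUST),
        "tool certificate, root trusted": evaluate(tool_built, HOST, tool_trusted),
        "forged issuer name": evaluate(forged_issuer, HOST, APP_TRUST),
    }


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label}: {outcome}")
```

In every scenario the domain name check passes, so the outcome is decided by the certificate check alone, which is the property the passage relies on.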
Step 130: setting a hook function in the virtual environment according to the hook point.
In this step, since the hook point is determined in step 120, a corresponding hook function may be set in the virtual environment according to the hook point, so that when the target application is run in the virtual environment in the subsequent step, the hook function may be injected into the program running logic of the target application at the determined hook point, thereby changing the program running logic of the target application, so that the certificate checking logic function of the target application is bypassed, and facilitating implementation of compliance detection processing on the target application.
In an alternative implementation manner, the installation directory of the virtual environment may be preset with related plug-in executable files, where the plug-in executable files include hook functions corresponding to various different certificate checking logic functions in a one-to-one manner, so that when step 130 is executed to set the hook functions in the virtual environment according to the hook points, the corresponding hook functions may be called from the plug-in executable files, thereby achieving the purpose of setting the hook functions in the virtual environment.
Referring to fig. 10, in an embodiment of the present application, step 120 is further described, and step 120 may include, but is not limited to, step 121 and step 122.
Step 121: Determine the execution position of the certificate checking logic function in the program logic text.
In this step, since the certificate verification logic function is determined in step 110, the execution position of the certificate verification logic function can be determined in the program logic text of the installation package corresponding to the target application program, so that the hook point can be accurately determined in the subsequent steps.
It should be noted that the certificate checking logic function includes a function entry and a function exit, where the function entry refers to a position where the certificate checking logic function is called, and the function exit refers to a position where the certificate checking logic function outputs a return value, and the return value of the certificate checking logic function is returned to the target application program as a result of calling the certificate checking logic function, for example, the return value may be a value indicating that the certificate checking logic function passes the checking or a value that does not pass the checking. Therefore, in the process of executing step 121 to determine the execution position of the certificate checking logic function in the program logic text, the function entry and the function exit of the certificate checking logic function can be determined, so that the hook point can be accurately determined in the subsequent step.
Step 122: Determine the hook point according to the execution position.
In this step, since the execution position of the certificate checking logic function in the program logic text is determined in step 121, a hook point may be determined according to the execution position, so that a corresponding hook function may be set in the virtual environment according to the hook point in the subsequent step.
Table 1 below lists the locations of the logic code in the target application that may trigger the packet capture detection function.
TABLE 1
[Table 1 appears as images in the original publication: Figure BDA0003176763340000091 and Figure BDA0003176763340000101.]
The hook points in Table 1 are the key logic of the certificate verification function in the target application program. The certificate verification function in the target application program can be invalidated by performing hook processing on the certificate verification logic in Table 1, so that the interaction data between the target application program and the server can be effectively acquired and compliance detection processing of the target application program can be conveniently realized.
In addition, in an embodiment of the present application, in a case that the execution location includes a start execution location and an end execution location, the step 122 is further described, and the step 122 may include the following steps:
firstly, determining an initial hook point according to an initial execution position;
then, an end hook point is determined from the end execution position.
It should be noted that the start execution position in the present embodiment corresponds to the function entry in the embodiment shown in fig. 10, and the end execution position corresponds to the function exit in the embodiment shown in fig. 10. Since the hook function needs to be set in the virtual environment for the hook point after the hook point is determined, so that the hook function can bypass the function of the certificate checking logic function of the target application, in the process of determining the hook point, it is necessary to determine the starting hook point according to the starting execution position and determine the ending hook point according to the ending execution position, so that in the process of setting the hook function in the virtual environment, the hook function capable of bypassing the certificate checking logic function of the target application can be set according to the starting hook point and the ending hook point.
It should be noted that the starting execution position is a starting position of the execution logic of the certificate checking logic function, and therefore, in an alternative implementation, the determining the starting hook point according to the starting execution position may specifically be: firstly, a logic operation position in front of the certificate checking logic function is determined in a program logic text according to the starting execution position, and then the logic operation position is determined as a position corresponding to the starting hook point. In addition, the end execution position is an end position of the execution logic of the certificate checking logic function, and therefore, in an alternative implementation, the determining the end hook point according to the end execution position may specifically be: firstly, a logic operation position behind the certificate checking logic function is determined in the program logic text according to the ending execution position, and then the logic operation position is determined as a position corresponding to the ending hook point.
Referring to fig. 11, an embodiment of the present application further illustrates the function of bypassing the certificate checking logic function of the target application through the hook function in step 300, and the function of bypassing the certificate checking logic function of the target application through the hook function in step 300 may include, but is not limited to, step 310 and step 320.
Step 310: When the target application program runs to the first target logic position in the program logic text, jump to execute the hook function.
In this step, the first target logical position is the position corresponding to the starting hook point in the program logic text. Since the hook function in the dynamic loading library of the virtual environment has been injected into the program running logic of the target application program in the process of executing step 200, when the target application program runs to the first target logic position in the program logic text, the running logic of the target application program changes, and execution jumps to the running logic of the hook function.
Step 320: When execution of the hook function is completed, jump to a second target logic position in the program logic text, so that the target application program continues to run from the second target logic position.
In this step, the second target logical position is a position corresponding to the end hook point in the program logical text. Because the target application program jumps from the original running logic to the running logic for executing the hook function in step 310, after the running logic for executing the hook function is completed, the running logic for the entire program jumps to the second target logic position in the program logic text, so that the target application program can continue to run from the second target logic position.
In this embodiment, by executing step 310 and step 320, when the target application program runs to the first target logic position corresponding to the starting hook point in the program logic text, execution jumps to the hook function; after the hook function is executed, execution jumps to the second target logic position in the program logic text and the target application program continues to run from there. In this way, the certificate checking logic function in the target application program can be bypassed without modifying and recompiling the target application program, the function of the certificate checking logic function of the target application program is disabled, and the interaction data between the target application program and the server can be effectively acquired in the subsequent steps.
Referring to fig. 12, an embodiment of the present application further illustrates step 310, and step 310 may include, but is not limited to, the following steps:
step 311: when the target application program runs to a first target logic position in the program logic text, jumping to the virtual environment from the target application program;
step 312: the hook function is called through the virtual environment.
In this embodiment, since the hook function in the dynamic loading library of the virtual environment has been injected into the program running logic of the target application program in the process of executing step 200, when the target application program runs to the first target logic location in the program logic text, the target application program jumps to call the hook function. Because the hook function is arranged in the dynamic loading library of the virtual environment, in the process of calling the hook function by skipping, the running logic of the whole program skips from the target application program to the virtual environment, and then the hook function is called by the virtual environment, so that the running logic of the hook function can be smoothly executed, the bypass processing of the certificate checking logic function of the target application program can be realized, and the purpose of disabling the function of the certificate checking logic function is achieved.
Referring to fig. 13, an embodiment of the present application further illustrates step 110, and step 110 may include, but is not limited to, the following steps:
step 111: acquiring an installation package corresponding to a target application program;
step 112: performing decompiling on the installation package to obtain a program logic text of the installation package;
step 113: the certificate checking logic function is determined in the program logic text.
In this embodiment, in order to enable the hook function to accurately bypass the function of the certificate checking logic function of the target application program, step 110 may be executed to determine the certificate checking logic function in the program logic text of the installation package corresponding to the target application program. In the process of executing step 110, an installation package corresponding to the target application program needs to be obtained first, then the installation package is decompiled to obtain a program logic text of the installation package, and then a certificate verification logic function is determined in the program logic text.
Step 111, step 112, and step 113 in the present embodiment are performed in advance, before step 100 is performed. Since the installation package corresponding to the target application program may be copied or downloaded to the terminal device in advance, when step 111 is executed, the terminal device may directly obtain the installation package from its storage space. Alternatively, the terminal device may download the installation package directly from the server when it executes step 111. The terminal device may further be provided with a static decompilation tool; after the terminal device executes step 111 to obtain the installation package corresponding to the target application program, it may invoke and run the static decompilation tool to decompile the installation package, so as to obtain the program logic text of the installation package. After the terminal device executes step 112 to obtain the program logic text of the installation package, it may determine the certificate verification logic function in the program logic text. It should be noted that the terminal device may determine the certificate verification logic function by performing processes such as identification or comparison on the content of the program logic text. In addition, while determining the certificate verification logic function, the terminal device may also present the content of the program logic text to the user, so that the certificate verification logic function can be determined more accurately with the user's assistance.
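One way the "identification or comparison" of step 113 and the function entry and exit location of step 121 could be automated over decompiled text, as an added example that is not code from the patent. It matches the standard `X509TrustManager.checkServerTrusted` and `HostnameVerifier.verify` descriptors in smali, records each method's entry and exit lines, and marks verifiers that return without performing any check; the smali sample, its class names and the `performs_check` heuristic are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Method name + descriptor of the standard javax.net.ssl verification callbacks.
VERIFIER_SIGNATURES = {
    "checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V":
        "certificate check",
    "verify(Ljava/lang/String;Ljavax/net/ssl/SSLSession;)Z":
        "domain name check",
}
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L\S+;)$")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w-]+\s+)*(\S+)$")


@dataclass
class Finding:
    path: str
    cls: str
    method: str
    kind: str
    entry_line: int                       # line of the .method directive
    exit_lines: list = field(default_factory=list)  # return / throw lines
    performs_check: bool = False          # heuristic: body calls, branches or throws


def find_verifiers(path, smali_text):
    """Locate verification callbacks in one decompiled class."""
    findings, cls, current = [], "?", None
    for lineno, raw in enumerate(smali_text.splitlines(), start=1):
        line = raw.strip()
        m = CLASS_RE.match(line)
        if m:
            cls = m.group(1)
            continue
        m = METHOD_RE.match(line)
        if m:
            kind = VERIFIER_SIGNATURES.get(m.group(1))
            current = Finding(path, cls, m.group(1), kind, lineno) if kind else None
            continue
        if current is None:
            continue
        if line == ".end method":
            findings.append(current)
            current = None
        elif line.startswith(("return", "throw")):
            current.exit_lines.append(lineno)
            if line.startswith("throw"):
                current.performs_check = True
        elif line.startswith(("invoke-", "if-")):
            current.performs_check = True
    return findings


def scan_package(files):
    """files: {path: smali text} as produced by a static decompilation tool."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(find_verifiers(path, text))
    return results


# Constructed sample input (hypothetical application classes).
SAMPLE_PACKAGE = {
    "smali/com/example/store/net/PinningTrustManager.smali": """\
.class public Lcom/example/store/net/PinningTrustManager;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/X509TrustManager;

.method public checkServerTrusted([Ljava/security/cert/X509Certificate;Ljava/lang/String;)V
    .locals 2
    invoke-direct {p0, p1}, Lcom/example/store/net/PinningTrustManager;->matchPins([Ljava/security/cert/X509Certificate;)Z
    move-result v0
    if-nez v0, :ok
    new-instance v1, Ljava/security/cert/CertificateException;
    invoke-direct {v1}, Ljava/security/cert/CertificateException;-><init>()V
    throw v1
    :ok
    return-void
.end method
""",
    "smali/com/example/store/debug/LaxVerifier.smali": """\
.class public final Lcom/example/store/debug/LaxVerifier;
.super Ljava/lang/Object;
.implements Ljavax/net/ssl/HostnameVerifier;

.method public verify(Ljava/lang/String;Ljavax/net/ssl/SSLSession;)Z
    .locals 1
    const/4 v0, 0x1
    return v0
.end method
""",
}

if __name__ == "__main__":
    for f in scan_package(SAMPLE_PACKAGE):
        note = "" if f.performs_check else "  <-- accepts everything"
        print(f"{f.cls} {f.kind}: entry L{f.entry_line}, exits {f.exit_lines}{note}")
```

A verifier reported with `performs_check` false is itself a compliance finding, because it accepts any certificate or host name without a hook being involved.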
Referring to fig. 14, in an embodiment of the present application, before step 100 is performed, the application processing method may further include, but is not limited to, step 400 and step 500.
Step 400: Set a hook function in a dynamic loading library of the virtual environment.
In this step, before step 100 is executed, a hook function needs to be set in the dynamic load library of the virtual environment. It should be noted that, different implementations are possible to set the hook function in the dynamic load library of the virtual environment. For example, different plug-in executable files may be preset in the storage space of the terminal device, each plug-in executable file is provided with a hook function, and the different plug-in executable files correspond to different certificate checking logic functions, so that when the terminal device performs step 400 to set a hook function in a dynamic loading library of the virtual environment, the terminal device may copy the corresponding plug-in executable file to the dynamic loading library, thereby completing the process of setting the hook function in the dynamic loading library. For another example, different plug-in executable files may be preset in the server, each plug-in executable file may be provided with a hook function, and the different plug-in executable files correspond to different certificate checking logic functions, so that when the terminal device performs step 400 to set a hook function in the dynamic loading library of the virtual environment, the terminal device may first request the corresponding plug-in executable file from the server, and when the terminal device receives a plug-in executable file fed back by the server, the terminal device copies the plug-in executable file to the dynamic loading library, thereby completing the process of setting the hook function in the dynamic loading library.
Step 500: Compile the virtual environment provided with the hook function to obtain the compiled virtual environment.
In this step, since the hook function is already set in the dynamic loading library of the virtual environment in step 400, the virtual environment provided with the hook function can be compiled to obtain a compiled virtual environment, so that the target application program can be run through the compiled virtual environment in the subsequent step, and the hook function can bypass the function of the certificate verification logic function of the target application program.
It should be noted that, after the hook function is set in the dynamic loading library of the virtual environment, the program logic text of the virtual environment is changed, and therefore, the modified program logic text of the virtual environment needs to be compiled again to generate an executable virtual environment capable of injecting the hook function into the program running logic of the target application program, so that after the virtual environment is run in subsequent steps, the target application program can be run in the virtual environment, and the hook function bypasses the certificate verification function of the target application program to enable the interactive data of the target application program and the server to be obtained.
Referring to fig. 15, in an embodiment of the present application, step 200 is further described in the case that the virtual environment includes a simulation running process, and step 200 may include, but is not limited to, the following steps:
step 210: installing an installation package corresponding to a target application program in a virtual environment;
step 220: running the target application program through the simulation running process.
In this embodiment, when step 200 is executed to run the target application in the virtual environment, an installation package corresponding to the target application may be installed in the virtual environment first, so that the target application is installed in the virtual environment in a simulated manner, and then the target application is run through a simulated running process in the virtual environment, so that in the running process of the target application, the function of the certificate verification logic function of the target application can be bypassed through the hook function, and thus the interactive data between the target application and the server can be effectively acquired.
The architecture of the virtual environment is explained below with a specific example.
As shown in fig. 16, fig. 16 is a schematic diagram of a virtual environment architecture provided by a specific example. The virtual environment architecture comprises a virtual environment main process, a unified management process and a simulation running process.
The virtual environment main process is the main process of the virtual environment and is mainly responsible for displaying the User Interface (UI) of the virtual environment. The virtual environment main process has at least an interface framework management function and a file export function. The interface framework management function means that the virtual environment main process can construct the user interface framework of the virtual environment and is responsible for operation management of the user interface; the user interface framework displays a file export button, an installation button used for selecting an installation package to install, an uninstallation button used for uninstalling the installation package, and the like. The file export function means that, after the target application program has run, the virtual environment main process can copy the files output by the target application program from the data directory of the target application program to a specified directory.
The unified management process is mainly responsible for installation management of the installation package, starting and stack management of the activity component (Activity), management of the simulation running process, and the like. The unified management process has at least an installation package installation management function, an activity component stack management function, a simulation running process management function and a cross-process interface calling function. The installation package installation management function means that the unified management process can copy an installation package to be installed to a specified directory, decompress the installation package to obtain an executable file (such as a .so file), and construct a ClassLoader object to load the installation package. The activity component stack management function means that the unified management process can manage the activity component pages of the installation package being run in simulation, so that all pages of that installation package can be displayed. The simulation running process management function means that the unified management process can record information about the processes currently running in the virtual environment and can provide operations such as exiting and opening a process. The cross-process interface calling function means that the unified management process can maintain the interface capabilities required by the main process and the simulation running processes and can provide a unified capability output interface for other processes to call.
The simulation running process is the process in which the installation package being run in simulation actually resides, and it is mainly responsible for fully presenting the running logic contained in the installation package. To run the installation package, the simulation running process may include a large amount of Hook logic for the Application Programming Interfaces (APIs) of the Android system, so that when the running logic in the installation package triggers calls to Android framework APIs, it can run normally without being blocked by the Android system or reporting errors. The Hook logic for the APIs may additionally include implementation logic for file path replacement. The simulation running process has at least a Hook function for Android native services, a file storage path replacement function, and a function of running the running logic of the target application program. The Hook function for Android native services means that the simulation running process can perform Hook processing on the APIs of the Android system framework to ensure that the system APIs can be correctly called and executed. The file storage path replacement function means that the simulation running process can modify the getDataDir, getFilesDir and getDir interfaces of the Context object used to run the installation package, so that the path each of these functions returns is a subdirectory named after the package name of the installation package; all files written through storage paths obtained from these interfaces therefore end up in the subdirectory named after the package name of the installation package. The file export operation can be performed on this basis: the contents of the subdirectory named after the package name of the installation package can be exported directly in their entirety. The function of running the running logic of the target application program means that the simulation running process can simulate and run the running logic of the target application program, so that the running logic of the target application program in the virtual environment is basically consistent with its running logic in an Android system or a HarmonyOS system.
Referring to fig. 17, in an embodiment of the present application, the application processing method is further described, and after performing step 300, the application processing method may further include, but is not limited to, the following steps:
step 600: acquiring interactive data of a target application program and a server;
step 700: performing at least one of data interaction correctness checking, data flow monitoring or data information monitoring according to the interaction data.
In this embodiment, after the hook function bypasses the certificate checking logic function of the target application program in step 300, the certificate checking of the target application program is rendered ineffective. The interactive data between the target application program and the server can then be obtained first, and at least one of data interaction correctness checking, data traffic monitoring or data information monitoring can be performed according to the interactive data, so as to implement compliance detection processing on the target application program.
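The three checks named in step 700, run over interaction data that is already in plaintext, as an added example that is not part of the patent. The `Exchange` record layout, the declared-host set, the sensitive-key list, the `{"code": 0}` response contract and the sample records are constructed assumptions, not the output format of any capture tool.

```python
import json
import re
from collections import defaultdict, namedtuple
from urllib.parse import parse_qsl, urlsplit

# Hypothetical record layout for one plaintext request/response pair.
Exchange = namedtuple("Exchange", "url request_body status response_body")

# Constructed sample of the interaction data obtained in step 600.
SAMPLE = [
    Exchange("https://api.example.test/v1/login",
             '{"user": "alice", "device": {"id": "490154203237518"}}',
             200, '{"code": 0, "token": "t-1"}'),
    Exchange("https://api.example.test/v1/profile?contact=13800138000", "", 200, '{"code": 0}'),
    Exchange("https://ads.tracker.test/collect",
             '{"android_id": "9774d56d682e549c", "lat": 30.57, "lon": 104.06}',
             200, "ok"),
    Exchange("https://api.example.test/v1/feed", "{}", 500, "<html>error</html>"),
]

DECLARED_HOSTS = {"api.example.test"}  # assumption: hosts the app declares it talks to
SENSITIVE_KEYS = {"imei", "android_id", "phone", "lat", "lon"}  # assumption
CN_MOBILE = re.compile(r"^1[3-9]\d{9}$")  # shape of a mainland China mobile number


def luhn_ok(digits):
    """Luhn check, as used for the IMEI check digit."""
    doubled = [int(c) * (2 if i % 2 else 1) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0


def flatten(obj, prefix=""):
    """Yield (dotted_path, scalar) pairs from nested JSON."""
    if isinstance(obj, list):
        obj = dict(enumerate(obj))
    if not isinstance(obj, dict):
        yield prefix, obj
        return
    for key, value in obj.items():
        yield from flatten(value, f"{prefix}.{key}" if prefix else str(key))


def request_fields(ex):
    """All (name, value) pairs a request carries: query string plus JSON body."""
    fields = parse_qsl(urlsplit(ex.url).query)
    try:
        fields += flatten(json.loads(ex.request_body))
    except ValueError:
        pass  # empty or non-JSON body: only the query string is inspected
    return fields


def classify(name, value):
    """Label a field that looks like personal data: value shape first, then key name."""
    leaf, text = name.rsplit(".", 1)[-1].lower(), str(value)
    if len(text) == 15 and text.isascii() and text.isdigit() and luhn_ok(text):
        return "imei"
    if CN_MOBILE.match(text):
        return "phone"
    return leaf if leaf in SENSITIVE_KEYS else None


def information_monitor(exchanges):
    """Data information monitoring: host -> sorted labels of personal data sent to it."""
    found = defaultdict(set)
    for ex in exchanges:
        labels = {classify(n, v) for n, v in request_fields(ex)} - {None}
        found[urlsplit(ex.url).hostname] |= labels
    return {host: sorted(labels) for host, labels in found.items() if labels}


def traffic_monitor(exchanges):
    """Data traffic monitoring: host -> (bytes exchanged, host is declared)."""
    totals = defaultdict(int)
    for ex in exchanges:
        size = len(ex.request_body.encode()) + len(ex.response_body.encode())
        totals[urlsplit(ex.url).hostname] += size
    return {host: (n, host in DECLARED_HOSTS) for host, n in totals.items()}


def correctness_check(exchanges):
    """Correctness checking: (url, reason) where a declared host breaks the contract."""
    problems = []
    for ex in exchanges:
        if urlsplit(ex.url).hostname not in DECLARED_HOSTS:
            continue
        try:
            ok = json.loads(ex.response_body).get("code") == 0
        except (ValueError, AttributeError):
            ok = False  # not JSON, or JSON that is not an object
        if not 200 <= ex.status < 300:
            problems.append((ex.url, f"status {ex.status}"))
        elif not ok:
            problems.append((ex.url, "unexpected response body"))
    return problems
```

On the sample, the device identifier and phone number are caught by value shape even though their key names (`id`, `contact`) are innocuous, and the undeclared host is flagged by `traffic_monitor`.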
It should be noted that acquiring the interaction data between the target application and the server in step 600 may be implemented in different ways. For example, a packet capture tool such as Packet Capture, Charles or Fiddler may be deployed in the terminal device, and the interaction data between the target application and the server may then be acquired through the packet capture tool. Alternatively, a packet capture tool such as Packet Capture, Charles or Fiddler may be deployed in another device, the interaction data between the target application and the server is acquired through that tool, and the terminal device then obtains the interaction data from that device.
Referring to fig. 18, in an embodiment of the present application, step 600 is further described, and step 600 may include, but is not limited to, step 610 and step 620.
Step 610: acquiring interactive data of the target application program and the server through a data acquisition tool in the process of data interaction between the target application program and the server.
In this step, since the certificate checking logic function of the target application program has been bypassed by the hook function in step 300, the interactive data between the target application program and the server can be obtained by the data acquisition tool during data interaction between the target application program and the server, so that compliance detection processing can be performed on the target application program according to the interactive data in subsequent steps.
It should be noted that the data acquisition tool may be a conventional packet capture tool, such as Packet Capture, Charles or Fiddler, and this embodiment is not limited in this respect. In addition, the data acquisition tool may be deployed in the terminal device that executes the application processing method, or in another device that is in communication connection with the terminal device, which is not specifically limited in this embodiment.
Step 620: acquiring the interactive data sent by the data acquisition tool.
In this step, after the data acquisition tool obtains the interactive data between the target application program and the server in step 610, the data acquisition tool may cache the interactive data. A data acquisition instruction can then be sent to the data acquisition tool to obtain the interactive data from it, so that subsequent steps can perform compliance detection processing on the target application program according to the interactive data.
It should be noted that step 620, acquiring the interactive data sent by the data acquisition tool, may be implemented in different ways. For example, after the data acquisition tool obtains the interactive data between the target application and the server, it may cache the interactive data; on receiving a data acquisition instruction from the terminal device, it reads the interactive data from its cache space and sends the interactive data to the terminal device. As another example, after obtaining the interactive data between the target application program and the server, the data acquisition tool may send the interactive data directly to the terminal device, which saves instruction interaction between the terminal device and the data acquisition tool and can improve the efficiency of acquiring the interactive data.
Referring to fig. 19, in an embodiment of the present application, step 610 is further described, and step 610 may include, but is not limited to, step 611 and step 612.
Step 611: when the target application program sends first interaction information to the server, the first interaction information is obtained through the data obtaining tool, and second interaction information is sent to the server through the data obtaining tool in a mode of simulating the target application program, wherein the second interaction information is obtained according to the first interaction information.
In this step, while the interactive data between the target application program and the server is being acquired by the data acquisition tool, when the target application program sends first interaction information to the server, the data acquisition tool can acquire the first interaction information and then either cache it or send it directly to the terminal device executing the application program processing method. In addition, after acquiring the first interaction information, the data acquisition tool can simulate the target application program and send second interaction information to the server. In this way the data acquisition tool can effectively acquire the first interaction information sent by the target application program to the server without affecting normal data interaction between the target application program and the server, so that compliance detection processing can be performed on the target application program in subsequent steps according to the first interaction information.
Step 612: when the server sends third interactive information to the target application program, acquiring the third interactive information through the data acquisition tool, and simulating the server to send fourth interactive information to the target application program through the data acquisition tool, wherein the fourth interactive information is obtained according to the third interactive information.
In this step, while the interactive data between the target application program and the server is being acquired by the data acquisition tool, when the server sends third interactive information to the target application program, the data acquisition tool can acquire the third interactive information and then either cache it or send it directly to the terminal device executing the application program processing method. In addition, after acquiring the third interactive information, the data acquisition tool can simulate the server and send fourth interactive information to the target application program. In this way the data acquisition tool can effectively acquire the third interactive information sent by the server to the target application program without affecting normal data interaction between the target application program and the server, so that compliance detection processing can be performed on the target application program in subsequent steps according to the third interactive information.
With respect to the present embodiment, a specific example is described below, and as shown in fig. 20, fig. 20 is a flowchart for acquiring interaction data between a target application and a server through a data acquisition tool. Specifically, the obtaining of the interaction data between the target application and the server by the data obtaining tool may include the following steps:
step 801: the target application program initiates an HTTPS request to the server;
step 802: the data acquisition tool intercepts the HTTPS request and initiates the HTTPS request to the server instead of the target application program;
step 803: the data acquisition tool acquires a digital certificate chain returned by the server;
step 804: the data acquisition tool returns to the target application a digital certificate chain provided by the data acquisition tool;
step 805: the target application program encrypts the symmetric key A by using a public key provided by the data acquisition tool to obtain first key information and sends the first key information to the server;
step 806: the data acquisition tool intercepts the first key information, decrypts the first key information by using a private key of the data acquisition tool to obtain and store a symmetric key A, then, the data acquisition tool encrypts a symmetric key B by using a public key provided by the server to obtain second key information, and sends the second key information to the server;
step 807: the server decrypts the second key information by using the private key of the server to obtain a symmetric key B, then encrypts plaintext response data needing to be sent to the target application program by using the symmetric key B to obtain ciphertext response data, and sends the ciphertext response data to the target application program;
step 808: the data acquisition tool intercepts ciphertext response data, decrypts the ciphertext response data by using a symmetric key B to obtain and store plaintext response data, encrypts the plaintext response data by using a symmetric key A, and sends the encrypted plaintext response data to a target application program;
step 809: the target application program decrypts the received information by using the symmetric key A to obtain plaintext response data.
In this example, the data acquisition tool impersonates the server when communicating data with the target application, such that the target application believes it is communicating with the server; the data acquisition tool impersonates the target application when communicating data with the server so that the server believes it is communicating with the target application. Therefore, the data acquisition tool can acquire both the data transmitted by the target application program and the data transmitted by the server, so that the purpose of acquiring the interactive data between the target application program and the server is achieved, and the follow-up steps can perform compliance detection processing on the target application program according to the interactive data.
Referring to fig. 21, an embodiment of the present application further discloses an application processing apparatus, where the application processing apparatus 900 is capable of implementing an application processing method with a terminal device as an execution subject as in the foregoing embodiments, and the application processing apparatus 900 includes:
a first program running unit 901, configured to run a virtual environment, where a dynamic load library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit 902 for running a target application in a virtual environment;
the function bypass unit 903 is configured to bypass, by using a hook function, a function of the certificate checking logic function of the target application program in the running process of the target application program, so that the interaction data of the target application program and the server can be acquired.
In one embodiment, the application processing device 900 further comprises:
the function determining unit is used for determining a certificate verification logic function in a program logic text of an installation package corresponding to the target application program;
the hook point determining unit is used for determining a hook point according to the certificate verification logic function;
a first function setting unit for setting a hook function in the virtual environment according to the hook point.
In one embodiment, the hook point determination unit includes:
the execution position determining unit is used for determining the execution position of the certificate verification logic function in the program logic text;
and the hook point determining subunit is used for determining the hook point according to the execution position.
In one embodiment, in a case where the execution position includes a start execution position and an end execution position, the hook point determination subunit includes:
the first determining subunit is used for determining an initial hook point according to the initial execution position;
and the second determining subunit is used for determining an end hook point according to the end execution position.
In one embodiment, the function bypass unit 903 comprises:
the first skip execution unit is used for skipping to execute the hook function when the target application program runs to a first target logic position in the program logic text;
the second jump execution unit is used for jumping to a second target logic position in the program logic text when the hook function is executed, so that the target application program continues to run from the second target logic position;
the first target logic position is a position corresponding to the starting hook point in the program logic text, and the second target logic position is a position corresponding to the ending hook point in the program logic text.
In one embodiment, the first jump execution unit includes:
the jump execution subunit is used for jumping from the target application program to the virtual environment when the target application program runs to a first target logic position in the program logic text;
and the function calling unit is used for calling the hook function through the virtual environment.
In one embodiment, the function determination unit includes:
the installation package obtaining unit is used for obtaining an installation package corresponding to the target application program;
the decompiling unit is used for decompiling the installation package to obtain a program logic text of the installation package;
and the function determining subunit is used for determining the certificate checking logic function in the program logic text.
In one embodiment, the application processing device 900 further comprises:
the second function setting unit is used for setting a hook function in a dynamic loading library of the virtual environment;
and the compiling unit is used for compiling the virtual environment provided with the hook function to obtain the compiled virtual environment.
In an embodiment, in the case where the virtual environment includes a simulation execution process, the second program execution unit 902 includes:
the program installation unit is used for installing an installation package corresponding to the target application program in the virtual environment;
and the program running subunit is used for running the target application program through the simulation running process.
In one embodiment, the application processing device 900 further comprises:
the data acquisition unit is used for acquiring interactive data of the target application program and the server;
and the data processing unit is used for carrying out at least one of data interaction correctness checking, data flow monitoring or data information monitoring according to the interactive data.
In one embodiment, the data acquisition unit includes:
the first acquisition subunit is used for acquiring the interactive data of the target application program and the server through a data acquisition tool in the process of data interaction between the target application program and the server;
and the second acquisition subunit is used for acquiring the interactive data sent by the data acquisition tool.
In one embodiment, the first acquiring subunit includes:
the first data processing subunit is used for acquiring first interaction information through the data acquisition tool when the target application program sends the first interaction information to the server, and sending second interaction information to the server by simulating the target application program through the data acquisition tool, wherein the second interaction information is obtained according to the first interaction information;
and the second data processing subunit is used for acquiring the third interactive information through the data acquisition tool when the server sends the third interactive information to the target application program, and sending fourth interactive information to the target application program through the data acquisition tool simulation server, wherein the fourth interactive information is obtained according to the third interactive information.
It should be noted that, since the application processing apparatus 900 of this embodiment can implement the application processing method using the terminal device as the execution subject as in the foregoing embodiment, the application processing apparatus 900 of this embodiment has the same technical principle and the same beneficial effects as the application processing method using the terminal device as the execution subject in the foregoing embodiment, and therefore, in order to avoid the repetition of the content, the details are not described here again.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, an embodiment of the present application further discloses an application processing apparatus, including:
at least one processor;
at least one memory for storing at least one program;
when at least one of the programs is executed by at least one of the processors, the application processing method according to any of the preceding embodiments is implemented.
The embodiment of the application also discloses a computer readable storage medium, wherein a program executable by a processor is stored, and when the program executable by the processor is executed by the processor, the program is used for realizing the application processing method according to any of the previous embodiments.
The embodiment of the application also discloses a computer program product or a computer program, which comprises computer instructions, and the computer instructions are stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to execute the application processing method according to any of the foregoing embodiments.
The terms "first," "second," "third," "fourth," and the like in the description of the application and the above-described figures, if any, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in the present application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships are possible; for example, "A and/or B" may indicate: only A is present, only B is present, or both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single item(s) or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The step numbers in the above method embodiments are set for convenience of illustration only, the order between the steps is not limited at all, and the execution order of each step in the embodiments can be adapted according to the understanding of those skilled in the art.

Claims (15)

1. An application processing method, comprising the steps of:
running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
running the target application in the virtual environment;
and bypassing the function of the certificate checking logic function of the target application program through the hook function in the running process of the target application program, so that the interaction data of the target application program and a server can be acquired.
2. The application processing method according to claim 1, wherein the hook function setting according to the certificate verification logic function of the target application specifically includes:
determining the certificate verification logic function in a program logic text of an installation package corresponding to the target application program;
determining a hook point according to the certificate verification logic function;
setting the hook function in the virtual environment according to the hook point.
3. The application processing method according to claim 2, wherein the determining a hook point according to the certificate checking logic function comprises:
determining an execution position of the certificate checking logic function in the program logic text;
and determining a hook point according to the execution position.
4. The application processing method according to claim 3, wherein the execution position includes a start execution position and an end execution position; the determining of the hook point according to the execution position comprises:
determining an initial hook point according to the initial execution position;
and determining an end hook point according to the end execution position.
5. The application processing method according to claim 4, wherein the bypassing, by the hook function, the function of the certificate checking logic function of the target application comprises:
when the target application program runs to a first target logic position in the program logic text, skipping to execute the hook function;
when the hook function is executed, jumping to a second target logic position in the program logic text, and enabling the target application program to continue to run from the second target logic position;
the first target logic position is a position corresponding to the starting hook point in the program logic text, and the second target logic position is a position corresponding to the ending hook point in the program logic text.
6. The application processing method according to claim 5, wherein the jumping to execute the hook function when the target application is run to a first target logical position in the program logical text comprises:
when the target application program runs to a first target logic position in the program logic text, jumping to the virtual environment from the target application program;
and calling the hook function through the virtual environment.
7. The method according to claim 2, wherein the determining the certificate checking logic function in the program logic text of the installation package corresponding to the target application includes:
acquiring an installation package corresponding to the target application program;
performing decompiling on the installation package to obtain a program logic text of the installation package;
determining the certificate checking logic function in the program logic text.
8. The application processing method of claim 1, wherein prior to the running of the virtual environment, the application processing method further comprises:
setting the hook function in a dynamic loading library of the virtual environment;
compiling the virtual environment provided with the hook function to obtain the compiled virtual environment.
9. The application processing method of claim 1, wherein the virtual environment comprises a simulation run process; the running of the target application in the virtual environment includes:
installing an installation package corresponding to the target application program in the virtual environment;
and running the target application program through the simulation running process.
10. The application processing method according to any one of claims 1 to 9, wherein after bypassing the function of the certificate checking logic function of the target application by the hook function, the application processing method further comprises:
acquiring the interactive data of the target application program and the server;
and performing at least one of data interaction correctness checking, data flow monitoring or data information monitoring according to the interaction data.
11. The method for processing the application program according to claim 10, wherein the obtaining the interaction data of the target application program and the server comprises:
in the process of data interaction between the target application program and the server, acquiring the interaction data between the target application program and the server through a data acquisition tool;
and acquiring the interactive data sent by the data acquisition tool.
12. The method for processing the application program according to claim 11, wherein the acquiring the interaction data of the target application program and the server through a data acquisition tool in the process of data interaction between the target application program and the server includes:
when the target application program sends first interaction information to the server, acquiring the first interaction information through a data acquisition tool, and simulating the target application program to send second interaction information to the server through the data acquisition tool, wherein the second interaction information is obtained according to the first interaction information;
when the server sends third interactive information to the target application program, the third interactive information is obtained through the data obtaining tool, and the server is simulated through the data obtaining tool to send fourth interactive information to the target application program, wherein the fourth interactive information is obtained according to the third interactive information.
13. An application processing apparatus, comprising:
a first program running unit for running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit for running the target application program in the virtual environment;
and the function bypass unit is used for bypassing the function of the certificate checking logic function of the target application program through the hook function in the running process of the target application program, so that the interactive data of the target application program and the server can be acquired.
14. An application processing apparatus, comprising:
at least one processor;
at least one memory for storing at least one program;
wherein the application processing method according to any one of claims 1 to 12 is implemented when at least one of said programs is executed by at least one of said processors.
15. A computer-readable storage medium characterized by: in which a program executable by a processor is stored, which program, when being executed by the processor, is adapted to carry out the application processing method of any one of claims 1 to 12.
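The control flow of claims 2 to 6, modelled as a toy interpreter. This is an added example, not code from the patent: the operation names, the certificate strings and the `VirtualEnv`, `locate_check` and `demo` names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the decompiled "program logic text":
# (position, operation) pairs. Operation names are hypothetical.
PROGRAM = [
    (0, "build_request"),
    (1, "verify_cert_begin"),  # start execution position of the check
    (2, "compare_pin"),
    (3, "verify_cert_end"),    # end execution position of the check
    (4, "send_request"),
]

def locate_check(program):
    """Claims 3-4: derive start and end hook points from the check's positions."""
    start = next(p for p, op in program if op == "verify_cert_begin")
    end = next(p for p, op in program if op == "verify_cert_end")
    return start, end

@dataclass
class VirtualEnv:
    hooks: dict = field(default_factory=dict)  # start point -> (hook fn, end point)
    trace: list = field(default_factory=list)  # operations actually executed

    def set_hook(self, start, end, fn):
        self.hooks[start] = (fn, end)

    def run(self, program, presented_cert, pinned_cert):
        ops = dict(program)
        pc = 0
        while pc in ops:
            if pc in self.hooks:
                fn, end = self.hooks[pc]
                fn(self)   # claim 6: app jumps into the environment, which calls the hook
                pc = end   # claim 5: resume at the end hook point
                continue
            self.trace.append(ops[pc])
            if ops[pc] == "compare_pin" and presented_cert != pinned_cert:
                self.trace.append("abort")
                return False
            pc += 1
        return True

def demo(hooked):
    env = VirtualEnv()
    if hooked:
        start, end = locate_check(PROGRAM)
        env.set_hook(start, end, lambda e: e.trace.append("hook"))
    # The presented certificate is a capture tool's, so it differs from the pin.
    ok = env.run(PROGRAM, presented_cert="proxy-cert", pinned_cert="server-cert")
    return ok, env.trace
```

In the hooked run the comparison at position 2 never executes, so the program reaches `send_request` even though the presented certificate differs from the pinned one; that is the condition under which the data acquisition tool of claims 10 to 12 can read the interaction data.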
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110834851.6A CN113467784B (en) 2021-07-23 2021-07-23 Application processing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113467784A (en) 2021-10-01
CN113467784B (en) 2023-12-22

Family

ID=77882008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110834851.6A Active CN113467784B (en) 2021-07-23 2021-07-23 Application processing method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113467784B (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060143700A1 (en) * 2004-12-24 2006-06-29 Check Point Software Technologies, Inc. Security System Providing Methodology for Cooperative Enforcement of Security Policies During SSL Sessions
CN107220083A (en) * 2017-05-22 2017-09-29 韩皓 Exempt from the method and system of installation and operation application program in a kind of Android system
US20190347406A1 (en) * 2018-05-09 2019-11-14 International Business Machines Corporation Dynamically generating and injecting trusted root certificates
CN111027070A (en) * 2019-12-02 2020-04-17 厦门大学 Malicious application detection method, medium, device and apparatus
CN111046387A (en) * 2019-12-05 2020-04-21 深圳市任子行科技开发有限公司 Analysis and detection method and system for APP uploading user information

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Qiang Zeng et al.: "Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs", IEEE Transactions on Dependable and Secure Computing, pages 2582 - 2600 *
Li Junchen: "Research and Implementation of Dynamic Loading Technology Based on the Android Platform", China Master's Theses Full-text Database, Information Science and Technology, pages 138 - 704 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113810431A (en) * 2021-11-19 2021-12-17 北京云星宇交通科技股份有限公司 Method and system for traffic Internet of things terminal security detection based on Hook
CN117472720A (en) * 2023-12-28 2024-01-30 北京中科闻歌科技股份有限公司 General data acquisition system
CN117724726A (en) * 2024-02-05 2024-03-19 腾讯科技(深圳)有限公司 Data processing method and related device
CN117724726B (en) * 2024-02-05 2024-05-28 腾讯科技(深圳)有限公司 Data processing method and related device

Also Published As

Publication number Publication date
CN113467784B (en) 2023-12-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant