CN113467784B - Application processing method and device and computer readable storage medium - Google Patents

Publication number
CN113467784B
Authority
CN
China
Prior art keywords
target application
function
application program
program
logic
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110834851.6A
Other languages
Chinese (zh)
Other versions
CN113467784A (en
Inventor
章勤杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Chengdu Co Ltd
Original Assignee
Tencent Technology Chengdu Co Ltd
Application filed by Tencent Technology Chengdu Co Ltd
Priority to CN202110834851.6A
Publication of CN113467784A
Application granted
Publication of CN113467784B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/53 Decompilation; Disassembly
    • G06F8/60 Software deployment
    • G06F8/61 Installation
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/445 Program loading or initiating
    • G06F9/44521 Dynamic linking or loading; Link editing at or after load time, e.g. Java class loading
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45591 Monitoring or debugging support

Abstract

The application processing method first runs a virtual environment whose dynamic loading library is provided with a hook function, the hook function being set according to a certificate verification logic function of a target application program. The target application program is then run in the virtual environment, and while it is running the hook function bypasses the certificate verification logic function of the target application program, so that the interaction data between the target application program and the server can be acquired. Because the hook function is provided in the dynamic loading library of the virtual environment, the interaction data between the target application program and the server can be effectively acquired without modifying the target application program, which makes detection processing of the target application program convenient. The method and the device can therefore be widely applied in software detection technology.

Description

Application processing method and device and computer readable storage medium
Technical Field
The present disclosure relates to the field of software detection technologies, and in particular, to an application processing method and apparatus, and a computer readable storage medium.
Background
With the development of intelligent terminal technology, more and more application programs (Apps) run on intelligent terminals, such as game Apps, learning Apps, social Apps and information Apps. However, because the threshold for developing Apps is low, Apps have grown in an unregulated way, and the compliance problems they expose have become more serious. To detect whether an App meets compliance requirements, it is commonly necessary to acquire the interaction data between the App and a server for data analysis. The common approach at present is to modify the target application program by adding the code of a log printing module to it, that is, to obtain the interaction data between the App and the server by printing logs. This approach, however, interferes with the normal operation of the App and hinders its release and use.
Disclosure of Invention
The following is a summary of the subject matter described in detail herein. This summary is not intended to limit the scope of the claims.
The embodiments of the present application provide an application processing method, an application processing device and a computer readable storage medium, which enable the interaction data between a target application program and a server to be effectively acquired without modifying the target application program.
In one aspect, an embodiment of the present application provides an application processing method, including the following steps:
running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
running the target application in the virtual environment;
and in the running process of the target application program, bypassing the function of the certificate verification logic function of the target application program through the hook function, so that the interaction data of the target application program and a server can be acquired.
On the other hand, the embodiment of the application also provides an application processing device, which comprises:
the first program running unit is used for running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit for running the target application program in the virtual environment;
and the function bypass unit is used for bypassing the function of the certificate verification logic function of the target application program through the hook function in the running process of the target application program, so that the interaction data of the target application program and a server can be acquired.
Optionally, the application processing device further includes:
a function determining unit, configured to determine the certificate verification logic function in a program logic text of an installation package corresponding to the target application program;
a hook point determining unit for determining a hook point according to the certificate verification logic function;
a first function setting unit configured to set the hook function in the virtual environment according to the hook point.
Optionally, the hook point determining unit includes:
an execution position determining unit, configured to determine an execution position of the certificate check logic function in the program logic text;
and the hook point determining subunit is used for determining a hook point according to the execution position.
Optionally, the execution position includes a start execution position and an end execution position; the hook point determination subunit includes:
a first determining subunit, configured to determine a starting hook point according to the starting execution position;
and the second determining subunit is used for determining an end hook point according to the end execution position.
Optionally, the function bypass unit includes:
a first jump execution unit, configured to jump to execute the hook function when the target application program runs to a first target logic location in the program logic text;
a second jump execution unit, configured to jump to a second target logic location in the program logic text when the hook function has been executed, so that the target application program continues to run from the second target logic location;
the first target logic position is a position of the starting hook point corresponding to the program logic text, and the second target logic position is a position of the ending hook point corresponding to the program logic text.
Optionally, the first jump execution unit includes:
a jump execution subunit, configured to jump from the target application program to the virtual environment when the target application program runs to a first target logic location in the program logic text;
and the function calling unit is used for calling the hook function through the virtual environment.
Optionally, the function determining unit includes:
the installation package acquisition unit is used for acquiring an installation package corresponding to the target application program;
the decompilation unit is used for decompiling the installation package to obtain a program logic text of the installation package;
and the function determining subunit is used for determining the certificate checking logic function in the program logic text.
Optionally, the application processing device further includes:
a second function setting unit, configured to set the hook function in a dynamic loading library of the virtual environment;
and the compiling unit is used for compiling the virtual environment provided with the hook function to obtain the compiled virtual environment.
Optionally, the virtual environment includes a simulated running process; the second program running unit includes:
a program installation unit, configured to install an installation package corresponding to the target application program in the virtual environment;
and the program running subunit is used for running the target application program through the simulation running process.
Optionally, the application processing device further includes:
the data acquisition unit is used for acquiring the interaction data of the target application program and the server;
and the data processing unit is used for carrying out at least one of data interaction correctness checking, data flow detection or data information detection according to the interaction data.
Optionally, the data acquisition unit includes:
the first acquisition subunit is used for acquiring the interaction data of the target application program and the server through a data acquisition tool in the process of carrying out data interaction between the target application program and the server;
and the second acquisition subunit is used for acquiring the interaction data sent by the data acquisition tool.
Optionally, the first acquisition subunit includes:
the first data processing subunit is configured to, when the target application program sends first interaction information to the server, acquire the first interaction information through a data acquisition tool and have the data acquisition tool, simulating the target application program, send second interaction information to the server, wherein the second interaction information is obtained according to the first interaction information;
and the second data processing subunit is configured to, when the server sends third interaction information to the target application program, acquire the third interaction information through the data acquisition tool and have the data acquisition tool, simulating the server, send fourth interaction information to the target application program, wherein the fourth interaction information is obtained according to the third interaction information.
On the other hand, the embodiment of the application also provides an application processing device, which comprises:
at least one processor;
at least one memory for storing at least one program;
the application processing method as described above is implemented when at least one of said programs is executed by at least one of said processors.
In another aspect, embodiments of the present application further provide a computer readable storage medium, in which a processor executable program is stored, where the processor executable program is used to implement the application processing method as described above when executed by a processor.
In another aspect, embodiments of the present application also provide a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The computer instructions are read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, cause the computer device to perform the application processing method as described above.
In the embodiments of the present application, the virtual environment is run first, and the target application program is then run in the virtual environment. A hook function is provided in the dynamic loading library of the virtual environment and is set according to the certificate verification logic function of the target application program, so that the hook function can bypass the certificate verification logic function of the target application program while the target application program is running.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the application. The objectives and other advantages of the application will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the technical solutions of the present application and constitute a part of this specification. Together with the embodiments of the present application, they serve to explain the technical solutions of the present application and do not limit them.
FIG. 1 is a schematic diagram of the current scheme for acquiring interaction data between an App and a server by printing logs;
FIG. 2 is a schematic diagram of an implementation environment provided by embodiments of the present application;
FIG. 3 is a flowchart of an application processing method according to an embodiment of the present application;
FIG. 4 is a schematic diagram of an interface in which an application-store application program displays an error message because its packet capture detection function has taken effect, in the related art;
FIG. 5 is a schematic diagram of an interface for enabling an application of an application store class to be displayed normally using the application processing method provided in an embodiment of the present application;
FIG. 6 is a flowchart of the steps for setting a hook function provided in one embodiment of the present application;
FIG. 7 is a related code logical relationship diagram for the representation and management of HTTPS digital certificates in an android system in the related art;
FIG. 8 is a flow chart of a related art verification execution related to certificate verification in an android system;
FIG. 9 is a flow chart of verification execution related to domain name verification in the android system in the related art;
FIG. 10 is a flowchart of a specific method of step 120 of FIG. 6;
FIG. 11 is a flowchart of a specific method of step 300 of FIG. 3;
FIG. 12 is a flowchart of a specific method of step 310 of FIG. 11;
FIG. 13 is a flowchart of a specific method of step 110 of FIG. 6;
FIG. 14 is a flow chart of an application processing method provided in another embodiment of the present application;
FIG. 15 is a flowchart of a specific method of step 200 of FIG. 3;
FIG. 16 is a schematic diagram of a virtual environment architecture provided by one embodiment of the present application;
FIG. 17 is a flow chart of an application processing method provided in another embodiment of the present application;
FIG. 18 is a flowchart of a specific method of step 600 of FIG. 17;
FIG. 19 is a flowchart of a specific method of step 610 of FIG. 18;
FIG. 20 is a flow chart of acquiring interaction data between a target application and a server through a data acquisition tool provided in one specific example of the present application;
FIG. 21 is a schematic diagram of an application processing apparatus according to an embodiment of the present application.
Detailed Description
The present application is further described below with reference to the drawings and specific examples. The described embodiments should not be construed as limitations on the present application, and all other embodiments, which may be made by those of ordinary skill in the art without the exercise of inventive faculty, are intended to be within the scope of the present application.
In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application only and is not intended to be limiting of the present application.
Before the embodiments of the present application are described in further detail, the terms and expressions used in the embodiments are explained; the following explanations apply to them.
1) The virtual environment is a test environment provided for the App to be detected. In this test environment, the App to be detected can be run without being installed into the system, and the operations it performs have no effect on the operating system of the host. The host is the terminal device on which the App to be detected is installed and run, such as a smartphone or a tablet computer.
2) The dynamic loading library is a way of implementing a shared function library; it allows a process to call functions that are not part of its own executable code. A dynamic loading library contains one or more functions that have been compiled, linked, and stored separately from the processes that use them.
3) A Hook function (Hook function) is a function used to process system messages. Through the call of the system, the hook function can be hung into the system, so that an application program can filter all messages and events at the system level and access messages which cannot be accessed under normal conditions.
4) The certificate verification logic function is the function in an App that implements the verification logic for digital certificates. A digital certificate is a file used to mark identity information in network communication and digital interaction scenarios. It relies on asymmetric encryption: the digital signature of the target content is calculated with a private key, and wherever identity needs to be verified, the verification is completed with the public key corresponding to that private key. The digital certificate is the file that stores the public key, the identity information, the signature string and similar content. The root certificate is the public key certificate of a legitimate certificate authority (Certification Authority, CA). It is the origin of the trust chain in a public key infrastructure and is itself a digital certificate. The root certificate is self-signed, i.e. signed with its own private key. In a trust hierarchy based on digital certificates, certificates are commonly organized as follows: certificate A is a root certificate and issues certificate B (certificate B is an intermediate certificate, signed with the private key of certificate A and verifiable with the public key of certificate A); certificate B can in turn issue certificate C, and so on. The result is a chained structure of digital certificates, called a digital certificate chain. Digital certificate chain verification means that, when identity is verified, every digital certificate on the chain must be verified, up to and including confirmation that the root certificate is a trusted certificate.
5) Program logic text refers to program logic code. For example, the program logic text of an installation package refers to the program logic code of the installation package.
6) A hook point is the logical point that is modified when the Hook technique is used to modify the program logic code in an application program process, i.e. the entry point of the Hook technique.
7) The data acquisition tool, also called a packet capture tool, can be used to acquire the interaction data of two communicating parties while they are exchanging data.
8) Packet capture detection is a technique by which an App discovers that the current network environment has been hijacked and prevents its communication packets from being intercepted by an unknown third party. The core implementation of packet capture detection relies on verification of the digital certificate chain.
At present, during the development of an App, or when the release version of an App is checked for compliance, it is a common requirement to inspect the data that the App obtains from the network in order to analyze whether the App meets compliance requirements. The common approach is to modify the App by adding the code of a log printing module to its program logic code, that is, to obtain the interaction data between the App and the server by printing logs. FIG. 1 is a schematic diagram of this scheme. In the scheme, all network requests of the App must be routed through a network module, log output code is added at the data sending port and the data receiving port of the network module, and a log output control switch must also be added to the log printing module so that the App outputs its interaction data with the server only in debugging mode. The scheme has several drawbacks. Because the program logic code of the App must be modified, the scheme can only be applied to an App whose source code is available, so the interaction data between a third-party App and its server cannot be obtained. The scheme can also only be applied to a test version of the App: for the release version, the log output control switch must be turned off for security, so the scheme cannot be used there. In addition, the log printing module must be triggered by an instruction to output the interaction data between the App and the server, so efficiency is low.
In order to enable the interaction data between a target application program and a server to be effectively acquired without modifying the target application program, the embodiments of the present application provide an application processing method, an application processing device and a computer readable storage medium. A virtual environment is run first, and the target application program is then run in the virtual environment. A hook function is provided in the dynamic loading library of the virtual environment and is set according to the certificate verification logic function of the target application program, so the hook function can bypass the certificate verification logic function of the target application program while the target application program is running. Because the hook function is provided in the dynamic loading library of the virtual environment, the scheme provided by the embodiments of the present application can effectively acquire the interaction data between the target application program and the server without modifying the target application program, which makes compliance detection processing of the target application program convenient.
FIG. 2 is a schematic diagram of an implementation environment provided by embodiments of the present application. Referring to FIG. 2, the implementation environment includes an operating system 101 and a virtual environment 102.
The operating system 101 may be an Android system or a HarmonyOS (Hongmeng) system, and the operating system 101 may run on a terminal device such as, but not limited to, a smartphone, a tablet, a netbook, a personal digital assistant (PDA), a wearable electronic device, or a virtual reality device.
The virtual environment 102 may be provided by a virtual environment application installed in the operating system 101, which may generate the virtual environment 102 when the virtual environment application is running in the operating system 101. The virtual environment 102 has at least functions of loading and running the target application program, and can run the target application program without installing the target application program to the operating system 101, and all logic operations executed by the target application program can not affect the operating system 101. In addition, a dynamic loading library is arranged in the virtual environment, and a hook function is arranged in the dynamic loading library.
In an alternative implementation, a virtual environment application may first be run in the operating system 101, so that the virtual environment application generates the virtual environment 102 in the operating system 101. The target application program is then loaded in the virtual environment 102, so that the running logic of the hook function in the virtual environment 102 can be injected into the program running logic of the target application program. The target application program is then run in the virtual environment 102, and its program running logic is changed by the hook function; for example, the certificate verification logic function of the target application program is skipped, so that the packet capture detection function of the target application program is disabled. Because the hook function bypasses the certificate verification logic function of the target application program and thereby renders it ineffective, the interaction data between the target application program and the server can be acquired through the data acquisition tool. In FIG. 2, the solid lines with arrows represent the original logical process flow of the target application program; the dashed line with arrows represents the process flow in which the virtual environment 102 loads the target application program so that the running logic of the hook function is injected into the program running logic of the target application program, and the dashed line with arrows represents the actual logical process flow of the target application program after its program running logic has been changed by the hook function.
Fig. 3 is a flowchart of an application processing method provided in an embodiment of the present application, where the application processing method may be applied to a terminal device capable of running an implementation environment as in the embodiment shown in fig. 2. In fig. 3, the application processing method includes, but is not limited to, steps 100, 200 and 300.
Step 100: and running the virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of the target application program.
In this step, in order to implement compliance detection of the target application program, the virtual environment application program may be first run in the terminal device, so that the virtual environment application program generates a virtual environment for performing a detection test on the target application program, so that the following step may run the target application program in the virtual environment and obtain interaction data between the target application program and the server, thereby avoiding that each operation performed by the target application program affects an operating system of the terminal device.
In the related art, there is also a technical solution that acquires interaction data between a target application program and a server by means of man-in-the-middle access; specifically, it acquires the interaction data by using a third-party packet capturing tool. In this technical solution, the target application program needs to trust the root certificate file provided by the packet capturing tool, so that when the packet capturing tool constructs a digital certificate and sends it to the target application program, the digital certificate passes the verification performed by the target application program, the whole man-in-the-middle access is established, and the interaction data between the target application program and the server can be obtained. However, to meet security requirements, a packet capture detection function is often set in the target application program, that is, a certificate verification logic function is set in the target application program. The certificate verification logic function verifies the credibility of the digital certificate, so that it can detect whether the current network environment is hijacked by a man-in-the-middle and prevent interaction data of the target application program and the server from being intercepted by an unknown third party. Therefore, when the packet capturing tool constructs the digital certificate and sends it to the target application program, the certificate verification logic function of the target application program returns a result indicating that verification of the digital certificate failed, so that the packet capturing tool cannot acquire the interaction data between the target application program and the server.
For example, fig. 4 is a schematic interface diagram, in a specific example, of an application-store application program displaying error prompt information because the packet capture detection function has taken effect. In the example of fig. 4, when the application-store application program is run to download a certain game application program, it requests relevant data of the game application program from a server. If a packet capturing tool captures the data at this time, then because the application-store application program has detection and protection measures against packet capturing behavior, it displays an interface as shown in fig. 4 and gives a prompt message of "the potential safety hazard exists in the current network, please switch to the secure network and retry".
This step addresses the problem in the related art that the compliance detection processing of the target application program cannot be implemented by using the packet capturing tool. The hook function is set in the dynamic loading library of the virtual environment and is set according to the certificate verification logic function of the target application program. When the target application program is loaded in the virtual environment in the subsequent step, the hook function of the virtual environment can therefore be injected into the program running logic of the target application program without modifying and recompiling the target application program. The hook function changes the program running logic of the target application program so that the certificate verification logic function of the target application program is disabled, and the compliance detection processing of the target application program can be implemented conveniently.
Step 200: the target application is run in the virtual environment.
In this step, since the virtual environment is operated in step 100, at this time, the target application may be operated in the virtual environment, so that the hook function of the virtual environment can be injected into the program operation logic of the target application, thereby being able to change the program operation logic of the target application.
In an alternative implementation of this step, after executing the virtual environment in step 100, the virtual environment may actively load a predetermined target application program, after loading the target application program, the virtual environment may simulate the installation of the target application program, and after simulating the installation of the target application program, the virtual environment may run the target application program.
Step 300: in the running process of the target application program, the function of the certificate verification logic function of the target application program is bypassed through the hook function, so that the interaction data of the target application program and the server can be acquired.
In this step, since the virtual environment is operated in step 100 and the target application is operated through the virtual environment in step 200, and the hook function is set in the dynamic loading library of the virtual environment, the hook function is set according to the certificate verification logic function of the target application, and therefore, in the process of operating the target application, the function of the certificate verification logic function of the target application can be bypassed through the hook function, so that the interaction data of the target application and the server can be acquired, and the compliance detection processing of the target application can be realized in the subsequent step.
Bypassing the function of the certificate verification logic function of the target application program through the hook function means that the call to the certificate verification logic function of the target application program is skipped by means of the hook function, so that the function of the certificate verification logic function is disabled. Therefore, in this step, the interaction data between the target application program and the server can be effectively obtained while the target application program is running, so that whether the target application program meets the compliance requirement can be analyzed according to the interaction data in the subsequent step.
In this embodiment, by adopting the application processing method including the foregoing steps 100, 200 and 300, the virtual environment is first run in the terminal device, and then the target application is run in the virtual environment, where a hook function is set in the dynamic load library of the virtual environment, the hook function is set according to the certificate verification logic function of the target application, and the hook function can bypass the function of the certificate verification logic function of the target application during the running process of the target application. Because the hook function is arranged in the dynamic loading library of the virtual environment, the embodiment can effectively acquire the interaction data between the target application program and the server under the condition that the target application program is not required to be modified, thereby being convenient for realizing the compliance detection processing of the target application program. For example, as shown in fig. 5, fig. 5 is a schematic view of an interface for normally displaying an application program of an application store class by using the application processing method of the present embodiment. In the example of fig. 5, when an application of an application store class is run in a virtual environment to download a game application, the application of the application store class requests related data of the game application from a server, and at this time, since a hook function set in a dynamic loading library of the virtual environment bypasses a function of a certificate check logic function of a target application, the application of the application store class displays an interface as shown in fig. 5, and displays information such as application details, comments, and the like acquired from the server.
Referring to fig. 6, in one embodiment of the present application, a further description is given of a manner of setting a hook function, where the hook function is set according to a certificate verification logic function of a target application, and specifically includes, but is not limited to, step 110, step 120, and step 130.
Step 110: a certificate verification logic function is determined in the program logic text of the installation package corresponding to the target application program.
In this step, in order to enable the hook function to accurately bypass the function of the certificate check logic function of the target application program, the certificate check logic function may be determined in advance in the program logic text of the installation package corresponding to the target application program, so that the hook function may be set in the virtual environment according to the certificate check logic function in the subsequent step.
It should be noted that, the certificate verification logic function is determined in advance in the program logic text of the installation package corresponding to the target application program, and different embodiments are possible. For example, when the target application is a locally developed application, that is, when the original program logic text of the target application is locally provided, the certificate check logic function may be directly determined in the program logic text of the installation package corresponding to the target application; for another example, when the target application is an application developed by a third party, that is, when there is no original program logic text of the target application locally, the target application may be downloaded from the server, and then the static decompilation process is performed on the installation package of the target application to obtain a program logic text of the installation package corresponding to the target application, and then the certificate verification logic function is determined in the program logic text.
Step 120: the hook point is determined from the certificate verification logic function.
In this step, since the certificate verification logic function is determined in step 110, the hook point may be determined according to the certificate verification logic function, so that the subsequent step may set the corresponding hook function in the virtual environment according to the hook point.
A specific example is described below with reference to fig. 7 to fig. 9. Fig. 7 is a logic relationship diagram of the related code for representing and managing digital certificates of the Hypertext Transfer Protocol Secure (HTTPS) in an android system, fig. 8 is a verification execution flow chart related to certificate verification in an android system, and fig. 9 is a verification execution flow chart related to domain name verification in an android system. As can be seen from fig. 7, the digital certificate is represented by using the X509 certificate interface, and the implementation classes for managing the digital certificate mainly include the TrustManagerImpl class, the NetworkSecurityTrustManager class, the NetworkSecurityConfig class, the RootTrustManager class, and the like. As can be seen from fig. 8 and fig. 9, the target application program realizes the packet capture detection function mainly through digital certificate verification and domain name verification. Referring to fig. 8, when a target application program executes the verification logic of a digital certificate, a handshake connection to the server is requested through the OpenSSLSocketImpl#startHandshake() function, the handshake connection is implemented through the NativeCrypto#SSL_do_handshake() function, verification of the digital certificate chain is triggered through the OpenSSLSocketImpl#verifyCertificateChain() function, and the digital certificate chain is then forwarded through the Platform#checkServerTrusted() function to the corresponding verification module for the corresponding verification processing. Referring to fig. 9, when the target application program executes the verification logic of the domain name, the verification of the domain name is triggered by the RealConnection#connectTls() function, and the corresponding domain name verification processing is then performed in the corresponding verification module.
When the digital certificate is constructed by using the packet capturing tool and transmitted to the target application program, the domain name information in the digital certificate constructed by the packet capturing tool is consistent with the domain name information in the real digital certificate, so that when the hook function is set, the execution of the domain name checking logic is not required to be concerned, and the hook function can bypass the execution of the digital certificate checking logic, therefore, by executing the step 110 to determine the certificate checking logic function and the step 120 to determine the hook point according to the certificate checking logic function, the follow-up step can accurately set the hook function according to the hook point, and the compliance detection processing of the target application program in the follow-up step can be smoothly executed.
It should be noted that, the above-mentioned related code logic relationship for the representation and management of the HTTPS digital certificate and the verification execution flow related to the verification of the certificate are only a simple introduction of the verification principle of the digital certificate, and do not represent the whole content of the verification principle of the digital certificate. Since the verification principle of the digital certificate is a mature technical principle in the field, other content descriptions about the verification principle of the digital certificate can refer to related descriptions about the verification principle of the digital certificate in the related art, and are not repeated herein.
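The following added example (not part of the patent text) models the two checks described above with constructed certificate records. It shows that the domain name check alone does not distinguish a certificate constructed by a packet capturing tool from the genuine one, while the chain check against the application's trusted roots does. The `Cert` record, the host name and all key bytes are assumptions made for illustration, and signature verification is deliberately left out of this simplified model.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate (no real signatures)."""
    subject: str
    issuer: str
    dns_names: tuple      # subjectAltName dNSName entries
    public_key: bytes     # stand-in for the SubjectPublicKeyInfo bytes
    is_ca: bool = False


def key_id(cert):
    """SHA-256 over the public key bytes, used to identify trusted roots."""
    return hashlib.sha256(cert.public_key).hexdigest()


def hostname_matches(cert, host):
    """Domain name check: exact match, or a wildcard covering one label."""
    host = host.lower().rstrip(".")
    for name in cert.dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]                      # e.g. ".example.test"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def chain_is_trusted(chain, trusted_root_ids):
    """Chain check: each issuer is the next subject and the root is trusted."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject or not parent.is_ca:
            return False
    root = chain[-1]
    return (root.is_ca and root.issuer == root.subject
            and key_id(root) in trusted_root_ids)


def check_server(chain, host, trusted_root_ids):
    """Run both checks and report each result separately."""
    return {
        "domain_ok": bool(chain) and hostname_matches(chain[0], host),
        "chain_ok": chain_is_trusted(chain, trusted_root_ids),
    }


# Constructed sample data (all names and key bytes are made up).
HOST = "store.example.test"
REAL_ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", (), b"real-root-key", True)
REAL_LEAF = Cert("CN=" + HOST, REAL_ROOT.subject, (HOST,), b"real-leaf-key")
CAPTURE_ROOT = Cert("CN=Capture Tool CA", "CN=Capture Tool CA", (), b"tool-root-key", True)
# The packet capturing tool copies the domain name into the certificate it builds.
CAPTURE_LEAF = Cert("CN=" + HOST, CAPTURE_ROOT.subject, (HOST,), b"tool-leaf-key")

GENUINE_CHAIN = [REAL_LEAF, REAL_ROOT]
CAPTURE_CHAIN = [CAPTURE_LEAF, CAPTURE_ROOT]
APP_TRUST = frozenset({key_id(REAL_ROOT)})          # roots the application trusts

if __name__ == "__main__":
    print("genuine:", check_server(GENUINE_CHAIN, HOST, APP_TRUST))
    print("capture:", check_server(CAPTURE_CHAIN, HOST, APP_TRUST))
```

The third case in the related art, where the application is made to trust the tool's root certificate file, corresponds to adding `key_id(CAPTURE_ROOT)` to the trusted set, after which the chain check also passes.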
Step 130: a hook function is set in the virtual environment according to the hook point.
In this step, since the hook point is determined in step 120, a corresponding hook function may be set in the virtual environment according to the hook point, so that when the target application program is operated in the virtual environment in the subsequent step, the hook function may be injected into the program operation logic of the target application program at the determined hook point, so that the program operation logic of the target application program may be changed, and the certificate verification logic function of the target application program may be bypassed, thereby facilitating implementation of the compliance detection processing for the target application program.
In an alternative implementation manner, an associated plug-in executable file may be preset in the installation directory of the virtual environment, where the plug-in executable file includes hook functions corresponding to various certificate verification logic functions one-to-one, so when step 130 is performed to set the hook functions in the virtual environment according to the hook points, the corresponding hook functions may be called from the plug-in executable file, so as to achieve the purpose of setting the hook functions in the virtual environment.
Referring to fig. 10, in one embodiment of the present application, step 120 is further described, and step 120 may include, but is not limited to, step 121 and step 122.
Step 121: the execution position of the certificate checking logic function in the program logic text is determined.
In this step, since the certificate check logic function is determined in step 110, the execution position of the certificate check logic function can be determined in the program logic text of the installation package corresponding to the target application program, so that the hook point can be accurately determined in the subsequent steps.
It should be noted that, the certificate verification logic function includes a function entry and a function exit, where the function entry refers to a location where the certificate verification logic function is called, the function exit refers to a location where the certificate verification logic function outputs a return value, and the return value of the certificate verification logic function may be returned to the target application program as a result of calling the certificate verification logic function, for example, the return value may be a value indicating that the certificate passes or a value not passing the verification. Thus, in performing step 121 to determine the execution location of the certificate check logic function in the program logic text, the function entry and the function exit of the certificate check logic function may be determined, so that subsequent steps may be facilitated to accurately determine the hook point.
Step 122: the hook point is determined according to the execution position.
In this step, since the execution position of the certificate check logic function in the program logic text is determined in step 121, the hook point may be determined according to the execution position, so that the subsequent step may set the corresponding hook function in the virtual environment according to the hook point.
As shown in table 1 below, table 1 is the location of the logical code in the target application that may trigger the packet-grabbing detection function.
TABLE 1
The Hook point in table 1 is key logic of the certificate verification function in the target application program, and the certificate verification function in the target application program can be disabled by performing Hook processing on the certificate verification logic in table 1, so that interaction data of the target application program and the server can be effectively obtained, and compliance detection processing of the target application program can be conveniently realized.
In addition, in an embodiment of the present application, where the execution position includes a start execution position and an end execution position, further describing step 122, step 122 may include the following steps:
firstly, determining a starting hook point according to a starting execution position;
then, an end hook point is determined from the end execution position.
Note that, the start execution position in the present embodiment corresponds to the function entry in the embodiment shown in fig. 10, and the end execution position corresponds to the function exit in the embodiment shown in fig. 10. Since the hook function needs to be set in the virtual environment for the hook point after the hook point is determined, so that the hook function can bypass the function of the certificate verification logic function of the target application, in determining the hook point, it is necessary to determine the start hook point according to the start execution position and determine the end hook point according to the end execution position, so that in setting the hook function in the virtual environment, the hook function capable of bypassing the certificate verification logic function of the target application can be set according to the start hook point and the end hook point.
It should be noted that, the starting execution position is a starting position of the running logic of the certificate verification logic function, and thus, in an alternative implementation, the determining the starting hook point according to the starting execution position may specifically be: a logical execution position in front of the certificate verification logic function is determined in the program logic text according to the initial execution position, and then the logical execution position is determined to be a position corresponding to the initial hook point. In addition, the end execution position is an end position of the execution logic of the certificate verification logic function, and thus, in an alternative implementation, the end hook point may be determined according to the end execution position specifically: a logical execution position behind the certificate verification logic function is determined in a program logic text according to the ending execution position, and then the logical execution position is determined as a position corresponding to the ending hook point.
Referring to fig. 11, in one embodiment of the present application, the function of bypassing the certificate checking logic function of the target application through the hook function in step 300 is further described, and the function of bypassing the certificate checking logic function of the target application through the hook function in step 300 may include, but is not limited to, steps 310 and 320.
Step 310: when the target application program runs to a first target logic position in the program logic text, execution jumps to the hook function.
In this step, the first target logic position is the position in the program logic text that corresponds to the start hook point. Since the hook function in the dynamic loading library of the virtual environment has been injected into the program running logic of the target application program during execution of step 200, the running logic of the target application program changes when it reaches the first target logic position in the program logic text, and execution jumps to the hook function.
Step 320: when the hook function has finished executing, execution jumps to a second target logic position in the program logic text, and the target application program continues to run from the second target logic position.
In this step, the second target logical position is a position of the end hook point corresponding to the program logical text. Since the target application program is caused to jump from its original execution logic to the execution logic of the hook function in step 310, after the execution logic of the hook function is executed, the execution logic of the whole program jumps to a second target logic position in the program logic text, so that the target application program can continue to run from the second target logic position.
In this embodiment, by executing step 310 and step 320, when the target application program runs to the first target logic position corresponding to the start hook point in the program logic text, execution jumps to the hook function; after the hook function has finished executing, execution jumps to the second target logic position in the program logic text, and the target application program continues to run from the second target logic position. The certificate verification logic function in the target application program is thereby bypassed without modifying and recompiling the target application program, the function of the certificate verification logic function is disabled, and interaction data between the target application program and the server can be effectively acquired in subsequent steps.
Referring to fig. 12, for a further description of step 310, step 310 may include, but is not limited to, the following steps:
step 311: when the target application program runs to a first target logic position in the program logic text, jumping to the virtual environment from the target application program;
step 312: the hook function is invoked through the virtual environment.
In this embodiment, since the hook function in the dynamic load library of the virtual environment is already injected into the program execution logic of the target application program during the execution of step 200, when the target application program is executed to the first target logic position in the program logic text, the target application program jumps to call the hook function. Because the hook function is arranged in the dynamic loading library of the virtual environment, in the process of jumping and calling the hook function, the running logic of the whole program is firstly jumped to the virtual environment from the target application program, and then the hook function is called through the virtual environment, so that the running logic of the hook function can be smoothly executed, the bypass processing of the certificate checking logic function of the target application program can be conveniently realized, and the purpose of disabling the function of the certificate checking logic function is achieved.
Referring to fig. 13, for a further description of step 110, step 110 may include, but is not limited to, the following steps:
step 111: acquiring an installation package corresponding to a target application program;
step 112: decompiling the installation package to obtain a program logic text of the installation package;
step 113: a certificate checking logic function is determined in the program logic text.
In this embodiment, in order to enable the hook function to accurately bypass the function of the certificate verification logic function of the target application program, step 110 may be executed to determine the certificate verification logic function in the program logic text of the installation package corresponding to the target application program. In the process of executing step 110, it is necessary to obtain the installation package corresponding to the target application program, decompile the installation package to obtain the program logic text of the installation package, and then determine the certificate verification logic function in the program logic text.
In this embodiment, step 111, step 112, and step 113 are steps that are performed in advance before step 100 is performed. The installation package corresponding to the target application program may be copied or downloaded to the terminal device in advance, so when step 111 is executed, the terminal device may directly obtain the installation package corresponding to the target application program from the storage space thereof. In addition, the installation package corresponding to the target application program may be obtained by directly downloading the installation package from the server when the terminal device executes step 111. In addition, a static decompilation tool may be further provided in the terminal device, and after the terminal device executes step 111 to obtain an installation package corresponding to the target application program, the terminal device may call to run the static decompilation tool, decompile the installation package, and obtain a program logic text of the installation package. In addition, after the terminal device performs step 112 to obtain the program logic text of the installation package, the terminal device may determine a certificate verification logic function in the program logic text. It should be noted that, the terminal device may determine the certificate verification logic function in the program logic text by performing processes such as identifying or comparing the content in the program logic text, and when the terminal device performs the process of determining the certificate verification logic function in the program logic text, the content in the program logic text may be displayed to the user, so that the certificate verification logic function may be determined in the program logic text more accurately through the auxiliary process of the user.
Referring to fig. 14, in one embodiment of the present application, the application processing method may further include, but is not limited to, steps 400 and 500 before performing step 100.
Step 400: a hook function is set in a dynamic load library of the virtual environment.
In this step, before executing step 100, a hook function needs to be set in the dynamic load library of the virtual environment. It should be noted that, different embodiments are possible to set the hook function in the dynamic loading library of the virtual environment. For example, different plug-in executable files may be preset in the storage space of the terminal device, where each plug-in executable file is provided with a hook function, and the different plug-in executable files correspond to different certificate verification logic functions, so when the terminal device performs step 400 to set the hook function in the dynamic loading library of the virtual environment, the terminal device may copy the corresponding plug-in executable file into the dynamic loading library, thereby completing the process of setting the hook function in the dynamic loading library. For another example, different plug-in executable files may be preset in the server, each plug-in executable file is provided with a hook function, and the different plug-in executable files correspond to different certificate verification logic functions, so when the terminal device executes step 400 to set the hook function in the dynamic loading library of the virtual environment, the terminal device may first request the corresponding plug-in executable file from the server, and after the terminal device receives the plug-in executable file fed back by the server, the terminal device copies the plug-in executable file into the dynamic loading library, thereby completing the process of setting the hook function in the dynamic loading library.
Step 500: compiling the virtual environment provided with the hook function to obtain a compiled virtual environment.
In this step, since the hook function is already set in the dynamic loading library of the virtual environment in step 400, the virtual environment provided with the hook function may be compiled to obtain a compiled virtual environment, so that the target application program may be operated through the compiled virtual environment in the subsequent step, and the hook function may bypass the function of the certificate verification logic function of the target application program.
It should be noted that after the hook function is set in the dynamic loading library of the virtual environment, the program logic text of the virtual environment has changed. The modified program logic text of the virtual environment therefore needs to be compiled again to generate an executable virtual environment capable of injecting the hook function into the program running logic of the target application program. In the subsequent steps, the target application program can then be run in the virtual environment after the virtual environment is run, and the function of the certificate verification logic function of the target application program can be bypassed through the hook function, so that the interaction data of the target application program and the server can be acquired.
Referring to FIG. 15, in the case where the virtual environment includes a simulated running process, further describing step 200, step 200 may include, but is not limited to, the following steps:
step 210: installing an installation package corresponding to the target application program in the virtual environment;
step 220: running the target application program through the simulated running process.
In this embodiment, when step 200 is performed to run the target application in the virtual environment, the installation package corresponding to the target application may be installed in the virtual environment first, so that the target application is installed in the virtual environment in a simulation manner, and then the target application is run through the simulated running process in the virtual environment, so that in the process of running the target application, the function of the certificate verification logic function of the target application can be bypassed through the hook function, so that the interactive data between the target application and the server can be effectively obtained.
The architecture of the virtual environment is described below with a specific example.
As shown in fig. 16, fig. 16 is a schematic diagram of a virtual environment architecture provided by a specific example. The virtual environment framework comprises a virtual environment main process, a unified management process and a simulation running process.
The virtual environment main process is the main process of the virtual environment and is mainly responsible for the presentation work of a User Interface (UI) of the virtual environment. The virtual environment main process has at least an interface frame management function and a file export function. The interface frame management function is a user interface frame in which a virtual environment host process can construct a virtual environment and is responsible for operation management of a user interface, and in the user interface frame, a file export button, an installation button for selecting an installation package to install, an uninstallation button for uninstalling the installation package, and the like are displayed. The file export function refers to that the virtual environment host process can copy the file output by the target application program from the data directory of the target application program to the designated directory after the target application program has been run.
The unified management process is mainly responsible for realizing the works of installation management of an installation package, starting of an Activity component (Activity), stack management, simulation running process management and the like. The unified management process at least has an installation package installation management function, an active component stack management function, a simulation running process management function and a cross-process interface calling function. The installation package installation management function means that a unified management process can copy an installation package to be installed to a designated directory, decompress the installation package to obtain an executable file (such as a so file), and construct a ClassLoader object to load the installation package. The movable component stack management function is that the unified management process can manage movable component pages of the simulated running installation package, so that all pages of the simulated running installation package can be displayed. The simulation running process management function means that the unified management process can record the process information currently running in the virtual environment and can provide the operations of process exiting, opening and the like. The cross-process interface calling function means that the unified management process can maintain interface capacity required by some main processes and simulation running processes, and can provide a unified capacity output interface for other processes to call.
The simulated running process is the process in which the installation package being run in simulation is actually located, and is mainly responsible for completely presenting the running logic contained in the installation package. To run the installation package, the simulated running process can contain a large amount of Hook logic for the native application program interfaces (Application Programming Interface, API) of the Android system, so that the running logic in the installation package runs normally and is not blocked or misdirected by the Android system when it triggers calls to the APIs of the Android framework. In addition, the implementation logic for file path replacement may also be included in this Hook logic for the APIs. The simulated running process has at least a Hook function for the Android native service, a file storage path replacement function, and a function of running the running logic of the target application itself. The Hook function for the Android native service means that the simulated running process can apply Hook processing to the APIs of the Android system framework, so as to ensure that the system APIs can be correctly called and executed. The file storage path replacement function means that the simulated running process can modify the getDataDir interface, the getFilesDir interface and the getDir interface of the Context object used for running the installation package, so that the path returned by these functions is the subdirectory named with the package name of the installation package. As a result, every file written after obtaining a storage path from these interfaces is written to the subdirectory named with the package name of the installation package. The export operation of the file may be performed based on such logic, and the entire contents of the subdirectory named with the package name of the installation package may be exported directly. The function of running the running logic of the target application program means that the simulated running process can simulate the running logic of the target application program, so that the running logic of the target application program in the virtual environment is basically consistent with its running logic in the Android system or the HarmonyOS system.
Referring to fig. 17, the application processing method is further described. After step 300 is performed, the application processing method may further include, but is not limited to, the following steps:
Step 600: acquiring interaction data of a target application program and a server;
Step 700: carrying out at least one of data interaction correctness checking, data flow detection or data information detection according to the interaction data.
In this embodiment, after the certificate verification logic function of the target application program is bypassed by the hook function in step 300, the certificate verification logic function no longer takes effect. At this point, the interaction data of the target application program and the server can be acquired first, and then at least one of data interaction correctness checking, data flow detection and data information detection is performed according to the interaction data, so as to implement the compliance detection processing for the target application program.
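The following is an added example, not part of the patent text, of what the three checks named in step 700 could look like when run over records exported by a capture tool. The record fields, host names, expected-host list and identifier patterns are assumptions, and the sample records are constructed.

```python
import json
import re
from collections import Counter

# Constructed capture records (not real traffic). The field names are
# assumptions about what a capture tool's export could contain.
CAPTURED = [
    {"id": 1, "host": "api.example.test",
     "request": '{"action":"login","user":"u1"}',
     "status": 200, "response": '{"ok":true}'},
    {"id": 2, "host": "stats.example.test",
     "request": '{"imei":"490154203237518","phone":"13800138000"}',
     "status": 200, "response": '{"ok":true}'},
    {"id": 3, "host": "api.example.test",
     "request": '{"action":"sync"}',
     "status": 500, "response": "internal error"},
    {"id": 4, "host": "api.example.test",
     "request": '{"order":"123456789012345"}',
     "status": None, "response": None},
]
EXPECTED_HOSTS = {"api.example.test"}  # assumption: hosts the application declares

# Assumed identifier shapes: a 15-digit IMEI and an 11-digit mobile number.
PATTERNS = {
    "imei": re.compile(r"(?<!\d)\d{15}(?!\d)"),
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
}


def luhn_valid(digits):
    """IMEIs carry a Luhn check digit; this filters out arbitrary 15-digit numbers."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def check_correctness(records):
    """Data interaction correctness: every request needs a well-formed 2xx reply."""
    problems = []
    for record in records:
        if record["response"] is None:
            problems.append((record["id"], "no response captured"))
        elif not 200 <= record["status"] < 300:
            problems.append((record["id"], f"status {record['status']}"))
        else:
            try:
                json.loads(record["response"])
            except ValueError:
                problems.append((record["id"], "response is not valid JSON"))
    return problems


def check_traffic(records, expected_hosts):
    """Data flow: bytes sent per host, plus hosts outside the expected set."""
    sent = Counter()
    for record in records:
        sent[record["host"]] += len(record["request"].encode())
    unexpected = sorted(host for host in sent if host not in expected_hosts)
    return dict(sent), unexpected


def check_information(records):
    """Data information: device or personal identifiers in outgoing requests."""
    findings = []
    for record in records:
        for kind, pattern in PATTERNS.items():
            for match in pattern.findall(record["request"]):
                if kind == "imei" and not luhn_valid(match):
                    continue  # 15 digits but no valid check digit
                findings.append((record["id"], record["host"], kind))
    return findings


if __name__ == "__main__":
    print(check_correctness(CAPTURED))
    print(check_traffic(CAPTURED, EXPECTED_HOSTS))
    print(check_information(CAPTURED))
```

Record 4 carries a 15-digit order number that fails the Luhn check, so it is not reported as an IMEI, while record 2 is reported for both identifiers and for its unexpected host.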
It should be noted that, in step 600, the interaction data between the target application and the server may be obtained in different ways. For example, a packet capture tool such as Packet Capture, Charles, or Fiddler may be deployed in the terminal device, and the interaction data between the target application and the server may then be acquired by the packet capture tool. Alternatively, a packet capture tool such as Packet Capture, Charles or Fiddler may be deployed in another device; the interaction data between the target application program and the server is acquired through the packet capture tool, and the terminal device then acquires the interaction data from that device.
Referring to fig. 18, a further description of step 600 is provided in one embodiment of the present application, and step 600 may include, but is not limited to, step 610 and step 620.
Step 610: in the process of data interaction between the target application program and the server, acquiring interaction data between the target application program and the server through a data acquisition tool.
In this step, since the function of the certificate verification logic function of the target application is bypassed by the hook function in step 300, the interaction data between the target application and the server can be acquired by the data acquisition tool in the process of data interaction between the target application and the server, so that the compliance detection processing can be performed on the target application according to the interaction data in the subsequent steps.
It should be noted that the data acquisition tool may be a conventional packet capture tool, for example, Packet Capture, Charles, or Fiddler, which is not limited in this embodiment. In addition, the data acquisition tool may be deployed in the terminal device that executes the application processing method, or may be deployed in another device that is communicatively connected to the terminal device, which is not particularly limited in this embodiment.
Step 620: acquiring the interaction data sent by the data acquisition tool.
In this step, after the interactive data of the target application and the server is acquired by the data acquisition tool in step 610, the data acquisition tool may cache the interactive data, so that a data acquisition instruction may be sent to the data acquisition tool, and the interactive data may be acquired from the data acquisition tool, so that a subsequent step may perform compliance detection processing on the target application according to the interactive data.
It should be noted that acquiring the interaction data sent by the data acquisition tool in step 620 may be implemented in different ways. For example, after the data acquisition tool acquires the interaction data of the target application program and the server, it may first buffer the interaction data; after receiving the data acquisition instruction from the terminal device, it reads the interaction data from its buffer space and then sends the interaction data to the terminal device. For another example, after the data acquisition tool acquires the interaction data of the target application program and the server, it can send the interaction data directly to the terminal device, which saves the instruction interaction between the terminal device and the data acquisition tool and can improve the efficiency of acquiring the interaction data.
Referring to fig. 19, in one embodiment of the present application, step 610 is further described, and step 610 may include, but is not limited to, step 611 and step 612.
Step 611: when the target application program sends first interaction information to the server, the first interaction information is acquired through the data acquisition tool, and the target application program is simulated to send second interaction information to the server through the data acquisition tool, wherein the second interaction information is obtained according to the first interaction information.
In this step, when the interaction data between the target application program and the server is acquired through the data acquisition tool and the target application program sends first interaction information to the server, the first interaction information can be acquired by the data acquisition tool. After acquiring the first interaction information, the data acquisition tool can cache it, or can send it directly to the terminal device executing the application program processing method. In addition, after acquiring the first interaction information, the data acquisition tool can simulate the target application program to send the second interaction information to the server. Therefore, the data acquisition tool can effectively acquire the first interaction information sent by the target application program to the server without affecting normal data interaction between the target application program and the server, which allows subsequent steps to carry out compliance detection processing on the target application program according to the first interaction information.
Step 612: when the server sends the third interaction information to the target application program, the third interaction information is acquired through the data acquisition tool, and the data acquisition tool simulates the server to send the fourth interaction information to the target application program, wherein the fourth interaction information is obtained according to the third interaction information.
In this step, when the interaction data between the target application program and the server is acquired through the data acquisition tool and the server sends the third interaction information to the target application program, the third interaction information may be acquired by the data acquisition tool. After acquiring the third interaction information, the data acquisition tool may first buffer it, or may send it directly to the terminal device executing the application program processing method. In addition, after acquiring the third interaction information, the data acquisition tool may simulate the server to send the fourth interaction information to the target application program. Therefore, the data acquisition tool can effectively acquire the third interaction information sent by the server to the target application program without affecting normal data interaction between the target application program and the server, which allows subsequent steps to carry out compliance detection processing on the target application program according to the third interaction information.
With respect to the present embodiment, description will be made below with a specific example, and as shown in fig. 20, fig. 20 is a flowchart for acquiring interaction data between a target application and a server by a data acquisition tool. Specifically, the data acquisition tool for acquiring the interaction data between the target application program and the server may include the following steps:
Step 801: the target application program initiates an HTTPS request to a server;
Step 802: the data acquisition tool intercepts the HTTPS request and initiates the HTTPS request to the server instead of the target application program;
Step 803: the data acquisition tool acquires a digital certificate chain returned by the server;
Step 804: the data acquisition tool returns the digital certificate chain provided by the data acquisition tool to the target application;
Step 805: the target application program encrypts the symmetric key A by using the public key provided by the data acquisition tool to obtain first key information and sends the first key information to the server;
Step 806: the data acquisition tool intercepts the first key information, decrypts the first key information by using its own private key to obtain and store the symmetric key A, encrypts a symmetric key B by using the public key provided by the server to obtain second key information, and sends the second key information to the server;
Step 807: the server decrypts the second key information by using the private key to obtain a symmetric key B, encrypts plaintext response data to be sent to the target application program by using the symmetric key B to obtain ciphertext response data, and sends the ciphertext response data to the target application program;
Step 808: the data acquisition tool intercepts the ciphertext response data, decrypts the ciphertext response data by using the symmetric key B to obtain and store the plaintext response data, encrypts the plaintext response data by using the symmetric key A, and sends the encrypted plaintext response data to the target application program;
Step 809: the target application program decrypts the received information by using the symmetric key A to obtain plaintext response data.
In this example, the data acquisition tool acts as a server when in data communication with the target application such that the target application considers it to be in communication with the server; the data acquisition tool acts as a target application when in data communication with the server such that the server considers it to be in communication with the target application. Therefore, the data acquisition tool can acquire the data transmitted by the target application program and the data transmitted by the server, so that the aim of acquiring the interactive data between the target application program and the server is fulfilled, and the follow-up step can conveniently carry out compliance detection processing on the target application program according to the interactive data.
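The exchange in steps 801 to 809 can be modelled with both sides' messages, as an added example that is not part of the patent text. It uses toy RSA and a toy stream cipher as stand-ins for the real HTTPS primitives, and all class names, function names and key values are assumptions. The `verify` flag stands for the certificate verification logic function, with `verify=False` representing the state after step 300.

```python
import hashlib

# Toy primitives for illustration only (assumptions; not secure, not real TLS).
def make_keypair(p, q, e=65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def rsa_apply(key, value):
    """Encrypt with a public key or decrypt with a private key."""
    n, exponent = key
    return pow(value, exponent, n)


def stream_xor(sym_key, data):
    """Symmetric toy cipher: XOR with a SHA-256 counter keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(f"{sym_key}:{counter}".encode()).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def fingerprint(public_key):
    """Stand-in for the certificate identity the application expects."""
    return hashlib.sha256(repr(public_key).encode()).hexdigest()


KEY_A = 0xA11CE  # constructed symmetric key A, chosen by the target application
KEY_B = 0xB0B    # constructed symmetric key B, chosen by the data acquisition tool


class Server:
    def __init__(self, response):
        self.public, self._private = make_keypair(2**31 - 1, 2**61 - 1)
        self._response = response

    def certificate(self):
        return self.public

    def respond(self, key_info):
        # Step 807: recover the symmetric key, return ciphertext response data.
        sym_key = rsa_apply(self._private, key_info)
        return stream_xor(sym_key, self._response)


class DataAcquisitionTool:
    def __init__(self, server):
        self.public, self._private = make_keypair(2**61 - 1, 2**89 - 1)
        self._server = server
        self.captured = []

    def certificate(self):
        # Steps 802-804: fetch the server's chain, present the tool's own.
        self._server_public = self._server.certificate()
        return self.public

    def respond(self, key_info):
        # Step 806: recover key A, send key B to the server in its place.
        key_a = rsa_apply(self._private, key_info)
        ciphertext = self._server.respond(rsa_apply(self._server_public, KEY_B))
        # Step 808: decrypt with key B, store, re-encrypt with key A.
        plaintext = stream_xor(KEY_B, ciphertext)
        self.captured.append(plaintext)
        return stream_xor(key_a, plaintext)


class CertificateMismatch(Exception):
    pass


def target_application(peer, expected_fingerprint, verify=True):
    """Steps 801, 805 and 809 from the application's side."""
    presented = peer.certificate()
    if verify and fingerprint(presented) != expected_fingerprint:
        raise CertificateMismatch("presented certificate is not the expected one")
    reply = peer.respond(rsa_apply(presented, KEY_A))
    return stream_xor(KEY_A, reply)


def run_exchange():
    response = b'{"balance": 42}'  # constructed plaintext response data
    server = Server(response)
    tool = DataAcquisitionTool(server)
    expected = fingerprint(server.public)
    results = {"direct": target_application(server, expected)}
    try:
        target_application(tool, expected, verify=True)
        results["verified_via_tool"] = "accepted"
    except CertificateMismatch:
        results["verified_via_tool"] = "rejected at step 804"
    results["captured_while_verifying"] = list(tool.captured)
    results["unverified_via_tool"] = target_application(tool, expected, verify=False)
    results["captured_without_verification"] = list(tool.captured)
    return results


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, "->", value)
```

With verification active the exchange stops when the tool presents its own certificate in step 804 and nothing is captured; only with verification disabled does the tool obtain the plaintext response data while the application still receives the expected reply.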
Referring to fig. 21, the embodiment of the present application further discloses an application processing apparatus 900, where the application processing apparatus 900 is capable of implementing an application processing method that uses a terminal device as an execution body as in the previous embodiment, and the application processing apparatus 900 includes:
a first program running unit 901, configured to run a virtual environment, where a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit 902 for running the target application program in the virtual environment;
the function bypass unit 903 is configured to bypass, during the running process of the target application, the function of the certificate verification logic function of the target application through the hook function, so that the interaction data between the target application and the server can be obtained.
In one embodiment, the application processing device 900 further includes:
the function determining unit is used for determining a certificate checking logic function in the program logic text of the installation package corresponding to the target application program;
a hook point determining unit for determining a hook point according to the certificate verification logic function;
a first function setting unit for setting a hook function in the virtual environment according to the hook point.
In an embodiment, the hook point determining unit includes:
an execution position determining unit for determining an execution position of the certificate checking logic function in the program logic text;
a hook point determining subunit for determining a hook point according to the execution position.
In an embodiment, in the case where the execution position includes a start execution position and an end execution position, the hook point determination subunit includes:
a first determination subunit configured to determine a start hook point according to a start execution position;
and a second determination subunit for determining an end hook point according to the end execution position.
In one embodiment, the function bypass unit 903 includes:
the first jump execution unit is used for jumping to execute the hook function when the target application program runs to a first target logic position in the program logic text;
the second jump execution unit is used for jumping to a second target logic position in the program logic text when the hook function is executed, so that the target application program continues to run from the second target logic position;
the first target logic position is a position corresponding to the start hook point in the program logic text, and the second target logic position is a position corresponding to the end hook point in the program logic text.
In one embodiment, the first jump execution unit comprises:
a jump execution subunit, configured to jump from the target application program to the virtual environment when the target application program runs to the first target logic location in the program logic text;
and the function calling unit is used for calling the hook function through the virtual environment.
In an embodiment, the function determination unit includes:
the installation package acquisition unit is used for acquiring an installation package corresponding to the target application program;
the decompilation unit is used for decompiling the installation package to obtain a program logic text of the installation package;
and the function determining subunit is used for determining a certificate checking logic function in the program logic text.
In one embodiment, the application processing device 900 further includes:
a second function setting unit for setting a hook function in a dynamic loading library of the virtual environment;
and the compiling unit is used for compiling the virtual environment provided with the hook function to obtain a compiled virtual environment.
In an embodiment, in the case where the virtual environment includes a simulation run process, the second program running unit 902 includes:
the program installation unit is used for installing an installation package corresponding to the target application program in the virtual environment;
and the program running subunit is used for running the target application program through the simulation running process.
In one embodiment, the application processing device 900 further includes:
the data acquisition unit is used for acquiring interaction data of the target application program and the server;
and the data processing unit is used for performing at least one of data interaction correctness checking, data flow detection or data information detection according to the interaction data.
In one embodiment, the data acquisition unit includes:
the first acquisition subunit is used for acquiring interaction data of the target application program and the server through the data acquisition tool in the process of carrying out data interaction between the target application program and the server;
and the second acquisition subunit is used for acquiring the interactive data sent by the data acquisition tool.
In an embodiment, the first acquisition subunit comprises:
the first data processing subunit is used for, when the target application program sends first interaction information to the server, acquiring the first interaction information through the data acquisition tool, and simulating the target application program through the data acquisition tool to send second interaction information to the server, wherein the second interaction information is obtained according to the first interaction information;
and the second data processing subunit is used for, when the server sends third interaction information to the target application program, acquiring the third interaction information through the data acquisition tool, and simulating the server through the data acquisition tool to send fourth interaction information to the target application program, wherein the fourth interaction information is obtained according to the third interaction information.
It should be noted that, since the application processing apparatus 900 of the present embodiment can implement the application processing method using the terminal device as the execution body in the foregoing embodiment, the application processing apparatus 900 of the present embodiment has the same technical principle and the same beneficial effects as the application processing method using the terminal device as the execution body in the foregoing embodiment, and in order to avoid repetition of the content, a description is omitted here.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the embodiment of the application also discloses an application processing device, which comprises:
at least one processor;
at least one memory for storing at least one program;
the application processing method as described in any of the previous embodiments is implemented when at least one of said programs is executed by at least one of said processors.
The embodiment of the application also discloses a computer readable storage medium, in which a program executable by a processor is stored, where the program executable by the processor is used to implement the application processing method according to any of the previous embodiments.
The present application also discloses a computer program product or a computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the application processing method described in any of the previous embodiments.
The terms "first," "second," "third," "fourth," and the like in the description of the present application and in the above-described figures, if any, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be capable of operation in sequences other than those illustrated or described herein, for example. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus.
It should be understood that in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of associated objects and indicates that three relationships may exist; for example, "A and/or B" may represent: only A is present, only B is present, and both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of" or the like means any combination of these items, including any combination of single item(s) or plural item(s). For example, at least one of a, b or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b, c may be single or plural.
In the several embodiments provided in the present application, it should be understood that the disclosed systems, apparatuses, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or units, which may be in electrical, mechanical, or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or all or part of the technical solution in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (Random Access Memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The step numbers in the above method embodiments are set for convenience of illustration, and the order of steps is not limited in any way, and the execution order of the steps in the embodiments may be adaptively adjusted according to the understanding of those skilled in the art.

Claims (15)

1. An application processing method, comprising the steps of:
running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
running the target application in the virtual environment;
and in the running process of the target application program, skipping the call of the certificate verification logic function of the target application program through the hook function, so that the function of the certificate verification logic function is disabled, and the interaction data of the target application program and a server can be acquired.
2. The application processing method according to claim 1, wherein setting the hook function according to the certificate verification logic function of the target application specifically includes:
determining the certificate verification logic function in a program logic text of an installation package corresponding to the target application program;
Determining a hook point according to the certificate verification logic function;
and setting the hook function in the virtual environment according to the hook point.
3. The application processing method according to claim 2, wherein the determining a hook point according to the certificate verification logic function includes:
determining the execution position of the certificate verification logic function in the program logic text;
and determining a hook point according to the execution position.
4. The application processing method according to claim 3, wherein the execution position includes a start execution position and an end execution position; the determining a hook point according to the execution position includes:
determining a starting hook point according to the starting execution position;
and determining an end hook point according to the end execution position.
5. The application processing method according to claim 4, wherein the skipping of the call to the certificate verification logic function of the target application by the hook function includes:
when the target application program runs to a first target logic position in the program logic text, skipping to execute the hook function;
When the hook function is executed, jumping to a second target logic position in the program logic text, and enabling the target application program to continue to run from the second target logic position;
the first target logic position is a position of the starting hook point corresponding to the program logic text, and the second target logic position is a position of the ending hook point corresponding to the program logic text.
6. The application processing method of claim 5, wherein jumping to execute the hook function when the target application is running to a first target logical location in the program logic text comprises:
jumping from the target application to the virtual environment when the target application runs to a first target logical position in the program logical text;
and calling the hook function through the virtual environment.
7. The application processing method according to claim 2, wherein determining the certificate verification logic function in the program logic text of the installation package corresponding to the target application includes:
acquiring an installation package corresponding to the target application program;
Decompiling the installation package to obtain a program logic text of the installation package;
the certificate checking logic function is determined in the program logic text.
8. The application processing method according to claim 1, wherein before the running the virtual environment, the application processing method further comprises:
setting the hook function in a dynamic loading library of the virtual environment;
compiling the virtual environment provided with the hook function to obtain the compiled virtual environment.
9. The application processing method according to claim 1, wherein the virtual environment includes a simulation run process; the running the target application in the virtual environment includes:
installing an installation package corresponding to the target application program in the virtual environment;
and operating the target application program through the simulation operation process.
10. The application processing method according to any one of claims 1 to 9, characterized in that after skipping the call to the certificate-checking logic function of the target application by the hook function, the application processing method further comprises:
Acquiring the interaction data of the target application program and the server;
and carrying out at least one of data interaction correctness checking, data flow detection or data information detection according to the interaction data.
11. The application processing method according to claim 10, wherein the acquiring the interaction data of the target application and the server includes:
in the process of carrying out data interaction between the target application program and the server, acquiring interaction data between the target application program and the server through a data acquisition tool;
and acquiring the interaction data sent by the data acquisition tool.
12. The application processing method according to claim 11, wherein the acquiring, by a data acquisition tool, the interaction data of the target application program and the server during the data interaction of the target application program and the server includes:
when the target application program sends first interaction information to the server, acquiring the first interaction information through a data acquisition tool, and simulating the target application program to send second interaction information to the server through the data acquisition tool, wherein the second interaction information is obtained according to the first interaction information;
and when the server sends third interaction information to the target application program, acquiring the third interaction information through the data acquisition tool, and simulating the server to send fourth interaction information to the target application program through the data acquisition tool, wherein the fourth interaction information is obtained according to the third interaction information.
13. An application processing apparatus, comprising:
the first program running unit is used for running a virtual environment, wherein a dynamic loading library of the virtual environment is provided with a hook function, and the hook function is set according to a certificate verification logic function of a target application program;
a second program running unit for running the target application program in the virtual environment;
and the function bypass unit is used for skipping the call of the certificate verification logic function of the target application program through the hook function in the running process of the target application program, so that the function of the certificate verification logic function is disabled, and the interaction data of the target application program and the server can be acquired.
14. An application processing apparatus, comprising:
at least one processor;
at least one memory for storing at least one program;
wherein the application processing method according to any one of claims 1 to 12 is implemented when at least one of said programs is executed by at least one of said processors.
15. A computer-readable storage medium, characterized in that a processor-executable program is stored therein which, when executed by a processor, carries out the application processing method according to any one of claims 1 to 12.
CN202110834851.6A 2021-07-23 2021-07-23 Application processing method and device and computer readable storage medium Active CN113467784B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110834851.6A CN113467784B (en) 2021-07-23 2021-07-23 Application processing method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN113467784A CN113467784A (en) 2021-10-01
CN113467784B true CN113467784B (en) 2023-12-22

Family

ID=77882008

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110834851.6A Active CN113467784B (en) 2021-07-23 2021-07-23 Application processing method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN113467784B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113810431A (en) * 2021-11-19 2021-12-17 北京云星宇交通科技股份有限公司 Method and system for traffic Internet of things terminal security detection based on Hook
CN117472720A (en) * 2023-12-28 2024-01-30 北京中科闻歌科技股份有限公司 General data acquisition system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220083A (en) * 2017-05-22 2017-09-29 韩皓 Exempt from the method and system of installation and operation application program in a kind of Android system
CN111027070A (en) * 2019-12-02 2020-04-17 厦门大学 Malicious application detection method, medium, device and apparatus
CN111046387A (en) * 2019-12-05 2020-04-21 深圳市任子行科技开发有限公司 Analysis and detection method and system for APP uploading user information

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7627896B2 (en) * 2004-12-24 2009-12-01 Check Point Software Technologies, Inc. Security system providing methodology for cooperative enforcement of security policies during SSL sessions
US10762193B2 (en) * 2018-05-09 2020-09-01 International Business Machines Corporation Dynamically generating and injecting trusted root certificates

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
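Resilient User-Side Android Application Repackaging and Tampering Detection Using Cryptographically Obfuscated Logic Bombs; Qiang Zeng et al.; IEEE Transactions on Dependable and Secure Computing; pp. 2582-2600 *
Research and Implementation of Dynamic Loading Technology Based on the Android Platform; Li Junchen; China Excellent Master's Theses Full-text Database, Information Science and Technology Series; pp. I138-704 *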

Also Published As

Publication number Publication date
CN113467784A (en) 2021-10-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant