CN113836528A - Android application shell checking method and device - Google Patents
- Publication number
- CN113836528A
- Authority
- CN
- China
- Prior art keywords
- android application
- shell
- static
- dynamic
- package
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
The disclosure provides a shell checking method and device for android applications. The android application shell checking device extracts static features of the android application package; starts the android application package to obtain its dynamic features; matches the static features against a preset static feature library to obtain an indication function value of the static features relative to each shell adding mode; matches the dynamic features against a preset dynamic feature library to obtain an indication function value of the dynamic features relative to each shell adding mode; calculates a weighted sum of the indication function values for each shell adding mode; determines whether the maximum weighted sum is greater than a preset threshold; and, when the maximum weighted sum is greater than the preset threshold, takes the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package. The shell checking method and device can perform shell checking quickly and non-invasively, and improve shell checking accuracy.
Description
Technical Field
The disclosure relates to the field of security, in particular to a shell checking method and device for android applications.
Background
The Android system is one of the mainstream mobile phone operating systems in the world, and a large number of developers contribute countless applications to the platform. To protect an application from being cracked, many application developers choose to add a shell to (pack) the APK (Android application package) file. Malicious application developers, however, can also add a shell to an APK to prevent their malicious applications from being detected and removed. Because the market is flooded with shell adding tools, the cost of adding a shell to an APK is low for malicious developers, and the shell adding rate of malicious applications is much higher than that of ordinary applications. If these malicious applications need to be analyzed in detail, the shell must first be removed (unpacked). Different shells usually require their own corresponding unpacking methods, so accurate identification of the shell type is required before unpacking.
The related art mainly includes two types of shell checking methods: static and dynamic. Static shell checking methods include using PEID tools, which analyze binary features of the file, PKID tools, which match SO file names, and the like. The dynamic shell checking method uses hook functions to capture the system functions and non-system functions called between the start of the shell program and the formal start of the application, and matches the captured system functions and non-system functions against a local feature library to identify the shell.
Disclosure of Invention
The inventors have noted that, in the static shell checking method, binary feature matching can be defeated by modifying the feature code, resulting in a low detection rate, and matching only the SO file name is prone to misjudgment. In the dynamic shell checking method, the intrusive approach of capturing each function through hook functions may cause the program to run abnormally; the method is also complex in itself and usually requires administrative privileges on the device.
Accordingly, the present disclosure provides an android application shell checking scheme that combines static features and dynamic features, which can check the shell quickly and non-invasively and improve shell checking accuracy.
According to a first aspect of the embodiments of the present disclosure, there is provided an android application shell checking method, including: extracting static features of the android application package; starting the android application package to obtain dynamic features of the android application package; matching the static features with a preset static feature library to obtain an indication function value of the static features relative to each shell adding mode; matching the dynamic features with a preset dynamic feature library to obtain an indication function value of the dynamic features relative to each shell adding mode; calculating a weighted sum of the indication function values for each shell adding mode; determining whether the maximum weighted sum is greater than a preset threshold; and, when the maximum weighted sum is greater than the preset threshold, taking the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package.
In some embodiments, the static characteristics of the android application package comprise at least one of static file characteristics of the android application package, entry address characteristics of manifest files in the android application package, and characteristic functions in a smali file generated after an executable file in the android application package is decompiled.
In some embodiments, the static file characteristics include at least one of a directory name or a file name.
In some embodiments, obtaining the dynamic features of the android application package comprises: obtaining the dynamic features of the android application package by analyzing the system log, wherein the dynamic features comprise at least one of the calling frequency of each function in the android application package and the calling relation among the functions.
In some embodiments, when the maximum weighted sum is not greater than the preset threshold, the shell adding mode of the android application package is determined to be unknown.
According to a second aspect of the embodiments of the present disclosure, there is provided an android application shell checking device, including: a static feature extraction module configured to extract static features of the android application package; a dynamic feature extraction module configured to start the android application package to obtain dynamic features of the android application package; a first matching module configured to match the static features with a preset static feature library to obtain an indication function value of the static features relative to each shell adding mode; a second matching module configured to match the dynamic features with a preset dynamic feature library to obtain an indication function value of the dynamic features relative to each shell adding mode; and an identification module configured to calculate a weighted sum of the indication function values for each shell adding mode, determine whether the maximum weighted sum is greater than a preset threshold, and, when the maximum weighted sum is greater than the preset threshold, take the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package.
In some embodiments, the static characteristics of the android application package comprise at least one of static file characteristics of the android application package, entry address characteristics of manifest files in the android application package, and characteristic functions in a smali file generated after an executable file in the android application package is decompiled.
In some embodiments, the static file characteristics include at least one of a directory name or a file name.
In some embodiments, the dynamic feature extraction module is configured to obtain dynamic features of the android application package by analyzing a system log, where the dynamic features include at least one of a calling frequency of each function in the android application package and a calling relationship between each function.
In some embodiments, the identification module is further configured to determine that the shell adding mode of the android application package is unknown if the maximum weighted sum is not greater than the preset threshold.
According to a third aspect of the embodiments of the present disclosure, there is provided an android application shell checking device, including: a memory configured to store instructions; and a processor coupled to the memory, the processor configured to perform the method of any of the embodiments described above based on the instructions stored in the memory.
According to a fourth aspect of the embodiments of the present disclosure, a computer-readable storage medium is provided, in which computer instructions are stored; when executed by a processor, the instructions implement the method according to any of the embodiments described above.
Other features of the present disclosure and advantages thereof will become apparent from the following detailed description of exemplary embodiments thereof, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The present disclosure may be more clearly understood from the following detailed description, taken with reference to the accompanying drawings, in which:
FIG. 1 is a schematic flow diagram of an android application shell inspection method according to an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of an android application shell inspection device according to an embodiment of the present disclosure;
FIG. 3 is a schematic structural diagram of an android application shell inspection device according to another embodiment of the present disclosure.
It should be understood that the dimensions of the various parts shown in the figures are not drawn to scale. Further, the same or similar reference numerals denote the same or similar components.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. The description of the exemplary embodiments is merely illustrative and is in no way intended to limit the disclosure, its application, or uses. The present disclosure may be embodied in many different forms and is not limited to the embodiments described herein. These embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. It should be noted that: the relative arrangement of parts and steps, the composition of materials and values set forth in these embodiments are to be construed as illustrative only and not as limiting unless otherwise specifically stated.
The use of the word "comprising" or "comprises" and the like in this disclosure means that the elements listed before the word encompass the elements listed after the word and do not exclude the possibility that other elements may also be encompassed.
All terms (including technical or scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs unless specifically defined otherwise. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail but are intended to be part of the specification where appropriate.
Fig. 1 is a schematic flow diagram of an android application shell inspection method according to an embodiment of the present disclosure. In some embodiments, the following android application shell-checking method steps are performed by an android application shell-checking device.
In step 101, static features of an android application package are extracted.
In some embodiments, the static features of the android application package include at least one of static file features of the android application package, entry address features of the manifest file (AndroidManifest.xml) in the android application package, and feature functions in the smali files generated by decompiling the executable file (dex file) in the android application package.
In some embodiments, the static file features include at least one of a directory name or a file name. For example, the file names include .so files, .jar files, .aar files, .apk files, .class files, .dex files, .des files, .dey files, .dat files, .bin files, and the like.
At step 102, the android application package is started to obtain dynamic characteristics of the android application package.
In some embodiments, dynamic characteristics of the android application package are obtained by analyzing a system log, and the dynamic characteristics include at least one of calling frequency of functions and calling relation between the functions in the android application package.
In step 103, the static features are matched with a preset static feature library to obtain an indication function value of the static features relative to each shell adding mode.
In some embodiments, the preset static feature library includes static file features of various known shell adding methods, as well as entry address features in the manifest file and feature functions in the smali file obtained by decompiling the dex file. Static file characteristics include directory and file names.
In step 104, the dynamic features are matched with a preset dynamic feature library to obtain an indication function value of the dynamic features relative to each shell adding mode.
In some embodiments, the preset dynamic feature library includes function call features of various known shell adding modes.
At step 105, a weighted sum of the indication function values is calculated for each shell adding mode.
In step 106, it is determined whether the maximum weighted sum is greater than a predetermined threshold.
In step 107, when the maximum weighted sum is greater than the preset threshold, the shell adding mode corresponding to the maximum weighted sum is used as the shell adding mode of the android application package.
In some embodiments, in the event that the maximum weighted sum is not greater than a preset threshold, it is determined that the manner in which the android application package is shelled is unknown.
In the android application shell checking method provided by the embodiment of the disclosure, the shell checking can be realized quickly and in a non-invasive manner by combining the static characteristic and the dynamic characteristic, and the shell checking accuracy is improved.
For example, feature 1, feature 2, and feature 3 are obtained by extracting static features of the android application package. Feature 1 is a static file feature of the android application package, feature 2 is an entry address feature of the manifest file in the android application package, and feature 3 is a feature function in a smali file generated by decompiling the executable file (dex file) in the android application package.
Then, feature 4 is obtained by starting the android application package and acquiring its dynamic features. Feature 4 comprises the calling frequency of each function in the android application package and the calling relation among the functions.
Next, features 1 to 3 are each matched with the preset static feature library to obtain the indication function values of features 1 to 3 relative to each shell adding mode. If feature 1 matches the class A shell and the class B shell and does not match the class C shell, the indication function value of feature 1 relative to the class A shell and the class B shell is set to 1, and the indication function value of feature 1 relative to the class C shell is set to 0. Accordingly, if feature 2 matches the class A shell and does not match the class B shell and the class C shell, the indication function value of feature 2 relative to the class A shell is set to 1, and the indication function value of feature 2 relative to the class B shell and the class C shell is set to 0. If feature 3 matches the class C shell and does not match the class A shell and the class B shell, the indication function value of feature 3 relative to the class A shell and the class B shell is set to 0, and the indication function value of feature 3 relative to the class C shell is set to 1.
Feature 4 is matched with the preset dynamic feature library to obtain the indication function values of the dynamic feature relative to each shell adding mode. If feature 4 matches the class A shell and the class B shell and does not match the class C shell, the indication function value of feature 4 relative to the class A shell and the class B shell is set to 1, and the indication function value of feature 4 relative to the class C shell is set to 0.
Next, a weighted sum of the indication function values is calculated for each shell adding mode. For example, let the weight of each of features 1 to 3 be 0.2, and the weight of feature 4 be 0.4. From this, the weighted sum of the indication function values for each shell adding mode can be calculated.
As shown in Table 1, for a class A shell, the corresponding weighted sum is:
$Y_A = 0.2 \times 1 + 0.2 \times 1 + 0.2 \times 0 + 0.4 \times 1 = 0.8$
For a class B shell, the corresponding weighted sum is:
$Y_B = 0.2 \times 1 + 0.2 \times 0 + 0.2 \times 0 + 0.4 \times 1 = 0.6$
For a class C shell, the corresponding weighted sum is:
$Y_C = 0.2 \times 0 + 0.2 \times 0 + 0.2 \times 1 + 0.4 \times 0 = 0.2$
Shell class | Feature 1 | Feature 2 | Feature 3 | Feature 4 | Weighted sum |
---|---|---|---|---|---|
A | 1 | 1 | 0 | 1 | 0.8 |
B | 1 | 0 | 0 | 1 | 0.6 |
C | 0 | 0 | 1 | 0 | 0.2 |
TABLE 1
If the preset threshold is set to 0.65, it can be seen from Table 1 that the weighted sum of the class A shell is the largest, and 0.8 is greater than 0.65, so it can be determined that the shell adding mode of the android application package is the class A shell adding mode.
Conversely, if the calculation shows that the maximum weighted sum is not greater than the preset threshold, the shell adding mode of the android application package is not included in the preset static feature library and dynamic feature library, and the shell adding mode of the android application package is therefore determined to be unknown.
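The procedure of steps 101 to 107, run end to end so that it reproduces Table 1, as an added example that is not part of the patent text. The feature library entries, the file, class and function names, the `ShellTrace` log line format and the matching rules (any library entry present for static features; required call edges plus minimum call counts for the dynamic feature) are constructed assumptions.

```python
import re
from collections import Counter

# Constructed static feature library for three hypothetical shell classes.
# All file, class and function names are placeholders, not real signatures.
STATIC_LIBRARY = {
    "A": {"files": {"lib/armeabi-v7a/libshell_ab.so"},
          "entry": {"com.example.shella.StubApplication"},
          "smali": {"Lcom/example/shella/Loader;->attach"}},
    "B": {"files": {"lib/armeabi-v7a/libshell_ab.so"},   # same file name as A
          "entry": {"com.example.shellb.Wrapper"},
          "smali": {"Lcom/example/shellb/Boot;->load"}},
    "C": {"files": {"assets/shell_c.bin"},
          "entry": {"com.example.shellc.App"},
          "smali": {"Lcom/example/shellc/Guard;->check"}},
}
# Constructed dynamic feature library: minimum call counts per function and
# required caller -> callee relations.
DYNAMIC_LIBRARY = {
    "A": {"min_calls": {"shell_decrypt": 2},
          "edges": {("shell_init", "shell_decrypt")}},
    "B": {"min_calls": {"shell_decrypt": 1},
          "edges": {("shell_init", "shell_decrypt")}},
    "C": {"min_calls": {"guard_verify": 1},
          "edges": {("guard_start", "guard_verify")}},
}
WEIGHTS = (0.2, 0.2, 0.2, 0.4)   # features 1-3 and feature 4, as in the text
THRESHOLD = 0.65                 # preset threshold, as in the text

# Assumed log line format: "<timestamp> <pid> <tid> D ShellTrace: call f -> g"
CALL_RE = re.compile(r"ShellTrace: call (\w+) -> (\w+)\s*$")


def parse_log(lines):
    """Return (call frequency per function, set of caller->callee edges)."""
    calls, edges = Counter(), set()
    for line in lines:
        match = CALL_RE.search(line)
        if match:
            caller, callee = match.groups()
            calls[callee] += 1
            edges.add((caller, callee))
    return calls, edges


def indicators(sample):
    """Indication function values (feature 1..4) for each shell class."""
    calls, edges = parse_log(sample["log"])
    table = {}
    for shell, static in STATIC_LIBRARY.items():
        dynamic = DYNAMIC_LIBRARY[shell]
        f1 = int(bool(static["files"] & sample["files"]))   # file names
        f2 = int(sample["entry"] in static["entry"])         # manifest entry
        f3 = int(bool(static["smali"] & sample["smali"]))   # smali functions
        f4 = int(dynamic["edges"] <= edges and
                 all(calls[name] >= count
                     for name, count in dynamic["min_calls"].items()))
        table[shell] = (f1, f2, f3, f4)
    return table


def identify(sample, weights=WEIGHTS, threshold=THRESHOLD):
    """Return (shell class or "unknown", weighted sum per shell class)."""
    scores = {shell: round(sum(w * v for w, v in zip(weights, row)), 6)
              for shell, row in indicators(sample).items()}
    best = max(scores, key=scores.get)
    # Strictly greater than the threshold, otherwise the mode is unknown.
    return (best if scores[best] > threshold else "unknown"), scores


# Constructed sample whose indicator values equal the rows of Table 1.
SAMPLE = {
    "files": {"AndroidManifest.xml", "classes.dex",
              "lib/armeabi-v7a/libshell_ab.so"},
    "entry": "com.example.shella.StubApplication",
    "smali": {"Lcom/example/shellc/Guard;->check"},
    "log": [
        "06-08 10:00:01.100  4321  4321 D ShellTrace: call shell_init -> shell_decrypt",
        "06-08 10:00:01.140  4321  4321 D ShellTrace: call shell_init -> shell_decrypt",
        "06-08 10:00:01.200  4321  4321 I ActivityManager: Displayed com.example.app/.Main",
    ],
}
# Constructed sample with all three static features pointing at class A but no
# dynamic evidence: 0.6 does not exceed 0.65, so the result is "unknown".
STATIC_ONLY = dict(SAMPLE, smali={"Lcom/example/shella/Loader;->attach"}, log=[])

if __name__ == "__main__":
    print(identify(SAMPLE))
    print(identify(STATIC_ONLY))
```

With these weights, the three static features together reach only 0.6, so a class is never reported without a matching dynamic feature.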
FIG. 2 is a schematic structural diagram of an android application shell inspection device according to an embodiment of the present disclosure. As shown in FIG. 2, the android application shell checking device includes a static feature extraction module 21, a dynamic feature extraction module 22, a first matching module 23, a second matching module 24, and an identification module 25.
The static feature extraction module 21 is configured to extract static features of the android application package.
In some embodiments, the static characteristics of the android application package comprise at least one of static file characteristics of the android application package, entry address characteristics of manifest files in the android application package, and characteristic functions in a smali file generated after an executable file in the android application package is decompiled.
In some embodiments, the static file features include at least one of a directory name or a file name. For example, the file names include .so files, .jar files, .aar files, .apk files, .class files, .dex files, .des files, .dey files, .dat files, .bin files, and the like.
The dynamic feature extraction module 22 is configured to launch the android application package to obtain dynamic features of the android application package.
In some embodiments, the dynamic feature extraction module 22 obtains the dynamic features of the android application package by analyzing the system log, where the dynamic features include at least one of a call frequency of each function in the android application package and a call relationship between each function.
The first matching module 23 is configured to match the static features with a preset static feature library to obtain the indication function values of the static features relative to each shell adding mode.
In some embodiments, the preset static feature library includes static file features of various known shell adding methods, as well as entry address features in the manifest file and feature functions in the smali file obtained by decompiling the dex file. Static file characteristics include directory and file names.
The second matching module 24 is configured to match the dynamic features with a preset dynamic feature library to obtain the indication function values of the dynamic features relative to each shell adding mode.
In some embodiments, the preset dynamic feature library includes function call features of various known shell adding modes.
The identification module 25 is configured to calculate a weighted sum of the indication function values for each shell adding mode, determine whether the maximum weighted sum is greater than a preset threshold, and, when the maximum weighted sum is greater than the preset threshold, take the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package.
In some embodiments, when the maximum weighted sum is not greater than the preset threshold, the shell adding mode of the android application package is determined to be unknown.
In the android application shell checking device provided by the embodiment of the disclosure, the shell checking can be realized quickly and in a non-invasive manner by combining the static characteristic and the dynamic characteristic, and the shell checking accuracy is improved.
Fig. 3 is a schematic structural diagram of an android application shell inspection device according to another embodiment of the present disclosure. As shown in fig. 3, the android application shell-checking device includes a memory 31 and a processor 32.
The memory 31 is used to store instructions. The processor 32 is coupled to the memory 31. The processor 32 is configured to perform a method as referred to in any of the embodiments of fig. 1 based on the instructions stored by the memory.
As shown in fig. 3, the android application shell inspection device further includes a communication interface 33, which is used for information interaction with other devices. Meanwhile, the android application shell checking device further comprises a bus 34, and the processor 32, the communication interface 33 and the memory 31 complete mutual communication through the bus 34.
The memory 31 may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk storage. The memory 31 may also be a memory array. The memory 31 may also be partitioned into blocks, and the blocks may be combined into virtual volumes according to certain rules.
Further, the processor 32 may be a central processing unit, or may be an ASIC (Application Specific Integrated Circuit), or one or more Integrated circuits configured to implement embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium. The computer-readable storage medium stores computer instructions, and the instructions, when executed by the processor, implement the method according to any one of the embodiments in fig. 1.
In some embodiments, the functional modules may be implemented as a general purpose Processor, a Programmable Logic Controller (PLC), a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA), or other Programmable Logic device, discrete Gate or transistor Logic, discrete hardware components, or any suitable combination thereof, for performing the functions described in this disclosure.
So far, embodiments of the present disclosure have been described in detail. Some details that are well known in the art have not been described in order to avoid obscuring the concepts of the present disclosure. It will be fully apparent to those skilled in the art from the foregoing description how to practice the presently disclosed embodiments.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the foregoing examples are for purposes of illustration only and are not intended to limit the scope of the present disclosure. It will be understood by those skilled in the art that various changes may be made in the above embodiments or equivalents may be substituted for elements thereof without departing from the scope and spirit of the present disclosure. The scope of the present disclosure is defined by the appended claims.
Claims (12)
1. An android application shell-checking method comprises the following steps:
extracting static characteristics of the android application program package;
starting the android application program package to acquire the dynamic characteristics of the android application program package;
matching the static features with a preset static feature library to respectively obtain an indication function value of the static features relative to each shell adding mode;
matching the dynamic features with a preset dynamic feature library to respectively obtain an indication function value of the dynamic features relative to each shell adding mode;
calculating a weighted sum of the indication function values for each shell adding mode;
judging whether the maximum weighted sum is larger than a preset threshold or not;
and taking the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package under the condition that the maximum weighted sum is larger than the preset threshold.
2. The method of claim 1, wherein,
the static characteristics of the android application package comprise at least one of static file characteristics of the android application package, entry address characteristics of a manifest file in the android application package, and a characteristic function in a smali file generated after an executable file in the android application package is decompiled.
3. The method of claim 2, wherein,
the static file characteristics include at least one of a directory name or a file name.
4. The method of claim 1, wherein the obtaining dynamic features of the android application package comprises:
and acquiring dynamic characteristics of the android application program package by analyzing the system log, wherein the dynamic characteristics comprise at least one of the calling frequency of each function in the android application program package and the calling relation among the functions.
5. The method of any of claims 1-4, further comprising:
and determining that the shell adding mode of the android application package is unknown under the condition that the maximum weighted sum is not greater than the preset threshold.
6. An android application shell checking device, comprising:
the static feature extraction module is configured to extract static features of the android application package;
the dynamic feature extraction module is configured to start the android application program package to acquire dynamic features of the android application program package;
the first matching module is configured to match the static features with a preset static feature library so as to respectively obtain an indication function value of the static features relative to each shell adding mode;
the second matching module is configured to match the dynamic features with a preset dynamic feature library so as to respectively obtain an indication function value of the dynamic features relative to each shell adding mode;
the identification module is configured to calculate a weighted sum of indication function values for each shell adding mode, judge whether a maximum weighted sum is greater than a preset threshold, and take the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package under the condition that the maximum weighted sum is greater than the preset threshold.
7. The apparatus of claim 6, wherein,
the static characteristics of the android application package comprise at least one of static file characteristics of the android application package, entry address characteristics of a manifest file in the android application package, and a characteristic function in a smali file generated after an executable file in the android application package is decompiled.
8. The apparatus of claim 7, wherein,
the static file characteristics include at least one of a directory name or a file name.
9. The apparatus of claim 6, wherein,
the dynamic feature extraction module is configured to obtain dynamic features of the android application program package by analyzing a system log, wherein the dynamic features include at least one of call frequency of each function in the android application program package and call relations among the functions.
10. The apparatus of any one of claims 6-9,
the identification module is further configured to determine that the shell adding mode of the android application package is unknown if the maximum weighted sum is not greater than the preset threshold.
11. An android application shell checking device, comprising:
a memory configured to store instructions;
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-5 based on the instructions stored in the memory.
12. A computer-readable storage medium, wherein the computer-readable storage medium stores computer instructions which, when executed by a processor, implement the method of any one of claims 1-5.
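The identification logic of claims 6-10, as an added Python example that is not part of the patent text. The packer names, signatures and `CALL a -> b` log format are constructed placeholders, and the weights, threshold, hot-call cut-off and one-indicator-per-feature-kind reading are assumptions.

```python
from collections import Counter

# Constructed feature libraries. Packer names, file names, class names and
# function names are placeholders, not signatures of any real packing product.
STATIC_LIB = {
    "packer_a": {"file": {"lib/libshell_a.so"},
                 "entry": {"com.example.shella.StubApp"},
                 "smali": {"Lcom/example/shella/Loader;->attach"}},
    "packer_b": {"file": {"assets/shell_b.dat"},
                 "entry": {"com.example.shellb.Wrapper"},
                 "smali": {"Lcom/example/shellb/Boot;->init"}},
}
DYNAMIC_LIB = {
    "packer_a": {"edge": {("attachBaseContext", "shella_decrypt")}, "hot": {"shella_decrypt"}},
    "packer_b": {"edge": {("onCreate", "shellb_map")}, "hot": {"shellb_map"}},
}
WEIGHTS = {"file": 0.2, "entry": 0.25, "smali": 0.15, "edge": 0.25, "hot": 0.15}
THRESHOLD = 0.5    # assumed value; the claims only say "preset threshold"
HOT_MIN_CALLS = 3  # assumed cut-off for the call-frequency feature

def dynamic_features(log_lines):
    """Derive call relations and call frequencies from 'CALL a -> b' log lines."""
    edges, freq = set(), Counter()
    for line in log_lines:
        if not line.startswith("CALL "):
            continue  # ignore unrelated system log output
        caller, _, callee = line[5:].partition(" -> ")
        if callee:
            edges.add((caller.strip(), callee.strip()))
            freq[callee.strip()] += 1
    return {"edge": edges, "hot": {f for f, n in freq.items() if n >= HOT_MIN_CALLS}}

def identify(static, log_lines):
    """Return (shell adding mode or 'unknown', weighted sum per mode)."""
    observed = {**static, **dynamic_features(log_lines)}
    scores = {}
    for mode in STATIC_LIB:
        library = {**STATIC_LIB[mode], **DYNAMIC_LIB[mode]}
        # Indicator value is 1 when an observed feature matches the library.
        scores[mode] = round(sum(
            WEIGHTS[kind] * (1 if observed.get(kind, set()) & sigs else 0)
            for kind, sigs in library.items()), 4)
    best = max(scores, key=scores.get)
    # Claim 10: a maximum that is not greater than the threshold is "unknown".
    return (best if scores[best] > THRESHOLD else "unknown"), scores

# Constructed sample input for a package wrapped by the placeholder packer_a.
SAMPLE_STATIC = {"file": {"lib/libshell_a.so", "classes.dex"},
                 "entry": {"com.example.shella.StubApp"}, "smali": set()}
SAMPLE_LOG = ["CALL attachBaseContext -> shella_decrypt"] * 3 + ["CALL onCreate -> render"]
```

A weighted sum that only equals the threshold is still reported as unknown, because the claims require the maximum to be strictly greater than the preset threshold.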
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010513695.9A CN113836528B (en) | 2020-06-08 | 2020-06-08 | Android application shell checking method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010513695.9A CN113836528B (en) | 2020-06-08 | 2020-06-08 | Android application shell checking method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113836528A (en) | 2021-12-24 |
CN113836528B (en) | 2023-10-13 |
Family
ID=78963636
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010513695.9A (Active, CN113836528B) | 2020-06-08 | 2020-06-08 | Android application shell checking method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN113836528B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102855440A (en) * | 2012-09-13 | 2013-01-02 | 北京奇虎科技有限公司 | Method, device and system for detecting packed executable files |
CN104392177A (en) * | 2014-12-16 | 2015-03-04 | 武汉虹旭信息技术有限责任公司 | Android platform based virus forensics system and method |
CN105205398A (en) * | 2015-11-04 | 2015-12-30 | 北京鼎源科技有限公司 | Shell checking method based on dynamic behaviors of APK (android package) packing software |
CN107180191A (en) * | 2017-05-03 | 2017-09-19 | 北京理工大学 | A kind of malicious code analysis method and system based on semi-supervised learning |
CN108038376A (en) * | 2017-12-21 | 2018-05-15 | 中国人民解放军战略支援部队信息工程大学 | The general hulling method of cryptor and device based on hybrid analysis |
KR20190080445A (en) * | 2017-12-28 | 2019-07-08 | 숭실대학교산학협력단 | Whitelist construction method for analyzing malicious code, computer readable medium and device for performing the method |
CN110795734A (en) * | 2019-10-12 | 2020-02-14 | 南京信息职业技术学院 | Malicious mobile application detection method |
Non-Patent Citations (1)
Title |
---|
Sun He et al.: "A function call graph extraction method combining dynamic and static analysis", Computer Engineering, vol. 43, no. 03, pages 154-162 * |
Also Published As
Publication number | Publication date |
---|---|
CN113836528B (en) | 2023-10-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2016015680A1 (en) | Security detection method and security detection apparatus for mobile terminal input window | |
US20160087998A1 (en) | Detecting a malware process | |
CN110474900B (en) | Game protocol testing method and device | |
CN108256322B (en) | Security testing method and device, computer equipment and storage medium | |
CN112363937A (en) | Method and device for testing differential coverage rate, computer equipment and storage medium | |
CN110674500B (en) | Storage medium virus searching and killing method and device, computer equipment and storage medium | |
CN114139154A (en) | Malicious code detection method and device, computer and readable storage medium | |
CN116204891B (en) | Vulnerability exploitation analysis method, device and storage medium | |
CN113836528B (en) | Android application shell checking method and device | |
CN108197475B (en) | Malicious so module detection method and related device | |
CN108256327B (en) | File detection method and device | |
CN112884258A (en) | Method and device for detecting application risk | |
CN115935356A (en) | Software security testing method, system and application | |
CN108650249A (en) | POC attack detection methods, device, computer equipment and storage medium | |
US20140173392A1 (en) | Hardware enforced protection of software data structures | |
CN111191234B (en) | Virus information detection method and device | |
CN112328515B (en) | Equipment detection method and device | |
CN114610577A (en) | Target resource locking method, device, equipment and medium | |
KR20230082388A (en) | Apparatus for verifying bootloader of ecu and method thereof | |
CN114915578A (en) | WAF test method and device | |
CN106648558B (en) | Control method and device for TPL (tire pressure level) Dataflow | |
CN109190366B (en) | Program processing method and related device | |
CN110119618B (en) | Malicious script detection method and device | |
CN115004185A (en) | Detection method and device for private information leakage and electronic equipment | |
CN114048481A (en) | Method, device, server and storage medium for processing security scanning report |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||