CN113836528B - Android application shell checking method and device - Google Patents


Publication number
CN113836528B
Authority
CN
China
Prior art keywords
android application
static
shell
features
adding mode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010513695.9A
Other languages
Chinese (zh)
Other versions
CN113836528A (en)
Inventor
殷铭
闻剑峰
陆广铖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The disclosure provides an android application shell checking method and device. The android application shell checking device extracts static features of an android application package; starts the android application package to obtain dynamic features of the android application package; matches the static features against a preset static feature library to obtain the indication function value of the static features for each shell adding mode; matches the dynamic features against a preset dynamic feature library to obtain the indication function value of the dynamic features for each shell adding mode; calculates a weighted sum of the indication function values for each shell adding mode; determines whether the maximum weighted sum is greater than a preset threshold; and, if the maximum weighted sum is greater than the preset threshold, takes the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package. The method and device implement shell checking quickly and non-invasively, and improve shell checking accuracy.

Description

Android application shell checking method and device
Technical Field
The disclosure relates to the field of security, in particular to a method and a device for checking a shell of an android application.
Background
Android is one of the mainstream mobile phone operating systems in the world today, and a large number of developers have contributed countless applications to the platform. To protect their applications from being cracked, many application developers choose to add a shell to (that is, pack) their APK (Android application package) files. However, developers of malicious applications also add shells to their APKs so that the applications are not detected and removed. Because a large number of shell adding tools are available on the market, the cost for a malicious developer to add a shell to an APK is very low, and the proportion of malicious applications with a shell is much higher than that of ordinary applications. To analyze these malicious applications in detail, the shell must first be removed (the application unpacked). Shell removal generally uses a different method for each kind of shell, so the first step in shell removal is to identify the shell type accurately.
In the related art, there are two main types of shell checking method: static and dynamic. Static shell checking methods include PEID tools, which analyze binary features of files, and PKID tools, which match SO file names. The dynamic shell checking method uses hook functions to capture the system functions and non-system functions called between the start of the shell program and the formal start of the application, and matches the captured functions against a local feature library to identify the shell.
Disclosure of Invention
The inventors have noted that, in the static shell checking method, binary feature matching can be defeated by modifying the feature codes, resulting in a low detection rate, and matching only SO file names is prone to false positives. The dynamic shell checking method captures each function through hook functions, which is invasive and may cause the program to run abnormally; the method is also complex and usually requires administrative privileges on the device.
Accordingly, the present disclosure provides an android application shell checking scheme that combines static features and dynamic features, which implements shell checking quickly and non-invasively and improves shell checking accuracy.
According to a first aspect of an embodiment of the present disclosure, there is provided an android application shell checking method, including: extracting static features of the android application package; starting the android application package to obtain dynamic features of the android application package; matching the static features against a preset static feature library to obtain the indication function value of the static features for each shell adding mode; matching the dynamic features against a preset dynamic feature library to obtain the indication function value of the dynamic features for each shell adding mode; calculating a weighted sum of the indication function values for each shell adding mode; determining whether the maximum weighted sum is greater than a preset threshold; and, if the maximum weighted sum is greater than the preset threshold, taking the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package.
In some embodiments, the static features of the android application package include at least one of static file features of the android application package, entry address features of manifest files in the android application package, and feature functions in smali files generated after executable files in the android application package are decompiled.
In some embodiments, the static file characteristics include at least one of a directory name or a file name.
In some embodiments, obtaining the dynamic features of the android application package comprises: obtaining the dynamic features of the android application package by analyzing a system log, wherein the dynamic features comprise at least one of the call frequency of each function and the call relationships among the functions in the android application package.
In some embodiments, the shell adding mode of the android application package is determined to be unknown if the maximum weighted sum is not greater than the preset threshold.
According to a second aspect of embodiments of the present disclosure, there is provided an android application shell checking device, comprising: a static feature extraction module configured to extract static features of the android application package; a dynamic feature extraction module configured to start the android application package to obtain dynamic features of the android application package; a first matching module configured to match the static features against a preset static feature library to obtain the indication function value of the static features for each shell adding mode; a second matching module configured to match the dynamic features against a preset dynamic feature library to obtain the indication function value of the dynamic features for each shell adding mode; and an identification module configured to calculate a weighted sum of the indication function values for each shell adding mode, determine whether the maximum weighted sum is greater than a preset threshold, and, if the maximum weighted sum is greater than the preset threshold, take the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package.
In some embodiments, the static features of the android application package include at least one of static file features of the android application package, entry address features of manifest files in the android application package, and feature functions in smali files generated after executable files in the android application package are decompiled.
In some embodiments, the static file characteristics include at least one of a directory name or a file name.
In some embodiments, the dynamic feature extraction module is configured to obtain dynamic features of the android application package by analyzing a system log, where the dynamic features include at least one of a call frequency of each function and a call relationship between each function in the android application package.
In some embodiments, the identification module is further configured to determine that the shell adding manner of the android application package is unknown if the maximum weighted sum is not greater than the preset threshold.
According to a third aspect of embodiments of the present disclosure, there is provided an android application shell checking device, comprising: a memory configured to store instructions; and a processor coupled to the memory, the processor configured to perform a method according to any of the embodiments described above based on instructions stored in the memory.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer readable storage medium, wherein the computer readable storage medium stores computer instructions which, when executed by a processor, implement a method as referred to in any of the embodiments above.
Other features of the present disclosure and its advantages will become apparent from the following detailed description of exemplary embodiments of the disclosure, which proceeds with reference to the accompanying drawings.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments of the disclosure and together with the description, serve to explain the principles of the disclosure.
The disclosure may be more clearly understood from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 is a flow diagram of an android application shell checking method in accordance with one embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of an android application shell checking device in accordance with one embodiment of the present disclosure;
FIG. 3 is a schematic structural diagram of an android application shell checking device according to another embodiment of the present disclosure.
It should be understood that the dimensions of the various elements shown in the figures are not drawn to actual scale. Further, the same or similar reference numerals denote the same or similar members.
Detailed Description
Various exemplary embodiments of the present disclosure will now be described in detail with reference to the accompanying drawings. The description of the exemplary embodiments is merely illustrative, and is in no way intended to limit the disclosure, its application, or uses. The present disclosure may be embodied in many different forms and is not limited to the embodiments described herein. These embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art. It should be noted that: the relative arrangement of parts and steps, the composition of materials, and the numerical values set forth in these examples should be construed as merely illustrative, and not limiting unless specifically stated otherwise.
The use of the terms "comprising" or "including" and the like in this disclosure means that elements preceding the term encompass the elements recited after the term, and does not exclude the possibility of also encompassing other elements.
All terms (including technical or scientific terms) used in this disclosure have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs, unless specifically defined otherwise. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but are intended to be part of the specification where appropriate.
Fig. 1 is a flow diagram of an android application shell checking method in accordance with one embodiment of the present disclosure. In some embodiments, the following android application shell checking method steps are performed by the android application shell checking device.
In step 101, the static features of the android application package are extracted.
In some embodiments, the static features of the android application package include at least one of static file features of the android application package, entry address features of a manifest file (AndroidManifest.xml) in the android application package, and feature functions in a smali file generated after an executable file (dex file) in the android application package is decompiled.
In some embodiments, the static file features include at least one of a directory name or a file name. For example, file names include .so, .jar, .aar, .apk, .class, .dex, .des, .dey, .dat and .bin files, and the like.
In step 102, an android application package is started to obtain dynamic characteristics of the android application package.
In some embodiments, the dynamic characteristics of the android application package are obtained by analyzing a system log, wherein the dynamic characteristics comprise at least one of the calling frequency of each function and the calling relationship between each function in the android application package.
In step 103, the static features are matched with a preset static feature library, so as to obtain the indication function values of the static features relative to each shell adding mode respectively.
In some embodiments, the preset static feature library includes static file features of various known shelling methods, as well as entry address features in the manifest file and feature functions in the smali file obtained by decompiling the dex file. Static file features include directory and file names.
In step 104, the dynamic characteristics are matched with a preset dynamic characteristic library, so as to obtain the indication function value of the dynamic characteristics relative to each shell adding mode respectively.
In some embodiments, the pre-set dynamic feature library includes function call features of various known shelling methods.
In step 105, a weighted sum of the indication function values is calculated for each of the shell adding modes.
In step 106, it is determined whether the maximum weighted sum is greater than a preset threshold.
In step 107, if the maximum weighted sum is greater than the preset threshold, the shell adding mode corresponding to the maximum weighted sum is used as the shell adding mode of the android application package.
In some embodiments, the shell adding mode of the android application package is determined to be unknown if the maximum weighted sum is not greater than the preset threshold.
In the android application shell checking method provided by the embodiment of the disclosure, shell checking can be rapidly realized in a non-invasive manner by combining the static characteristics and the dynamic characteristics, and the shell checking accuracy is improved.
For example, the static features of the android application package are extracted to obtain feature 1, feature 2, and feature 3. Feature 1 is a static file feature of the android application package, feature 2 is an entry address feature of a manifest file in the android application package, and feature 3 is a feature function in a smali file generated after an executable file (dex file) in the android application package is decompiled.
Then, the android application package is started and its dynamic features are obtained, giving feature 4. Feature 4 includes the call frequency of each function in the android application package and the call relationships between the functions.
Next, features 1 to 3 are each matched against the preset static feature library to obtain the indication function value of each of features 1 to 3 for each shell adding mode. If feature 1 matches the class A shell and the class B shell and does not match the class C shell, the indication function value of feature 1 for the class A shell and the class B shell is set to 1, and the indication function value of feature 1 for the class C shell is set to 0. Correspondingly, if feature 2 matches the class A shell and does not match the class B shell and the class C shell, the indication function value of feature 2 for the class A shell is set to 1, and the indication function value of feature 2 for the class B shell and the class C shell is set to 0. If feature 3 matches the class C shell and does not match the class A shell and the class B shell, the indication function value of feature 3 for the class A shell and the class B shell is set to 0, and the indication function value of feature 3 for the class C shell is set to 1.
Feature 4 is matched against the preset dynamic feature library to obtain the indication function value of the dynamic feature for each shell adding mode. If feature 4 matches the class A shell and the class B shell and does not match the class C shell, the indication function value of feature 4 for the class A shell and the class B shell is set to 1, and the indication function value of feature 4 for the class C shell is set to 0.
Next, for each shelling mode, a weighted sum of the indication function values is calculated. For example, let the weight of feature 1 to feature 3 be 0.2 and the weight of feature 4 be 0.4. From this, a weighted sum of the indication function values for each of the shell adding modes can be calculated.
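As shown in Table 1, for a class A shell, the corresponding weighted sum is:
$Y_A = 0.2 \times 1 + 0.2 \times 1 + 0.2 \times 0 + 0.4 \times 1 = 0.8$
For a class B shell, the corresponding weighted sum is:
$Y_B = 0.2 \times 1 + 0.2 \times 0 + 0.2 \times 0 + 0.4 \times 1 = 0.6$
For a class C shell, the corresponding weighted sum is:
$Y_C = 0.2 \times 0 + 0.2 \times 0 + 0.2 \times 1 + 0.4 \times 0 = 0.2$

| Shell class | Feature 1 | Feature 2 | Feature 3 | Feature 4 | Weighted sum |
|-------------|-----------|-----------|-----------|-----------|--------------|
| A           | 1         | 1         | 0         | 1         | 0.8          |
| B           | 1         | 0         | 0         | 1         | 0.6          |
| C           | 0         | 0         | 1         | 0         | 0.2          |

Table 1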
If the preset threshold is set to 0.65, then, as can be seen from Table 1, the weighted sum for the class A shell, 0.8, is the maximum, and 0.8 is greater than 0.65, so the shell adding mode of the android application package can be determined to be the class A shell adding mode.
In contrast, if the calculation shows that the weighted sum of every shell is not greater than the preset threshold, the shell adding mode of the android application package is not included in the preset static feature library and the preset dynamic feature library, and the shell adding mode of the android application package is therefore unknown.
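The worked example above, carried through steps 101 to 107 as an added Python example (it is not code from the patent). The weights and threshold are those of Table 1; the shell classes' signatures, the `trace:` log line format, and the assumption that the manifest and smali files have already been decoded to text are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Weights and threshold taken from the worked example (Table 1).
WEIGHTS = {"file": 0.2, "entry": 0.2, "smali": 0.2, "dynamic": 0.4}
THRESHOLD = 0.65

# Constructed signatures for hypothetical shell classes A, B and C.
STATIC_LIBRARY = {
    "A": {"file": {"assets/shell_ab.dat"}, "entry": {"com.shella.StubApp"},
          "smali": {"Lcom/shella/StubApp;->unpackA"}},
    "B": {"file": {"assets/shell_ab.dat"}, "entry": {"com.shellb.Wrapper"},
          "smali": {"Lcom/shellb/Wrapper;->unpackB"}},
    "C": {"file": {"lib/armeabi-v7a/libshell_c.so"}, "entry": {"com.shellc.Proxy"},
          "smali": {"Lcom/demo/Util;->loadC"}},
}
# Dynamic signature: a caller -> callee relation whose callee is called
# at least min_calls times (call relationship plus call frequency).
DYNAMIC_LIBRARY = {
    "A": {"edge": ("attachBaseContext", "decryptDex"), "min_calls": 2},
    "B": {"edge": ("attachBaseContext", "decryptDex"), "min_calls": 1},
    "C": {"edge": ("onCreate", "mapPayload"), "min_calls": 1},
}
CALL_RE = re.compile(r"trace:\s*(\w+)\s*->\s*(\w+)")  # assumed log format


def extract_static(apk_bytes, manifest_xml, smali_sources):
    """Features 1-3: file names, manifest entry class, smali method ids."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        files = set(apk.namelist())
    app = ET.fromstring(manifest_xml).find("application")
    entry = app.get(ANDROID_NS + "name") if app is not None else None
    methods = set()
    for text in smali_sources:
        cls = re.search(r"^\.class\s.*?(L[\w/$]+;)", text, re.M)
        for name in re.findall(r"^\.method\s.*?([\w<>$]+)\(", text, re.M):
            if cls:
                methods.add(f"{cls.group(1)}->{name}")
    return {"file": files, "entry": {entry} if entry else set(), "smali": methods}


def extract_dynamic(log_lines):
    """Feature 4: call frequency per function and caller -> callee relations."""
    edges = [m.groups() for m in map(CALL_RE.search, log_lines) if m]
    return {"freq": Counter(callee for _, callee in edges), "edges": set(edges)}


def indicators(static, dynamic):
    """Indication function value (0 or 1) of each feature for each shell class."""
    table = {}
    for shell, sig in STATIC_LIBRARY.items():
        row = {k: int(bool(static[k] & sig[k])) for k in ("file", "entry", "smali")}
        dyn = DYNAMIC_LIBRARY[shell]
        row["dynamic"] = int(dyn["edge"] in dynamic["edges"]
                             and dynamic["freq"][dyn["edge"][1]] >= dyn["min_calls"])
        table[shell] = row
    return table


def identify(static, dynamic):
    """Weighted sum per shell class; the maximum must exceed the threshold."""
    sums = {shell: round(sum(WEIGHTS[k] * v for k, v in row.items()), 2)
            for shell, row in indicators(static, dynamic).items()}
    best = max(sums, key=sums.get)
    return (best if sums[best] > THRESHOLD else "unknown"), sums


def build_sample():
    """Constructed sample whose indication values reproduce Table 1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name in ("classes.dex", "assets/shell_ab.dat"):
            apk.writestr(name, b"")
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                '<application android:name="com.shella.StubApp"/></manifest>')
    smali = [".class public Lcom/demo/Util;\n"
             ".method public static loadC([B)V\n.end method\n"]
    log = ["I/trace: attachBaseContext -> decryptDex",
           "I/trace: attachBaseContext -> decryptDex",
           "I/trace: onCreate -> initUi"]
    return extract_static(buf.getvalue(), manifest, smali), extract_dynamic(log)


if __name__ == "__main__":
    static_features, dynamic_features = build_sample()
    print(identify(static_features, dynamic_features))
    # With no dynamic evidence the best sum stays below the threshold.
    print(identify(static_features, extract_dynamic([])))
```

The shared file name in the constructed library shows why feature 1 alone cannot separate classes A and B, and the second call shows the "unknown" outcome when only static features match.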
In the android application shell checking method provided by the embodiment of the disclosure, shell checking can be rapidly realized in a non-invasive manner by combining the static characteristics and the dynamic characteristics, and the shell checking accuracy is improved.
Fig. 2 is a schematic structural view of an android application shell checking device according to one embodiment of the present disclosure. As shown in fig. 2, the android application shell checking device includes a static feature extraction module 21, a dynamic feature extraction module 22, a first matching module 23, a second matching module 24, and an identification module 25.
The static feature extraction module 21 is configured to extract static features of the android application package.
In some embodiments, the static features of the android application package include at least one of static file features of the android application package, entry address features of a manifest file in the android application package, and feature functions in a smali file generated after an executable file in the android application package is decompiled.
In some embodiments, the static file features include at least one of a directory name or a file name. For example, file names include .so, .jar, .aar, .apk, .class, .dex, .des, .dey, .dat and .bin files, and the like.
The dynamic feature extraction module 22 is configured to launch the android application package to obtain dynamic features of the android application package.
In some embodiments, the dynamic feature extraction module 22 obtains dynamic features of the android application package by analyzing a system log, where the dynamic features include at least one of a call frequency of each function and a call relationship between each function in the android application package.
The first matching module 23 is configured to match the static feature with a preset static feature library, so as to obtain an indication function value of the static feature relative to each shell adding mode respectively.
In some embodiments, the preset static feature library includes static file features of various known shelling methods, as well as entry address features in the manifest file and feature functions in the smali file obtained by decompiling the dex file. Static file features include directory and file names.
The second matching module 24 is configured to match the dynamic feature with a preset dynamic feature library to obtain an indication function value of the dynamic feature relative to each shell adding mode respectively.
In some embodiments, the preset dynamic feature library includes function call features of various known shelling methods.
The identifying module 25 is configured to calculate a weighted sum of the indication function values for each shell adding mode, determine whether the maximum weighted sum is greater than a preset threshold, and use the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application package when the maximum weighted sum is greater than the preset threshold.
In some embodiments, the shell adding mode of the android application package is determined to be unknown if the maximum weighted sum is not greater than the preset threshold.
In the android application shell checking device provided by the embodiment of the disclosure, shell checking can be quickly and non-invasively realized by combining the static characteristics and the dynamic characteristics, and the shell checking accuracy is improved.
Fig. 3 is a schematic structural view of an android application shell checking device according to another embodiment of the present disclosure. As shown in fig. 3, the android application shell checking device includes a memory 31 and a processor 32.
The memory 31 is used for storing instructions. The processor 32 is coupled to the memory 31. The processor 32 is configured to perform a method as referred to in any of the embodiments of fig. 1 based on the instructions stored by the memory.
As shown in fig. 3, the android application shell checking device further comprises a communication interface 33 for information interaction with other devices. The android application shell checking device further comprises a bus 34, and the processor 32, the communication interface 33 and the memory 31 communicate with each other through the bus 34.
The memory 31 may include a high-speed RAM (Random Access Memory) and may further include a Non-Volatile Memory (NVM), such as at least one disk storage. The memory 31 may also be a memory array. The memory 31 may also be partitioned and the blocks may be combined into virtual volumes according to certain rules.
Further, the processor 32 may be a central processing unit, or may be an ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium. The computer readable storage medium stores computer instructions that, when executed by a processor, implement a method as referred to in any of the embodiments of fig. 1.
In some embodiments, the functional modules described above may be implemented as general-purpose processors, programmable logic controllers (Programmable Logic Controller, abbreviated as PLCs), digital signal processors (Digital Signal Processor, abbreviated as DSPs), application specific integrated circuits (Application Specific Integrated Circuit, abbreviated as ASICs), field programmable gate arrays (Field-Programmable Gate Array, abbreviated as FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or any suitable combination thereof for performing the functions described herein.
Thus, embodiments of the present disclosure have been described in detail. In order to avoid obscuring the concepts of the present disclosure, some details known in the art are not described. How to implement the solutions disclosed herein will be fully apparent to those skilled in the art from the above description.
Although some specific embodiments of the present disclosure have been described in detail by way of example, it should be understood by those skilled in the art that the above examples are for illustration only and are not intended to limit the scope of the present disclosure. It will be understood by those skilled in the art that the foregoing embodiments may be modified and equivalents substituted for elements thereof without departing from the scope and spirit of the disclosure. The scope of the present disclosure is defined by the appended claims.

Claims (12)

1. An android application shell checking method, comprising:
extracting static characteristics of the android application program package;
starting the android application program package to obtain dynamic characteristics of the android application program package;
matching the static features with a preset static feature library to respectively obtain indication function values of the static features relative to each shell adding mode;
matching the dynamic characteristics with a preset dynamic characteristic library to respectively obtain indication function values of the dynamic characteristics relative to each shell adding mode;
calculating a weighted sum of the indication function values for each shell adding mode;
judging whether the maximum weighted sum is larger than a preset threshold;
and taking the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application program package under the condition that the maximum weighted sum is larger than the preset threshold.
2. The method of claim 1, wherein,
the static features of the android application package comprise at least one of static file features of the android application package, entry address features of a manifest file in the android application package and feature functions in a smali file generated after executable files in the android application package are decompiled.
3. The method of claim 2, wherein,
the static file characteristics include at least one of a directory name or a file name.
4. The method of claim 1, wherein the obtaining the dynamic characteristics of the android application package comprises:
and obtaining dynamic characteristics of the android application program package by analyzing a system log, wherein the dynamic characteristics comprise at least one of calling frequency of each function and calling relation among the functions in the android application program package.
5. The method of any of claims 1-4, further comprising:
and determining that the shell adding mode of the android application program package is unknown under the condition that the maximum weighted sum is not larger than the preset threshold.
6. An android application shell checking device, comprising:
the static feature extraction module is configured to extract static features of the android application program package;
the dynamic feature extraction module is configured to start the android application program package to acquire dynamic features of the android application program package;
the first matching module is configured to match the static features with a preset static feature library so as to respectively acquire the indication function values of the static features relative to each shell adding mode;
the second matching module is configured to match the dynamic characteristics with a preset dynamic characteristic library so as to respectively acquire the indication function values of the dynamic characteristics relative to each shell adding mode;
the identification module is configured to calculate a weighted sum of indication function values according to each shell adding mode, judge whether the maximum weighted sum is larger than a preset threshold, and take the shell adding mode corresponding to the maximum weighted sum as the shell adding mode of the android application program package under the condition that the maximum weighted sum is larger than the preset threshold.
7. The apparatus of claim 6, wherein,
the static features of the android application package comprise at least one of static file features of the android application package, entry address features of a manifest file in the android application package and feature functions in a smali file generated after executable files in the android application package are decompiled.
8. The apparatus of claim 7, wherein,
the static file characteristics include at least one of a directory name or a file name.
9. The apparatus of claim 6, wherein,
the dynamic feature extraction module is configured to obtain the dynamic features of the android application package by analyzing a system log, wherein the dynamic features comprise at least one of the calling frequency of each function and the calling relations among the functions in the android application package.
10. The device according to any one of claims 6-9, wherein,
the identification module is further configured to determine that the shell adding mode of the android application package is unknown under the condition that the maximum weighted sum is not greater than the preset threshold.
11. An Android application shell checking device, comprising:
a memory configured to store instructions;
a processor coupled to the memory, the processor configured to perform the method of any of claims 1-5 based on instructions stored by the memory.
12. A computer readable storage medium storing computer instructions which, when executed by a processor, implement the method of any one of claims 1-5.
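The decision step recited in claims 5 and 6 (indication function values per shell adding mode, weighted sum, threshold test, "unknown" fallback) can be sketched as follows. This is an added illustration, not code from the patent: the packer names, feature strings, per-kind weights and threshold value are all constructed assumptions.

```python
# Added illustration of the weighted indication-sum decision in the claims.
# All names, features, weights and the threshold below are constructed assumptions.

# Preset static feature library: shell adding mode -> file/directory names,
# manifest entry class, feature functions found in decompiled smali.
STATIC_LIB = {
    "packer_A": {"file:lib/libshell_a.so", "entry:com.example.a.StubApp",
                 "smali:a_decrypt_dex"},
    "packer_B": {"file:assets/b_payload.dat", "entry:com.example.b.Wrapper",
                 "smali:b_load"},
}
# Preset dynamic feature library: call relations / call-frequency buckets
# recovered from the system log after launching the package.
DYNAMIC_LIB = {
    "packer_A": {"call:attachBaseContext->a_decrypt_dex", "freq:a_decrypt_dex:high"},
    "packer_B": {"call:attachBaseContext->b_load"},
}
# Assumed weighting: one weight per feature kind (the prefix before ':').
WEIGHTS = {"file": 1.0, "entry": 2.0, "smali": 1.5, "call": 2.0, "freq": 1.0}
THRESHOLD = 3.0

def indicator(feature, mode, library):
    """Indication function: 1 if the feature is listed for this mode, else 0."""
    return 1 if feature in library.get(mode, set()) else 0

def weighted_sums(static_feats, dynamic_feats):
    """Weighted sum of indication function values for every shell adding mode."""
    sums = {}
    for mode in sorted(STATIC_LIB.keys() | DYNAMIC_LIB.keys()):
        total = 0.0
        for feats, lib in ((static_feats, STATIC_LIB), (dynamic_feats, DYNAMIC_LIB)):
            for f in feats:
                kind = f.split(":", 1)[0]
                # Feature kinds without a configured weight contribute nothing.
                total += WEIGHTS.get(kind, 0.0) * indicator(f, mode, lib)
        sums[mode] = total
    return sums

def identify(static_feats, dynamic_feats, threshold=THRESHOLD):
    """Return (mode, score); mode is 'unknown' unless the maximum sum exceeds the threshold."""
    sums = weighted_sums(static_feats, dynamic_feats)
    best = max(sums, key=sums.get)
    if sums[best] > threshold:   # strictly greater, as in claim 6
        return best, sums[best]
    return "unknown", sums[best]  # claim 5: not greater than the threshold
```

A package whose maximum sum only equals the threshold is reported as unknown, because the claims require the sum to be larger than the preset threshold.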
CN202010513695.9A 2020-06-08 2020-06-08 Android application shell checking method and device Active CN113836528B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010513695.9A CN113836528B (en) 2020-06-08 2020-06-08 Android application shell checking method and device

Publications (2)

Publication Number Publication Date
CN113836528A CN113836528A (en) 2021-12-24
CN113836528B true CN113836528B (en) 2023-10-13

Family

ID=78963636

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010513695.9A Active CN113836528B (en) 2020-06-08 2020-06-08 Android application shell checking method and device

Country Status (1)

Country Link
CN (1) CN113836528B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102855440A (en) * 2012-09-13 2013-01-02 北京奇虎科技有限公司 Method, device and system for detecting packed executable files
CN104392177A (en) * 2014-12-16 2015-03-04 武汉虹旭信息技术有限责任公司 Android platform based virus forensics system and method
CN105205398A (en) * 2015-11-04 2015-12-30 北京鼎源科技有限公司 Shell checking method based on dynamic behaviors of APK (android package) packing software
CN107180191A (en) * 2017-05-03 2017-09-19 北京理工大学 A kind of malicious code analysis method and system based on semi-supervised learning
CN108038376A (en) * 2017-12-21 2018-05-15 中国人民解放军战略支援部队信息工程大学 The general hulling method of cryptor and device based on hybrid analysis
KR20190080445A (en) * 2017-12-28 2019-07-08 숭실대학교산학협력단 Whitelist construction method for analyzing malicious code, computer readable medium and device for performing the method
CN110795734A (en) * 2019-10-12 2020-02-14 南京信息职业技术学院 Malicious mobile application detection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Sun He et al. A function call graph extraction method combining dynamic and static analysis. Computer Engineering. 2017, Vol. 43 (No. 03), pp. 154-162. *

Also Published As

Publication number Publication date
CN113836528A (en) 2021-12-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant