CN113901483A - Application detection method and device, computer storage medium and electronic equipment - Google Patents

Publication number
CN113901483A
Authority
CN
China
Prior art keywords
application
information
running
detection
detection program
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111320683.5A
Other languages
Chinese (zh)
Inventor
巫鸿豪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Boguan Information Technology Co Ltd
Original Assignee
Guangzhou Boguan Information Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The disclosure relates to the field of computer technology, and in particular to an application detection method and device, a storage medium and an electronic device. The method comprises: adding a hook function based on the Xposed framework to a target function to generate a detection program file; acquiring information on the package to be detected and, if that information matches the information of a currently running application, injecting the detection program file into the running program of the currently running application; and running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process. The method and device can detect multiple target functions that involve privacy-related calls at the same time, and can detect multiple running applications by running the detection program file and the currently running applications across processes; detection efficiency is high and few code changes are needed.

Description

Application detection method and device, computer storage medium and electronic equipment
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to an application detection method, an application detection apparatus, a computer storage medium, and an electronic device.
Background
The Android system is currently the most popular smartphone software platform, and it is open and customizable. Because of this openness, application publishing lacks identity authentication and review is relatively weak, so malicious Android applications are increasingly rampant, which poses great challenges to users' personal privacy and property security. Accurately detecting violations in applications is therefore of great practical significance.
Violations by Android applications include illegal collection of personal information, excessive permission requests, fee consumption, privacy theft, frequent harassment and the like. At present, malicious applications are detected by having program developers inspect the project code, communicate repeatedly with officials of the Ministry of Industry and Information Technology and make the corresponding changes to avoid violations, or by developing a dedicated detection plug-in for each type of Android application. Each such plug-in can only detect a specific application, so a detection method is needed that can detect multiple kinds of violations and be applied to multiple applications at the same time.
It is to be noted that the information disclosed in the background section above is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The application detection method and device, computer storage medium and electronic device of the present disclosure can detect multiple behaviors that illegally call user privacy information at the same time and are suitable for multiple applications, which improves application detection efficiency and reduces development cost.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to an aspect of the present disclosure, there is provided an application detection method including: adding a hook function based on the Xposed framework to a target function to generate a detection program file; acquiring information on the package to be detected and, if that information matches the information of a currently running application, injecting the detection program file into the running program of the currently running application; and running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process.
In an exemplary embodiment of the disclosure, before adding the Xposed-framework-based hook function to the target function to obtain the detection program file, the method further includes: acquiring the highest (root) authority of the Android system; and installing an Xposed module, and replacing the Zygote system process file in the Android system through the Xposed module.
In an exemplary embodiment of the present disclosure, the running information of the detection program file's process is stored in a local file; before the information on the package to be detected is matched with the information of the currently running application, the method further comprises: injecting an Xposed file into the process of the currently running application, wherein the running of the Xposed file depends on the detection program file; and obtaining the information on the package to be detected stored in the local file by running the Xposed file so that it references the detection program file.
In an exemplary embodiment of the present disclosure, running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process, includes: running the detection program file injected into the running program of the currently running application, so that the process of the currently running application obtains target data from the local file; and detecting, based on the target data, whether the target function is called in the process of the currently running application.
In an exemplary embodiment of the present disclosure, the information on the package to be detected includes the application package name of the package to be detected; acquiring the information on the package to be detected and, if it matches the information of the currently running application, injecting the detection program file into the running program of the currently running application comprises: if a plurality of application package names match the information of currently running applications, injecting the detection program file into the running program of the currently running application corresponding to each application package name, wherein each currently running application has an independent running process.
In an exemplary embodiment of the present disclosure, injecting the detection program file into the running program of the currently running application corresponding to each application package name includes: marking the detection program file injected into the running program of each currently running application.
In an exemplary embodiment of the present disclosure, running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process, includes: running, in each process, the detection program file and the corresponding currently running application; and, if it is detected that the process of a target currently running application calls the target function, generating early-warning information carrying the marking information of the detection program file in that process.
In an exemplary embodiment of the present disclosure, detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process includes: detecting and intercepting a call to the target function in the currently running application; processing the privacy item data corresponding to the call to the target function according to a preset rule, and using the processed privacy item data as the call result; and storing the privacy item data before and after processing in correspondence with each other.
In an exemplary embodiment of the present disclosure, the method further comprises: recording the running process of the currently running application, and generating a detection result document for the currently running application according to the recording result; and storing the detection result document, generating a document link and returning the document link to the user so that the user can obtain the detection result document through the link.
According to an aspect of the present disclosure, there is provided an application detection apparatus, the apparatus including: a file acquisition module for adding a hook function based on the Xposed framework to a target function to generate a detection program file; a file injection module for acquiring information on the package to be detected and, if that information matches the information of a currently running application, injecting the detection program file into the running program of the currently running application; and a detection module for running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process.
According to an aspect of the present disclosure, there is provided a computer storage medium having stored thereon a computer program which, when executed by a processor, implements the application detection method of any one of the above.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform any of the application detection methods described above via execution of the executable instructions.
According to the application detection method in the exemplary embodiment of the disclosure, Xposed, a hook framework that runs on the Android operating system, is used to hook target functions that could be used to illegally obtain user privacy information, and a detection program file is generated; when the information on the package to be detected matches the information of a currently running application, the detection program file is injected into the currently running application, and calls to the target functions in the process of the currently running application are detected by running the detection program and the currently running application across processes. First, because the hooked target functions are built into a detection program file that is injected into the running program of the currently running application, multiple target functions that involve privacy-related calls can be detected at the same time, which improves detection efficiency. Second, the detection program file and the currently running application run in different processes, and calls to the target functions are detected by calling the running information of the detection program file's process; this is not affected by the type of the currently running application and only requires that the acquired information on the package to be detected match the information of the currently running application. Different types of applications can therefore be detected with the same detection program file, the detection program file is reusable, and developers do not have to modify code repeatedly for each type of application. Third, the method is suitable for program developers to detect an application before the product goes online, and it can also be used independently of developers: a person without technical experience, such as an application user, only has to input the information on the package to be detected for detection of illegal privacy-related calls in the process of the currently running application to be carried out automatically, so the method has a wide range of application.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of exemplary embodiments of the present disclosure will become readily apparent from the following detailed description read in conjunction with the accompanying drawings. Several embodiments of the present disclosure are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which:
FIG. 1 shows a flow diagram of an application detection method according to an example embodiment of the present disclosure;
FIG. 2 illustrates a schematic diagram of a user entering a pending application package name according to an exemplary embodiment of the present disclosure;
FIG. 3 shows a schematic diagram of providing a list of pending application package names to a user according to an example embodiment of the present disclosure;
FIG. 4 illustrates a diagram of a user entering a plurality of pending application package names according to an exemplary embodiment of the present disclosure;
FIG. 5 is a flowchart illustrating a method for detecting a call behavior of a target function in a currently running application process by calling running information of a running process of a detection program file according to an exemplary embodiment of the present disclosure;
FIG. 6 shows a schematic structural diagram of an application detection apparatus according to an exemplary embodiment of the present disclosure;
FIG. 7 shows a schematic diagram of a storage medium according to an exemplary embodiment of the present disclosure; and
FIG. 8 shows a block diagram of an electronic device according to an exemplary embodiment of the present disclosure.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments will now be described more fully with reference to the accompanying drawings. The exemplary embodiments, however, may be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar structures, and thus their detailed description will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known structures, methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in the form of software, or in one or more software-hardened modules, or in different networks and/or processor devices and/or microcontroller devices.
In accordance with the arrangements for industry conduct building and rectification work in the information and communications industry, the Ministry of Industry and Information Technology has launched a special rectification campaign against applications (APPs) that infringe users' rights and interests. It strictly inspects and warns Android applications that illegally collect mobile phone users' personal information, collect personal information beyond the permitted scope and the like, notifies them to rectify, and, where rectification is overdue, imposes strict penalties such as public criticism and removal from app stores. Application development enterprises therefore need to test the applications they develop before going online and complete the modifications needed to conform to the privacy policy, yet the Ministry of Industry and Information Technology has not so far provided an official detection scheme.
In the related art, program developers can inspect the project code and communicate repeatedly with the Ministry of Industry and Information Technology to avoid violations. However, when the project code is complex, manually searching for calls is laborious and prone to omissions, so detection efficiency and accuracy are low. Detection tools or plug-ins are currently developed for each application, but each works only for a specific application; to detect several applications, the code must be modified and the tool or plug-in recompiled, so the reusability of this approach is low. When an SDK (Software Development Kit) provided by a third party is used for detection, the code cannot be inspected or modified, omissions are likely, and detection accuracy is low. In addition, a person without technical experience, such as an application user, cannot detect applications running on an Android device, so the range of use of such detection methods is limited.
Based on this, the exemplary embodiment of the present disclosure first provides an application detection method, which may be applied to detecting running applications on smart devices with the Android system, such as mobile phones and tablet computers. Referring to FIG. 1, the application detection method includes the following steps:
Step S110: adding a hook function based on the Xposed framework to a target function to generate a detection program file;
Step S120: acquiring information on the package to be detected and, if that information matches the information of a currently running application, injecting the detection program file into the running program of the currently running application;
Step S130: running the detection program file and the currently running application in different processes, and detecting calls to the target function in the process of the currently running application by calling the running information of the detection program file's process.
According to the application detection method in this exemplary embodiment, the hooked target functions are built into a detection program file that is injected into the running program of the currently running application, so multiple target functions that involve privacy-related calls can be detected at the same time, which improves detection efficiency. The detection program file and the currently running application run in different processes, and calls to the target functions are detected by calling the running information of the detection program file's process; this is not affected by the type of the currently running application and only requires that the acquired information on the package to be detected match the information of the currently running application. Different types of applications can therefore be detected with the same detection program file, the detection program file is reusable, and developers do not have to modify code repeatedly for each application. The method is suitable for program developers to detect an application before the product goes online, and it can also be used independently of developers: a person without technical experience, such as an application user, only has to input the information on the package to be detected for detection of illegal calls in the process of the currently running application to be carried out automatically, so the method has a wide range of application.
The application detection method in the exemplary embodiment of the present disclosure is further described below with reference to fig. 1.
In step S110, a hook function based on the Xposed framework is added to the target function, and a detection program file is generated.
In an exemplary embodiment of the present disclosure, a target function is a system function that can obtain user privacy information, such as a system function that obtains the user's device identifier, MAC (Media Access Control) address, geographic location information or IMEI (International Mobile Equipment Identity). The Xposed framework is an open-source framework service that runs on Android with high privileges. It can change how programs run without modifying their APK (Android application package) files, and several functional modules can run on it at the same time as long as their functions do not conflict. The framework intercepts calls to any Java function in the Android system by replacing a key system component (such as the Zygote system process file). A hook function (Hook) intercepts and monitors events before they are delivered to their destination, and can apply preset handling to specific events when it hooks them. Once a hook function has been added to a target function, the hook is already in place whenever the target function is called, so the call can be captured before or after it executes.
Specifically, based on the Xposed framework, a target function to be hooked is registered as a native-layer function, and the nativeFunc pointer of the registered function is then pointed at a native method that Xposed itself implements, so that calling the registered function invokes that native method and control is taken over. In the native method corresponding to the registered function, Xposed directly calls a Java method; that Java method calls the original target function as it was before registration, with hooks inserted before and after the call, and the target function is thereby hooked.
Based on this exemplary embodiment, Xposed-framework-based hook functions are added to a plurality of different target functions, and a detection program file that integrates detection of all of these target functions is generated. Multiple kinds of illegal calls made by running applications can then be detected at the same time, which improves application detection efficiency.
In the exemplary embodiment of the present disclosure, before the Xposed-framework-based hook function is added to the target function to obtain the detection program file, the highest authority of the Android system, root (superuser permission), needs to be obtained so as to gain full control of the lower layers of the system and of the system files. An Xposed module is then installed, and the Zygote system process file in the Android system is replaced through the Xposed module. Specifically, the Zygote system process is the core of Android: each time an app is launched on the Android system, Zygote forks (copies) a virtual machine instance to run it. After the Xposed framework is installed on the Android system, the framework overwrites the app_process file provided by native Android with its own implementation of app_process, and the replaced process file is loaded when the system starts. The replaced app_process therefore starts the module first and then enters the Zygote process; since all apps are created by Zygote, hooks based on the Xposed module are global, which gives control over the running processes of all apps on a device with the Android system installed.
It should be noted that the detection program file obtained in the exemplary embodiment of the present disclosure, as a tool for detecting illegal calls, may be installed on a smart device with the Android system; the Xposed module and the application to be detected also need to be installed on the smart device before application detection can be carried out.
In step S120, package information to be detected is obtained, and if the package information to be detected matches the currently running application information, the detection program file is injected into the running program of the currently running application.
In the exemplary embodiment of the present disclosure, the packet to be inspected information includes an application packet name, an application identifier, and the like of the packet to be inspected, which are used to identify unique identification information of the application to be inspected; optionally, the information of the to-be-detected package that needs to be subjected to application detection may be manually input by the user, as shown in fig. 2, the user inputs the name of the to-be-detected application package "com. Optionally, in response to an application detection trigger operation instruction of the user, a list of the to-be-detected package information may be provided to the user, so that the user selects the to-be-detected package information that needs to be detected, as shown in fig. 3, and the list of the names of the to-be-detected application packages is provided to the user for selection. The current running application information comprises information such as an application package name, an application type, an identification and running data of the current running application, and the current application running information can be acquired by installing the application to be detected in the intelligent device and running the application.
And further, matching the information of the to-be-detected package with the information of the currently running application, and if the information of the to-be-detected package is matched with the information of the currently running application, injecting the detection program file into the running program of the currently running application. Specifically, firstly, determining a target application process, namely a current running application process, according to a matching result of information of a packet to be detected and current running application information; secondly, an objective function of the so library (shared library file) corresponding to the currently running application is loaded, so that the execution flow of the currently running application process can jump to the code execution of the injected detection program file.
Based on the exemplary embodiment, the information of the to-be-detected package input or selected by the user is matched with the information of the currently running application, and the detection program file is injected into the running program of the currently running application under the condition that the matching result is determined, so that the calling behaviors of a plurality of target functions are detected simultaneously in the running process of the currently running program, and the detection efficiency is high.
In the exemplary embodiment of the present disclosure, the running information of the running process of the detection program file is stored in a local file; for example, it may be stored directly on an intelligent device (such as a mobile phone). Before the information of the package to be detected is matched with the currently running application information, the method further comprises the following step: injecting an Xposed file into the currently running application process, wherein the running of the Xposed file depends on the detection program file, and the detection program file is referenced by running the Xposed file to obtain the information of the package to be detected stored in the local file. That is to say, the running information of the detection program file is stored on the intelligent device; when the code of the Xposed file injected into the current application process runs, it needs to reference the code in the detection program file, and data, including the information of the package to be detected, is obtained from the local file by running the code in the detection program file.
With this exemplary embodiment, the running information of the detection program file is stored in the local file across processes, and while the currently running application process runs, that stored running information is read to obtain the information of the package to be detected. Because the application is detected through a different process, detection is not limited by the type of the currently running application, which improves the universality of application detection.
In the exemplary embodiment of the present disclosure, if there are a plurality of application package names matching the currently running application information, the detection program file is respectively injected into the running program of the currently running application corresponding to each application package name, where each currently running application has an independent running process.
Specifically, fig. 4 shows an exemplary diagram of a user inputting a plurality of application package names to be detected, wherein the respective application package names may be distinguished by spaces, separators, etc., as distinguished by the separator "&" between com. When a user inputs a plurality of application package names, each application package name is matched with the running information of the currently running applications; if at least two application package names match the currently running application information, that is, at least two currently running applications need to be detected at the same time, each of those currently running applications is run and detected in its own independent process.
Further, the exemplary embodiments of the present disclosure may mark the detection program file injected into the running program of each currently running application. Optionally, the detection program file injected into each currently running application may carry package information, such as a package name; optionally, a unique identifier, for example a number, a character, or a combination of numbers and characters, may be assigned to the detection program file injected into each currently running application. On this basis, while each currently running application process runs, the detection result also carries the marking information, so that the detection results of the individual currently running applications can be told apart.
Further, if a target currently running application process is detected calling the target function, early warning information carrying the marking information of the detection program file in that process is generated, to indicate that the target currently running application exhibits illegal calling behavior.
In step S130, the detection program file and the currently running application are respectively run by using different processes, and the call behavior of the target function in the currently running application process is detected by calling the running information of the running process of the detection program file.
In the exemplary embodiment of the present disclosure, the detection program file and the currently running application are run in different processes, and the running data of the detection program file is stored in a local file. While the currently running application process runs, the injected detection program file is executed, so that the currently running application process obtains target data from the local file; based on the target data, it is then detected whether the currently running program process calls the target function. The target data includes, but is not limited to, the name of the application package, the calling information of the target function to which the hook function based on the Xposed framework has been added, and detection result information such as the parameter variable that decides whether to trigger a prompt.
In an exemplary embodiment of the present disclosure, referring to fig. 5, detecting a call behavior of a target function in a currently running application process by calling running information of a running process of a detection program file may include the following steps:
In step S510, a call to the target function made by the currently running application is detected and intercepted. In the present exemplary embodiment, if a call to the target function occurs, the call is intercepted.
In step S520, the privacy item data corresponding to the call to the target function is processed according to a preset rule, and the processed privacy item data is used as the calling result. In the present exemplary embodiment, when the currently running application calls the target function, the privacy item data corresponding to the call is subjected to processing such as spoofing and falsification, and data that could easily expose the user's privacy information is hidden, so that leakage of the user's true privacy information is avoided without affecting the normal running of the application. In addition, the privacy item data before and after the processing can be stored in correspondence with each other for subsequent checking and correcting of the calling behavior.
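The per-package marking described above and the interception and processing of steps S510 and S520, modelled in Python as an added example (not code from the patent). The package names, the two masked privacy items, the `DET-nnn` marker format and the in-memory list standing in for the local file are all assumptions, and a plain wrapper function stands in for the Xposed hook.

```python
import functools
import json

# Assumed preset rules: how each privacy item is altered before the app sees it.
MASKING_RULES = {
    "device_id": lambda v: "0" * len(v),
    "phone_number": lambda v: v[:3] + "*" * (len(v) - 3),
}


def parse_packages(user_input, separator="&"):
    """Split the user's input into package names, dropping blanks and repeats."""
    names = []
    for raw in user_input.split(separator):
        name = raw.strip()
        if name and name not in names:
            names.append(name)
    return names


def assign_marks(requested, running):
    """Give every requested package that is running its own marker."""
    matched = [pkg for pkg in requested if pkg in running]
    return {pkg: f"DET-{i:03d}:{pkg}" for i, pkg in enumerate(matched, start=1)}


def install_hook(app, method_name, item, package, mark, local_file):
    """Wrap app.method_name so each call is recorded and its result masked."""
    original = getattr(app, method_name)
    rule = MASKING_RULES[item]

    @functools.wraps(original)
    def hooked(*args, **kwargs):
        real = original(*args, **kwargs)
        masked = rule(real)
        # One JSON line per call; the values before and after processing are
        # stored together so the call can be reviewed later.
        local_file.append(json.dumps({
            "mark": mark, "package": package, "function": method_name,
            "item": item, "before": real, "after": masked,
        }))
        return masked

    setattr(app, method_name, hooked)


def build_alerts(local_file):
    """Turn stored call records into warnings that carry the marker."""
    alerts = []
    for line in local_file:
        rec = json.loads(line)
        alerts.append(f"[{rec['mark']}] {rec['package']} called {rec['function']}")
    return alerts


class FakeTelephony:
    """Stand-in for the privacy API of one running app (constructed values)."""

    def __init__(self, device_id, phone_number):
        self._device_id = device_id
        self._phone_number = phone_number

    def get_device_id(self):
        return self._device_id

    def get_line1_number(self):
        return self._phone_number


def run_demo():
    # Constructed sample: three running apps; the user selects two of them
    # plus one package that is not running.
    running = {
        "com.example.chat": FakeTelephony("490154203237518", "13800000000"),
        "com.example.shop": FakeTelephony("356938035643809", "13900000000"),
        "com.example.idle": FakeTelephony("012345678901234", "13700000000"),
    }
    requested = parse_packages("com.example.chat & com.example.shop&com.example.absent")
    marks = assign_marks(requested, running)
    local_file = []  # models the local file shared between processes
    for pkg, mark in marks.items():
        install_hook(running[pkg], "get_device_id", "device_id", pkg, mark, local_file)
        install_hook(running[pkg], "get_line1_number", "phone_number", pkg, mark, local_file)
    seen_by_apps = [
        running["com.example.chat"].get_device_id(),
        running["com.example.shop"].get_line1_number(),
        running["com.example.idle"].get_device_id(),  # not selected: unhooked
    ]
    return marks, seen_by_apps, build_alerts(local_file), local_file


if __name__ == "__main__":
    for alert in run_demo()[2]:
        print(alert)
```

Each selected app receives only the masked value, the unselected app is untouched, and every alert can be traced back to one injected detector through its marker.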
In the exemplary embodiment of the disclosure, the running process of the currently running application may also be recorded, a detection result document of the currently running application is generated according to the recording result, the detection result document is stored, and a document link is generated and fed back to the user, so that the user acquires the detection result document by using the document link, thereby realizing trace tracking of application detection.
According to the application detection method of this exemplary embodiment, a detection program file is generated from the target function to which the hook function has been added and is injected into the running program of the currently running application, so that multiple target functions with privacy calling behaviors can be detected at the same time, which improves detection efficiency. The detection program file and the currently running application are run in different processes, and the calling behavior of the target function is detected by calling the running information of the running process of the detection program file; this is not affected by the type of the currently running application and only requires that the obtained information of the package to be detected match the information of the currently running application. Different types of applications can therefore be detected with the same detection program file, so the detection program file is reusable and developers do not have to modify code repeatedly for each application. The method is suitable for detecting an application before a developer releases the product online, and it can also be used without the developer: a person without technical experience, such as an application user, enters the information of the package to be detected and detection of illegal calling behavior in the currently running application process is executed automatically, so the range of application is wide.
In an exemplary embodiment of the present disclosure, an application detection apparatus is also provided. Referring to fig. 6, the application detection apparatus 600 may include a file acquisition module 610, a file injection module 620, and a detection module 630. Specifically:
the file acquisition module 610 is configured to add a hook function based on an Xposed framework to the target function, and generate a detection program file;
the file injection module 620 is configured to obtain information of a package to be detected, and if the information of the package to be detected matches information of a currently running application, inject the detection program file into a running program of the currently running application;
the detecting module 630 is configured to use different processes to run the detection program file and the currently running application, and detect a call behavior of the target function in the currently running application process by calling the running information of the running process of the detection program file.
Since each functional module of the application detection apparatus in the exemplary embodiment of the present disclosure is the same as that in the embodiment of the application detection method, it is not described herein again.
It should be noted that although the above detailed description refers to several modules or units of the application detection apparatus, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit, according to embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided so as to be embodied by a plurality of modules or units.
In addition, in the exemplary embodiments of the present disclosure, a computer storage medium capable of implementing the above method is also provided, on which a program product capable of implementing the above-described method of the present specification is stored. In some possible embodiments, aspects of the present disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the present disclosure described in the "exemplary methods" section above of this specification, when the program product is run on the terminal device.
Referring to fig. 7, a program product 700 for implementing the above method according to an exemplary embodiment of the present disclosure is described, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
In addition, in an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided. As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 800 according to such an embodiment of the disclosure is described below with reference to fig. 8. The electronic device 800 shown in fig. 8 is only an example and should not bring any limitations to the functionality and scope of use of the embodiments of the present disclosure.
As shown in fig. 8, electronic device 800 is in the form of a general purpose computing device. The components of the electronic device 800 may include, but are not limited to: the at least one processing unit 810, the at least one memory unit 820, a bus 830 connecting different system components (including the memory unit 820 and the processing unit 810), and a display unit 840.
Wherein the storage unit stores program code that is executable by the processing unit 810 to cause the processing unit 810 to perform steps according to various exemplary embodiments of the present disclosure as described in the "exemplary methods" section above in this specification.
The storage unit 820 may include readable media in the form of volatile storage units, such as a random access storage unit (RAM)821 and/or a cache storage unit 822, and may further include a read only storage unit (ROM) 823.
Storage unit 820 may also include a program/utility 824 having a set (at least one) of program modules 825, such program modules 825 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 830 may be any of several types of bus structures including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 800 may also communicate with one or more external devices 900 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 800, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 800 to communicate with one or more other computing devices. Such communication may occur via input/output (I/O) interfaces 850. Also, the electronic device 800 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 860. As shown, the network adapter 860 communicates with the other modules of the electronic device 800 via the bus 830. It should be appreciated that although not shown, other hardware and/or software modules may be used in conjunction with the electronic device 800, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the embodiments of the present disclosure.
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the terms of the appended claims.

Claims (12)

1. An application detection method, comprising:
adding a hook function based on an Xposed framework to the target function to generate a detection program file;
acquiring information of a packet to be detected, and if the information of the packet to be detected is matched with the information of the currently running application, injecting the detection program file into the running program of the currently running application;
and respectively operating the detection program file and the current operation application by adopting different processes, and detecting the calling behavior of the target function in the current operation application process by calling the operation information of the operation process of the detection program file.
2. The method of claim 1, wherein before adding an Xposed framework-based hook function to the target function to obtain the detection program file, the method further comprises:
acquiring the highest root authority of the Android system;
and installing an Xposed module, and replacing a system process zygote file in the Android system by the Xposed module.
3. The method according to claim 1, wherein the running information of the running process of the detection program file is stored in a local file;
before the information of the packet to be detected is matched with the information of the current running application, the method further comprises the following steps:
injecting an Xposed file in the current running application process, wherein the running of the Xposed file depends on the detection program file;
and obtaining the information of the packet to be detected stored in the local file by running the Xposed file to reference the detection program file.
4. The method according to claim 3, wherein the using different processes to run the detection program file and the currently running application respectively, and detecting a calling behavior of the target function in the currently running application process by calling the running information in the running process of the detection program file comprises:
running the detection program file injected in the running program of the currently running application, so that the currently running application process goes to the local file to obtain target data;
and detecting whether the calling behavior of the target function exists in the current running program process or not based on the target data.
5. The method according to claim 1, wherein the packet to be inspected information includes an application packet name of the packet to be inspected;
the acquiring of the information of the packet to be detected, if the information of the packet to be detected is matched with the information of the currently running application, injecting the detection program file into the running program of the currently running application, and the acquiring comprises the following steps:
and if a plurality of application package names matched with the currently running application information exist, respectively injecting the detection program file into the running program of the currently running application corresponding to each application package name,
wherein each currently running application has an independent running process.
6. The method according to claim 5, wherein the injecting the detection program into the running program of the currently running application corresponding to each application package name respectively comprises:
and marking the detection program file injected into the running program of each currently running application respectively.
7. The method according to claim 6, wherein the using different processes to run the detection program file and the currently running application respectively, and detecting a calling behavior of the target function in the currently running application process by calling the running information of the running process of the detection program file comprises:
each process respectively operates the detection program file and the corresponding current operation application;
and if the fact that the target currently running application process calls the target function is detected, generating early warning information carrying the marking information of the detection program file in the target currently running process.
8. The method according to any one of claims 1 to 7, wherein the detecting the calling behavior of the target function in the currently running application process by calling the running information of the running process of the detection program file comprises:
detecting and intercepting a calling behavior of the target function in a currently running application program;
processing the privacy item data corresponding to the calling behavior of the target function according to a preset rule, and taking the processed privacy item data as a calling result;
and correspondingly storing the privacy item data before and after processing.
9. The method according to any one of claims 1 to 7, further comprising:
recording the running process of the currently running application, and generating a detection result document of the currently running application according to a recording result;
and storing the detection result document, generating a document link and feeding back the document link to a user so that the user can obtain the detection result document by using the document link.
10. An application detection apparatus, characterized in that the apparatus comprises:
the file acquisition module is used for adding a hook function based on an Xposed framework to the target function to generate a detection program file;
the file injection module is used for acquiring information of a packet to be detected, and if the information of the packet to be detected is matched with the information of the currently running application, injecting the detection program file into the running program of the currently running application;
and the detection module is used for adopting different processes to respectively operate the detection program file and the currently operated application, and detecting the calling behavior of the target function in the currently operated application process by calling the operation information of the operation process of the detection program file.
11. A storage medium having stored thereon a computer program which, when executed by a processor, implements an application detection method according to any one of claims 1 to 9.
12. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the application detection method of any of claims 1 to 9 via execution of the executable instructions.
CN202111320683.5A 2021-11-09 2021-11-09 Application detection method and device, computer storage medium and electronic equipment Pending CN113901483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111320683.5A CN113901483A (en) 2021-11-09 2021-11-09 Application detection method and device, computer storage medium and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111320683.5A CN113901483A (en) 2021-11-09 2021-11-09 Application detection method and device, computer storage medium and electronic equipment

Publications (1)

Publication Number Publication Date
CN113901483A true CN113901483A (en) 2022-01-07

Family

ID=79193745

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111320683.5A Pending CN113901483A (en) 2021-11-09 2021-11-09 Application detection method and device, computer storage medium and electronic equipment

Country Status (1)

Country Link
CN (1) CN113901483A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination