CN114676463A - File tampering detection method and device, electronic equipment and storage medium - Google Patents
File tampering detection method and device, electronic equipment and storage medium
- Publication number: CN114676463A (application CN202210331373.1A)
- Authority: CN (China)
- Prior art keywords: file, white, digital signature, detected, client
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/564—Static detection by virus signature recognition
Abstract
The embodiment of the invention relates to the technical field of computer security, in particular to a file tampering detection method and device, electronic equipment and a storage medium. The file tampering detection method is applied to a server and comprises the following steps: receiving a query request which is sent by a client and carries a digital signature; decrypting the digital signature to obtain a hash value to be searched; determining a result fed back to the client based on the hash value to be searched and a pre-established database, where the database comprises white files and the hash values corresponding to the digital signatures of the white files, and the result is either that a white file corresponding to the digital signature of the query request exists in the server or that no such white file exists in the server; and sending the result to the client so that the client uses the result to detect whether the first file to be detected carrying the digital signature has been tampered with. The scheme provided by the invention solves the problem that an antivirus engine cannot effectively detect a tampered white file.
Description
Technical Field
The embodiment of the invention relates to the technical field of computer security, in particular to a file tampering detection method and device, electronic equipment and a storage medium.
Background
With the widespread use of computer technology in all fields of social life, viruses have appeared alongside it. Because of their infectivity, self-replication and destructiveness, these viruses have become a significant problem plaguing computer use.
In the related art, a virus may tamper with a white file issued by an official party in the following way, for example: redundant data such as malicious code and junk data is appended to the tail of the binary code of the white file, and the malicious code is hidden inside the junk data. Such tampered white files are harder for an antivirus engine (e.g., antivirus software) to detect, so effective detection of these tampered white files cannot be achieved.
Disclosure of Invention
In order to solve the problem that an antivirus engine cannot effectively detect a tampered white file, embodiments of the present invention provide a file tampering detection method, apparatus, electronic device, and storage medium.
In a first aspect, an embodiment of the present invention provides a file tampering detection method, which is applied to a server, and includes:
receiving a query request which is sent by a client and carries a digital signature;
decrypting the digital signature to obtain a hash value to be searched;
determining a result fed back to the client based on the hash value to be searched and a pre-established database; wherein the database comprises white files and the hash values corresponding to the digital signatures of the white files, and the result is either that a white file corresponding to the digital signature of the query request exists in the server or that no such white file exists in the server;
and sending the result to the client, so that the client detects whether the first file to be detected carrying the digital signature is tampered by using the result.
In one possible design, the query request also carries an official source of the white document corresponding to the digital signature;
further comprising:
and when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, accessing the official website of the white file according to the official source of the white file carried by the query request sent by each client so as to collect the white file from the official website.
In one possible design, the query request also carries an official source of the white document corresponding to the digital signature;
further comprising:
and when the result is that the server does not have the white file corresponding to the digital signature of the query request, classifying the official websites of the white files according to the official sources of the white files carried by the query request sent by each client so as to analyze the first files to be detected of the same official websites.
In one possible design, the query request also carries an official source of the white document corresponding to the digital signature;
the decrypting the digital signature to obtain the hash value to be searched includes:
accessing an official website of the white document according to the official source of the white document;
acquiring a public key of the white document from the official website;
and decrypting the digital signature by using the public key to obtain a hash value to be searched.
In one possible design, at least part of the white files included in the database are obtained by:
for each client, when the current client determines the first file to be detected to be a tampered white file and determines a second file to be detected to be an untampered white file, the current client uploads the second file to be detected to the server as a white file; and the second file to be detected is a file obtained by recombining the valid data and the digital signature of the first file to be detected.
In one possible design, the valid data of the first file to be detected is obtained based on a digital signature of the first file to be detected.
In one possible design, the valid data of the first file to be detected is obtained by:
extracting, by the client, the digital signature of the first file to be detected, so as to obtain the starting position and the occupied length of the valid data of the first file to be detected within the binary code of the first file to be detected;
and acquiring, by the client, the valid data of the first file to be detected based on the starting position and the occupied length.
In a second aspect, an embodiment of the present invention further provides a file tampering detection apparatus, which is applied to a server, and includes:
the receiving module is used for receiving a query request which is sent by a client and carries a digital signature;
the decryption module is used for decrypting the digital signature to obtain a hash value to be searched;
the determining module is used for determining a result fed back to the client based on the hash value to be searched and a pre-established database; the database comprises white files and the hash values corresponding to the digital signatures of the white files, and the result is either that a white file corresponding to the digital signature of the query request exists in the server or that no such white file exists in the server;
and the sending module is used for sending the result to the client so that the client can detect whether the first file to be detected carrying the digital signature is tampered or not by using the result.
In a third aspect, an embodiment of the present invention further provides an electronic device, which includes a memory and a processor, where the memory stores a computer program, and when the processor executes the computer program, the processor implements the method described in any embodiment of this specification.
In a fourth aspect, the present invention further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed in a computer, the computer program causes the computer to execute the method described in any embodiment of the present specification.
The embodiment of the invention provides a file tampering detection method, a file tampering detection device, electronic equipment and a storage medium, wherein a server decrypts a digital signature after receiving a query request which is sent by a client and carries the digital signature to obtain a hash value to be searched; then the server determines a result fed back to the client based on the hash value to be searched and a pre-established database; and finally, the server sends the result to the client, so that the client detects whether the first file to be detected carrying the digital signature is tampered or not by using the result, and the server can help an antivirus engine of the client to realize effective detection of the tampered white file.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a flowchart of a file tampering detection method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another file tampering detection method according to an embodiment of the present invention;
FIG. 3 is a diagram of the hardware architecture of an electronic device according to an embodiment of the present invention;
FIG. 4 is a structural diagram of a file tampering detection device according to an embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, it is obvious that the described embodiments are some, but not all embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without making creative efforts belong to the protection scope of the present invention.
As mentioned above, the way in which the virus tampers with the white document issued by the official may be, for example: redundant data such as malicious codes and junk data are added to the tail of the binary codes of the white file, and the malicious codes are hidden in the junk data.
In order to solve the technical problem, the inventor considers that the documents issued by the authorities often have digital signatures, so whether the documents to be detected are falsified can be detected by using whether the digital signatures are valid, for example, the digital signatures can be used by a server to help an antivirus engine of a client to realize effective detection of the falsified white documents.
Specific implementations of the above concepts are described below.
Referring to fig. 1, an embodiment of the present invention provides a file tampering detection method, where the method includes:
step 100: receiving a query request which is sent by a client and carries a digital signature;
step 102: decrypting the digital signature to obtain a hash value to be searched;
step 104: determining a result fed back to the client based on the hash value to be searched and a pre-established database; the database comprises white files and the hash values corresponding to the digital signatures of the white files, and the result is either that a white file corresponding to the digital signature of the query request exists in the server or that no such white file exists in the server;
step 106: and sending the result to the client so that the client detects whether the first file to be detected carrying the digital signature is tampered or not by using the result.
In the embodiment of the invention, after receiving a query request carrying a digital signature sent by a client, a server decrypts the digital signature to obtain a hash value to be searched; then the server determines a result fed back to the client based on the hash value to be searched and a pre-established database; and finally, the server sends the result to the client, so that the client detects whether the first file to be detected carrying the digital signature is tampered or not by using the result, and the server can help an antivirus engine of the client to realize effective detection of the tampered white file.
The manner in which the various steps shown in fig. 1 are performed is described below.
With respect to step 100:
A digital signature is a digital string that only the sender of the information can generate and that others cannot forge; it is also a valid proof of the authenticity of the information sent by the sender.
Taking a PE file as an example, the IMAGE_NT_HEADERS structure of the PE file contains an IMAGE_OPTIONAL_HEADER32 structure, and the fifth IMAGE_DATA_DIRECTORY entry in the IMAGE_OPTIONAL_HEADER32 structure describes the digital signature of the PE file. Specifically, the VirtualAddress and Size fields of this fifth IMAGE_DATA_DIRECTORY entry give the position and the size of the digital signature, respectively. If both fields are non-zero, a digital signature exists in the PE file.
In order to prevent tampering, white files issued by authorities (e.g., office authorities, Windows authorities, etc.) typically carry digital signatures. In order to increase the difficulty of antivirus detection, a lawbreaker may add redundant data such as malicious code and garbage data to the tail of binary code of a white file, and hide the malicious code in the garbage data. Therefore, in order to detect whether the white document issued by the official is tampered, the digital signature carried by the white document can be utilized by the server to feed back the result obtained by the server to the client.
With respect to step 102:
The tamper-resistant logic of a digital signature is as follows: the sender generates a message digest from the message text with a hash function, then encrypts the digest with the sender's private key; the encrypted digest serves as the digital signature of the message and is sent to the receiver together with the message. The receiver first computes the message digest (i.e. the hash value) of the received original message with the same hash function as the sender, then decrypts the digital signature attached to the message with the public key; if the two digests are the same, the receiver can confirm that the message really came from the sender and has not been altered.
The digital signature has two functions: one is to be able to determine that the message was indeed signed and sent by the sender because someone else cannot impersonate the sender's signature; the second is that the digital signature can determine the integrity of the message, because the characteristic of the digital signature is that it represents the characteristics of the file, if the file changes, the value of the digital digest (i.e. the hash value) will also change, i.e. different files will get different digital digests.
In some embodiments, the query request also carries an official source of the white document corresponding to the digital signature, and step 102 may include:
accessing an official website of the white document according to the official source of the white document;
acquiring a public key of a white document from an official website;
and decrypting the digital signature by using the public key to obtain the hash value to be searched.
In this embodiment, the hash value to be searched is an encrypted field in the digital signature, and if the hash value to be searched is to be extracted, the official website where the white file is located needs to be accessed to obtain the public key corresponding to the white file, so that the digital signature is decrypted to obtain the hash value to be searched. It should be noted that, it is not known whether the "white document" mentioned in this step is tampered, and therefore, the server needs to search the digital signature of the "white document" to determine whether the "white document" is tampered from another perspective.
With respect to step 104:
for convenience of white file searching, the hash value to be searched in the digital signature can be utilized for searching.
It will be appreciated that the white documents included in the database may be collected by the server accessing the white document official website, or may be uploaded to the server by various clients.
In some embodiments, when the white file included in the database is obtained by uploading the white file to the server by each client, the white file is obtained by:
for each client, when the current client determines a first file to be detected to be a tampered white file and a second file to be detected to be an untampered white file, the current client uploads the second file to be detected to the server as a white file; and the second file to be detected is the file obtained by recombining the valid data and the digital signature of the first file to be detected.
That is to say, in this embodiment, the first file to be detected is a file in which redundant data is added to the tail of the binary code of the white file, and the second file to be detected is a file in which the redundant data in the first file to be detected is removed.
In some embodiments, the valid data of the first file to be detected is obtained based on a digital signature of the first file to be detected.
Taking the PE file as an example, for example, the size of the PE file is 11M, and the digital signature is located at a position of 10-11M, then valid data of the PE file can be obtained to be located at a position of 0-10M.
In some embodiments, the valid data of the first file to be detected is obtained by:
extracting, by the client, the digital signature of the first file to be detected, so as to obtain the starting position and the occupied length of the valid data of the first file to be detected within the binary code of the first file to be detected;
and acquiring, by the client, the valid data of the first file to be detected based on the starting position and the occupied length.
In this embodiment, the valid data of the first file to be detected can be obtained by the start position and the occupied length of the valid data extracted from the digital signature.
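The PE-specific part of this procedure (reading the position and size of the digital signature from the fifth data-directory entry, treating the bytes before that position as the valid data, and splicing the signature back onto the valid data) is shown below as an added example in Python. It is not code from the patent. `build_sample` constructs a minimal PE32 image (headers only, not a loadable executable) purely so that the parser has something to run on; every sample byte string is constructed for the example. In the security directory, `VirtualAddress` is a raw file offset rather than an RVA, which is why the parser slices the file directly.

```python
import struct

# The security directory is index 4 of the data-directory array, i.e. the
# fifth IMAGE_DATA_DIRECTORY entry.  Per optional-header magic:
# (offset of the data-directory array, offset of NumberOfRvaAndSizes).
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
_LAYOUT = {0x10B: (96, 92), 0x20B: (112, 108)}  # PE32, PE32+


def locate_signature(pe: bytes):
    """Return (offset, size) of the digital signature as recorded in the
    fifth data-directory entry, or (0, 0) when the entry is empty."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # skip IMAGE_FILE_HEADER (20 bytes)
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in _LAYOUT:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off, count_off = _LAYOUT[magic]
    (count,) = struct.unpack_from("<I", pe, opt + count_off)
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY:   # array too short: no security entry
        return 0, 0
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    va, size = struct.unpack_from("<II", pe, entry)
    return va, size


def is_signed(pe: bytes) -> bool:
    """Both fields non-zero means a digital signature is present."""
    off, size = locate_signature(pe)
    return off != 0 and size != 0


def split_file(pe: bytes):
    """Split into (valid data, signature, trailing bytes) using only the
    position and length carried by the signature entry.  For the 11 MB
    example in the text: valid data = [0, 10 MB), signature = [10 MB, 11 MB)."""
    off, size = locate_signature(pe)
    if off == 0 or size == 0:
        raise ValueError("file is not digitally signed")
    if off + size > len(pe):
        raise ValueError("signature entry points past end of file")
    return pe[:off], pe[off:off + size], pe[off + size:]


def recombine(pe: bytes) -> bytes:
    """Second file to be detected: valid data with the signature spliced
    back onto its tail, dropping anything that followed the signature."""
    valid, sig, _ = split_file(pe)
    return valid + sig


def build_sample(body: bytes, signature: bytes, trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, file header,
    224-byte optional header, then `body`, `signature` and `trailing`."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    sig_off = 64 + 4 + 20 + 224 + len(body) if signature else 0
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     sig_off, len(signature))
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + body + signature + trailing


if __name__ == "__main__":
    sample = build_sample(b"A" * 100, b"S" * 16, b"JUNK")       # constructed input
    print("signature at", locate_signature(sample))
    valid, sig, trailing = split_file(sample)
    print(len(valid), "valid bytes,", len(sig), "signature bytes,", trailing, "trailing")
    print("recombined equals original minus tail:", recombine(sample) == sample[:-4])
```

The `count` check matters on real inputs: a truncated or deliberately short data-directory array must not be read past its end.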
In step 106, how the client uses the result fed back by the server to detect whether the first file to be detected carrying the digital signature is tampered or not will be described.
For step 106:
in some embodiments, the step "the client detects whether the first to-be-detected file carrying the digital signature is tampered with by using the result" may include:
step S1, the client scans the first file to be detected carrying the digital signature;
step S2, the client verifies whether the digital signature of each first file to be detected is valid;
step S3, if the digital signature of the current first file to be detected is invalid, the client acquires the valid data of the current first file to be detected based on the digital signature of the current first file to be detected;
step S4, the client side recombines the valid data and the digital signature of the current first file to be detected into a second file to be detected;
step S5, the client detects whether the first file to be detected and the second file to be detected are tampered based on the digital signature of the second file to be detected.
In this embodiment, the antivirus engine first scans the first files to be detected carrying digital signatures and verifies whether the digital signature of each first file to be detected is valid; if the digital signature of the current first file to be detected is invalid, the valid data of the current first file to be detected is acquired based on its digital signature, so that redundant data appended to the tail of the binary code of the white file can be removed; the valid data and the digital signature of the current first file to be detected are then recombined into a second file to be detected, and whether the first file to be detected and the second file to be detected have been tampered with is detected based on the digital signature of the second file to be detected, thereby solving the problem that the antivirus engine cannot effectively detect the tampered white file.
In some embodiments, step S2 may include:
for each first file to be detected, the client executes:
extracting a first hash value in a digital signature of a current first file to be detected;
performing hash calculation on data except the digital signature in the current first file to be detected to obtain a second hash value;
and verifying whether the digital signature of the current first file to be detected is valid or not based on the first hash value and the second hash value.
In this embodiment, by comparing the first hash value in the digital signature with the second hash value obtained by hash calculation, it can be determined whether the digital signature of the current first file to be detected is valid.
It can be understood that the first hash value is an encrypted field in the digital signature, and in order to extract the first hash value, the official website where the current first file to be detected is located needs to be accessed to obtain the public key corresponding to the current first file to be detected, so that the digital signature is decrypted to obtain the first hash value. Meanwhile, the hash function corresponding to the first file to be detected can be obtained from the official website where the current first file to be detected is located, so that the hash function is used for carrying out hash calculation on data except for the digital signature in the current first file to be detected, and a second hash value is obtained. The hash function includes, but is not limited to, MD5(Message-Digest Algorithm 5), SHA-1, SHA-2, SHA-3, and RIPEMD-160.
In some embodiments, the step "verifying whether the digital signature of the current first file to be detected is valid based on the first hash value and the second hash value" may include:
if the first hash value is the same as the second hash value, the digital signature of the current first file to be detected is valid;
and if the first hash value is different from the second hash value, the digital signature of the current first file to be detected is invalid.
If the digital signature of the first file to be detected is valid, the first file to be detected is further indicated to be a white file which is not tampered; if the digital signature of the first file to be detected is invalid, it indicates that the white file issued by the official party has been tampered. However, at this time, the true reason for the tampering of the white file cannot be determined, that is, whether valid data of the white file is tampered or redundant data is attached to the tail of the binary code of the white file cannot be determined. Therefore, the true cause of the tampering of the white document needs to be determined continuously through the subsequent steps.
In order to determine the true cause of the white document falsification when the digital signature of the current first file to be detected is invalid, the digital signature of the current first file to be detected may be used to obtain the valid data of the current first file to be detected, and the specific obtaining manner is mentioned in the above, and is not described herein again.
After the valid data of the current first file to be detected is obtained, the valid data of the current first file to be detected and the digital signature can be recombined, so that the recombined second file to be detected can be continuously verified, and the true reason of the white file tampering when the digital signature of the current first file to be detected is invalid can be favorably determined.
It is to be understood that the reorganization may refer to splicing the digitally signed binary code to the tail of the binary code of the valid data.
In some embodiments, step S5 may include:
the client verifies whether the digital signature of the second file to be detected is valid;
and if the digital signature of the second file to be detected is valid, the client determines the second file to be detected as an untampered white file and determines the first file to be detected as a tampered white file.
In this embodiment, whether the digital signature of the second file to be detected is valid is verified; if it is valid, the second file to be detected can be determined to be a white file that has not been tampered with, and at the same time it can be determined that the true reason why the digital signature of the current first file to be detected is invalid is that redundant data was appended to the tail of the binary code of the white file, that is, the first file to be detected is a tampered white file.
In some embodiments, step S5 may further include:
the client verifies whether the digital signature of the second file to be detected is valid;
and if the digital signature of the second file to be detected is invalid and the result shows that the server has the white file corresponding to the digital signature of the query request, the client determines the first file to be detected and the second file to be detected as the tampered white file.
In this embodiment, if the digital signature of the second file to be detected is invalid and the result is that the server has a white file corresponding to the digital signature of the query request, it indicates that the valid data of the second file to be detected and the digital signature are not matched, that is, at least one of the two is tampered. That is, when the digital signature of the second document to be detected is invalid, the white document which is not tampered with cannot be determined, that is, the true reason for tampering with the white document cannot be determined.
In some embodiments, step S5 may further include:
the client verifies whether the digital signature of the second file to be detected is valid;
and if the digital signature of the second file to be detected is invalid and the result shows that the server does not have a white file corresponding to the digital signature of the query request, the client determines the first file to be detected and the second file to be detected as suspected malicious files.
In this embodiment, the true reason for the tampering of the white file still cannot be determined; however, because the server has no white file matching the digital signature, the degree of suspicion attaching to the first file to be detected and the second file to be detected is increased by the server's determination, so it is reasonable to determine both as suspected malicious files and remind the user to operate with care.
In some embodiments, the step "the client verifies whether the digital signature of the second file to be detected is valid" may include:
the client extracts a third hash value in the digital signature of the second file to be detected;
the client performs hash calculation on data except the digital signature in the second file to be detected to obtain a fourth hash value;
and the client verifies whether the digital signature of the second file to be detected is valid or not based on the third hash value and the fourth hash value.
In this embodiment, by comparing the third hash value in the digital signature with the fourth hash value obtained by the hash calculation, it can be determined whether the digital signature of the second file to be detected is valid.
It will be understood that the first hash value in the digital signature of the first file to be detected is the same as the third hash value of the second file to be detected, since the second file to be detected is obtained from the first file to be detected and carries the same digital signature.
It will also be understood that the third hash value is encrypted within the digital signature; to extract it, the official website of the second file to be detected is accessed to obtain the public key corresponding to that file, and the digital signature is decrypted with that public key to yield the third hash value. Of course, the first hash value obtained in step S2 may be used directly as the third hash value in the digital signature of the second file to be detected.
Likewise, the hash function used for the second file to be detected can be obtained from the same official website, and that hash function is then used to hash the data of the second file to be detected other than the digital signature, giving the fourth hash value. The hash function includes, but is not limited to, MD5 (Message-Digest Algorithm 5), SHA-1, SHA-2, SHA-3 and RIPEMD-160.
In some embodiments, the step "the client verifies whether the digital signature of the second file to be detected is valid based on the third hash value and the fourth hash value" may include:
if the third hash value is the same as the fourth hash value, the digital signature of the current second file to be detected is valid;
and if the third hash value is different from the fourth hash value, the digital signature of the current second file to be detected is invalid.
If the digital signature of the second file to be detected is valid, the second file to be detected is thereby shown to be an untampered white file; if it is invalid, the valid data of the second file to be detected and its digital signature do not match, meaning that at least one of the two has been tampered with. In that case an untampered white file cannot be determined from the second file to be detected alone, so the true reason for the tampering of the white file cannot be determined either.
In order to determine the true reason for the tampering further, the server may be used to determine whether a white file corresponding to the digital signature of the second file to be detected exists. If one exists, this verifies that the digital signature of the second file to be detected is correct and that its valid data has been tampered with, and the server can at the same time feed the untampered white file back to the client.
In addition, in order to improve the response capability of the server, the corresponding official website can be accessed according to the query request sent by each client, and the white files corresponding to the query request can be collected.
In some embodiments, the query request further carries an official source of the white file corresponding to the digital signature, and the method may further include:
and when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, accessing the official website of the white file according to the official source of the white file carried by the query request sent by each client, so as to collect the white file from the official website.
In this embodiment, a query request sent by a client to the server indicates that the client may be infected by a virus that has tampered with a specific white file, so the server can access the corresponding official website, collect the corresponding white file and feed it back to the client, which improves the response capability of the server.
Since some viruses that infect specific white files belong to the same virus family and share similar tampering habits, the specific white files can be analysed centrally on the basis of the query requests sent by the various clients.
In some embodiments, the query request further carries an official source of the white file corresponding to the digital signature, and the method may further include:
and when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, classifying the official websites of the white files according to the official sources of the white files carried by the query requests sent by each client, so as to analyse the first files to be detected from the same official website.
In this embodiment, the official websites of the white files are classified so that the user can conveniently analyse the first files to be detected from the same official website in order to identify the virus family, which further improves the detection and removal capability of the client's antivirus engine.
FIG. 2 shows a flow diagram of a file tampering detection method according to another embodiment. Referring to fig. 2, when the method is applied to the client, the method includes:
step 200: a client scans a first file to be detected carrying a digital signature;
step 202: the client verifies whether the digital signature of each first file to be detected is valid; if yes, go to step 204; if not, go to step 206;
step 204: the client determines the first file to be detected as a white file which is not tampered;
step 206: the client acquires effective data of the current first file to be detected based on the digital signature of the current first file to be detected;
step 208: the client side recombines the effective data and the digital signature of the current first file to be detected into a second file to be detected;
step 210: the client verifies whether the digital signature of the second file to be detected is valid; if yes, go to step 212; if not, go to step 214;
step 212: the client determines the second file to be detected as a white file which is not tampered, and determines the first file to be detected as a tampered white file;
step 214: the client uploads the digital signature of the second file to be detected to the server;
step 216: the client receives a result fed back by the server;
step 218: and the client receives the white files sent by the server, and determines the first file to be detected and the second file to be detected as the tampered white files.
When the method is applied to the server, the method comprises the following steps:
step 300: the server receives a query request which is sent by the client and carries a digital signature of a second file to be detected;
step 302: the server decrypts the digital signature to obtain a hash value to be searched;
step 304: the server determines a result fed back to the client based on the hash value to be searched and a pre-established database; steps 306, 308 and 310 are performed, respectively;
step 306: the server sends the result to the client;
step 308: when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, the server accesses the official website of the white file according to the official source of the white file carried by the query request sent by each client so as to collect the white file from the official website;
step 310: and when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, the server classifies the official websites of the white files according to the official sources of the white files carried by the query request sent by each client so as to analyze the first files to be detected of the same official websites.
As shown in fig. 3 and 4, an embodiment of the present invention provides a file tampering detection apparatus. The device embodiments may be implemented by software, or by hardware, or by a combination of hardware and software. From a hardware aspect, as shown in fig. 3, for a hardware architecture diagram of an electronic device in which a file tampering detection apparatus according to an embodiment of the present invention is located, in addition to the processor, the memory, the network interface, and the nonvolatile memory shown in fig. 3, the electronic device in which the apparatus is located may also include other hardware, such as a forwarding chip responsible for processing a message. Taking a software implementation as an example, as shown in fig. 4, as a logical device, a CPU of the electronic device reads a corresponding computer program in the non-volatile memory into the memory for running.
As shown in fig. 4, the file tampering detection device provided in this embodiment includes:
a receiving module 400, configured to receive a query request with a digital signature sent by a client;
a decryption module 402, configured to decrypt the digital signature to obtain a hash value to be searched;
a determining module 404, configured to determine a result to be fed back to the client based on the hash value to be searched and a pre-created database; the database comprises white files and hash values corresponding to the digital signatures of the white files, and the result comprises that the white files corresponding to the digital signature of the query request exist in the server and the white files corresponding to the digital signature of the query request do not exist in the server;
the sending module 406 is configured to send the result to the client, so that the client detects whether the first file to be detected carrying the digital signature is tampered with by using the result.
In an embodiment of the present invention, the receiving module 400 may be configured to perform step 100 in the above-described method embodiment, the decrypting module 402 may be configured to perform step 102 in the above-described method embodiment, the determining module 404 may be configured to perform step 104 in the above-described method embodiment, and the sending module 406 may be configured to perform step 106 in the above-described method embodiment.
In one embodiment of the invention, the query request also carries an official source of the white file corresponding to the digital signature;
further comprising:
and the collection module is used for accessing the official website of the white files according to the official source of the white files carried by the query requests sent by the clients when the result is that the white files corresponding to the digital signature of the query request do not exist in the server, so as to collect the white files from the official website.
In one embodiment of the invention, the query request also carries an official source of the white file corresponding to the digital signature;
further comprising:
and the classification module is used for classifying the official websites of the white files according to the official sources of the white files carried by the query requests sent by the clients when the result is that the white files corresponding to the digital signature of the query request do not exist in the server, so as to analyse the first files to be detected of the same official websites.
In one embodiment of the invention, the query request also carries an official source of the white file corresponding to the digital signature;
a decryption module 402, configured to perform the following operations:
accessing an official website of the white file according to the official source of the white file;
acquiring a public key of the white file from the official website;
and decrypting the digital signature by using the public key to obtain the hash value to be searched.
In one embodiment of the invention, at least part of the white files comprised by the database are obtained by:
for each client, when the current client determines a first file to be detected as a tampered white file and a second file to be detected as an untampered white file, the current client uploads the second file to be detected as a white file to a server; and the second file to be detected is the file obtained by recombining the effective data and the digital signature of the first file to be detected.
In one embodiment of the invention, the valid data of the first file to be detected is obtained based on a digital signature of the first file to be detected.
In an embodiment of the present invention, the valid data of the first file to be detected is obtained by:
extracting a digital signature of the first file to be detected by using the client to obtain the starting position and the occupied length of the effective data of the first file to be detected in the binary code of the first file to be detected;
and acquiring effective data of the first file to be detected by utilizing the client based on the starting position and the occupied length.
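As an added example that is not part of the patent or of any implementation of it, the following Python models the client flow of steps 200 to 218, the server lookup of steps 300 to 306, and the effective-data extraction just described (start position and occupied length recorded in the digital signature). The file format (a fixed 28-byte trailer holding the start, the length and the signature), the textbook RSA key over two Mersenne primes, the 128-bit BLAKE2b digest and the sample file contents are all constructed assumptions made for the demonstration; a real vendor signs with a padded signature scheme and a key the client obtains from the official source.

```python
"""Client/server flow of the file-tampering check, modelled with constructed data."""
import hashlib
from typing import Optional, Tuple

# Toy vendor key: textbook RSA over two Mersenne primes (constructed for the demo;
# no padding, ~150-bit modulus). A real signature scheme uses padded signatures.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537                                 # public exponent (the "public key" is (N, E))
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, held by the vendor only
SIG_LEN = 20                              # N < 2**150, so a raw signature fits in 20 bytes
TRAILER_LEN = 4 + 4 + SIG_LEN             # start(4) | length(4) | signature(20), appended to the file


def digest(region: bytes) -> int:
    """128-bit BLAKE2b digest of the signed region; small enough to sign under the toy modulus."""
    return int.from_bytes(hashlib.blake2b(region, digest_size=16).digest(), "big")


def sign_file(data: bytes) -> bytes:
    """Vendor side: append a trailer recording where the valid data lives and the signed hash."""
    sig = pow(digest(data), D, N).to_bytes(SIG_LEN, "big")
    return data + (0).to_bytes(4, "big") + len(data).to_bytes(4, "big") + sig


def split(file: bytes) -> Tuple[bytes, bytes]:
    """Separate the file into (everything except the signature block, signature block)."""
    return file[:-TRAILER_LEN], file[-TRAILER_LEN:]


def hash_in_signature(trailer: bytes) -> int:
    """Recover the hash embedded in the signature with the public key (the page's 'decryption')."""
    return pow(int.from_bytes(trailer[8:], "big"), E, N)


def signature_valid(file: bytes) -> bool:
    """Steps 202/210: hash all data except the signature and compare with the embedded hash."""
    body, trailer = split(file)
    return hash_in_signature(trailer) == digest(body)


def rebuild(file: bytes) -> bytes:
    """Steps 206/208: cut the valid data at the recorded start/length and re-attach the signature."""
    _, trailer = split(file)
    start = int.from_bytes(trailer[:4], "big")
    length = int.from_bytes(trailer[4:8], "big")
    return file[start:start + length] + trailer


class WhiteFileServer:
    """Steps 300-306: database keyed by the hash carried in each white file's signature."""

    def __init__(self) -> None:
        self.db = {}

    def add_white_file(self, file: bytes) -> None:
        self.db[hash_in_signature(split(file)[1])] = file

    def query(self, trailer: bytes) -> Optional[bytes]:
        return self.db.get(hash_in_signature(trailer))   # None: no white file for this signature


def classify(file: bytes, server: WhiteFileServer) -> Tuple[str, Optional[bytes]]:
    """Client decision of Fig. 2: (verdict, untampered white file or None)."""
    if signature_valid(file):
        return "untampered", file
    second = rebuild(file)
    if signature_valid(second):
        server.add_white_file(second)      # claim 5: recovered white file is uploaded to the server
        return "tampered white file", second
    white = server.query(split(second)[1])
    if white is not None:
        return "tampered white file", white
    return "suspected malicious", None


def demo() -> dict:
    """Constructed sample files: a clean one, one with a stub appended, one with a stub prepended."""
    original = sign_file(b"MZ\x90\x00 constructed clean program bytes")
    body, trailer = split(original)
    appended = body + b"INJECTED-STUB" + trailer    # valid data region still intact
    prepended = b"INJECTED-STUB" + original         # recorded offset now points at the stub
    server, empty_server = WhiteFileServer(), WhiteFileServer()
    return {
        "clean": classify(original, server)[0],
        "appended": classify(appended, server),          # recovered locally, uploaded to server
        "prepended": classify(prepended, server),        # recovered via the server database
        "prepended_no_server": classify(prepended, empty_server)[0],
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, "->", verdict if isinstance(verdict, str) else verdict[0])
```

The appended stub leaves the recorded data region intact, so the rebuilt second file verifies and the client both restores the white file and feeds it to the server; the prepended stub shifts the recorded offset onto injected bytes, so local rebuilding fails and only a server that already holds the white file for that signature can return it, otherwise both files are flagged as suspected malicious. Two points for anyone building on the scheme: the recovered file is trusted only because the re-attached signature verified against the vendor's public key, never because the trailer said so; and of the hash functions the page lists, MD5 and SHA-1 have practical collision attacks, so a production verifier should reject signatures over them and use SHA-2 or SHA-3.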
It is to be understood that the structure illustrated in the embodiment of the present invention does not specifically limit a document tampering detection apparatus. In other embodiments of the invention, a document tampering detection device may include more or fewer components than shown, or some components may be combined, some components may be separated, or a different arrangement of components may be used. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
Because the content of information interaction, execution process, and the like among the modules in the device is based on the same concept as the method embodiment of the present invention, specific content can be referred to the description in the method embodiment of the present invention, and is not described herein again.
The embodiment of the invention also provides electronic equipment which comprises a memory and a processor, wherein the memory stores a computer program, and when the processor executes the computer program, the file tampering detection method in any embodiment of the invention is realized.
An embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the computer-readable storage medium, and when the computer program is executed by a processor, the processor is caused to execute a file tampering detection method in any embodiment of the present invention.
Specifically, a system or an apparatus equipped with a storage medium on which software program codes that realize the functions of any of the above-described embodiments are stored may be provided, and a computer (or a CPU or MPU) of the system or the apparatus is caused to read out and execute the program codes stored in the storage medium.
In this case, the program code itself read from the storage medium can realize the functions of any of the above-described embodiments, and thus the program code and the storage medium storing the program code constitute a part of the present invention.
Examples of the storage medium for supplying the program code include a floppy disk, a hard disk, a magneto-optical disk, an optical disk (e.g., CD-ROM, CD-R, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, DVD + RW), a magnetic tape, a nonvolatile memory card, and a ROM. Alternatively, the program code may be downloaded from a server computer via a communications network.
Further, it should be clear that the functions of any one of the above-described embodiments may be implemented not only by executing the program code read out by the computer, but also by causing an operating system or the like operating on the computer to perform a part or all of the actual operations based on instructions of the program code.
Further, it is to be understood that the program code read out from the storage medium is written to a memory provided in an expansion board inserted into the computer or to a memory provided in an expansion module connected to the computer, and then causes a CPU or the like mounted on the expansion board or the expansion module to perform part or all of the actual operations based on instructions of the program code, thereby realizing the functions of any of the above-described embodiments.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an …" does not exclude the presence of other similar elements in a process, method, article, or apparatus that comprises the element.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.
Claims (10)
1. A file tampering detection method is applied to a server and comprises the following steps:
receiving a query request which is sent by a client and carries a digital signature;
decrypting the digital signature to obtain a hash value to be searched;
determining a result fed back to the client based on the hash value to be searched and a pre-established database; wherein the database comprises white files and hash values corresponding to the digital signatures of the white files, and the result comprises that the white files corresponding to the digital signature of the query request exist in the server and the white files corresponding to the digital signature of the query request do not exist in the server;
and sending the result to the client, so that the client detects whether the first file to be detected carrying the digital signature is tampered by using the result.
2. The method of claim 1, wherein the query request further carries an official source of a white file corresponding to the digital signature;
further comprising:
and when the result is that the white file corresponding to the digital signature of the query request does not exist in the server, accessing the official website of the white file according to the official source of the white file carried by the query request sent by each client so as to collect the white file from the official website.
3. The method of claim 1, wherein the query request further carries an official source of a white file corresponding to the digital signature;
further comprising:
and when the result is that the server does not have the white file corresponding to the digital signature of the query request, classifying the official websites of the white files according to the official sources of the white files carried by the query request sent by each client so as to analyse the first files to be detected of the same official websites.
4. The method of claim 1, wherein the query request further carries an official source of a white file corresponding to the digital signature;
the decrypting the digital signature to obtain the hash value to be searched includes:
accessing an official website of the white file according to the official source of the white file;
acquiring a public key of the white file from the official website;
and decrypting the digital signature by using the public key to obtain a hash value to be searched.
5. The method according to any one of claims 1-4, wherein at least part of the white files comprised by the database are obtained by:
for each client, when the current client determines the first file to be detected as a tampered white file and determines a second file to be detected as an untampered white file, the current client uploads the second file to be detected as a white file to the server; and the second file to be detected is a file obtained by recombining the effective data and the digital signature of the first file to be detected.
6. The method according to claim 5, wherein the valid data of the first file to be detected is obtained based on a digital signature of the first file to be detected.
7. The method according to claim 6, wherein the valid data of the first file to be detected is obtained by:
extracting the digital signature of the first file to be detected by using a client to obtain the starting position and the occupied length of the effective data of the first file to be detected in the binary code of the first file to be detected;
and acquiring the effective data of the first file to be detected by utilizing a client based on the starting position and the occupied length.
8. A file tampering detection device, applied to a server, includes:
the receiving module is used for receiving a query request which is sent by a client and carries a digital signature;
the decryption module is used for decrypting the digital signature to obtain a hash value to be searched;
the determining module is used for determining a result fed back to the client based on the hash value to be searched and a pre-established database; wherein the database comprises white files and hash values corresponding to the digital signatures of the white files, and the result comprises that the white files corresponding to the digital signature of the query request exist in the server and the white files corresponding to the digital signature of the query request do not exist in the server;
and the sending module is used for sending the result to the client so that the client can detect whether the first file to be detected carrying the digital signature is tampered or not by using the result.
9. An electronic device comprising a memory having stored therein a computer program and a processor that, when executing the computer program, implements the method of any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when executed in a computer, causes the computer to carry out the method of any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210331373.1A CN114676463B (en) | 2022-03-31 | 2022-03-31 | File tamper detection method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114676463A true CN114676463A (en) | 2022-06-28 |
CN114676463B CN114676463B (en) | 2024-09-24 |
Family
ID=82076190
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210331373.1A Active CN114676463B (en) | 2022-03-31 | 2022-03-31 | File tamper detection method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114676463B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007043321A (en) * | 2005-08-01 | 2007-02-15 | Hitachi Ltd | Authenticity verification method and system of electronic document |
US20080022407A1 (en) * | 2006-07-19 | 2008-01-24 | Rolf Repasi | Detecting malicious activity |
CN104751049A (en) * | 2015-03-09 | 2015-07-01 | 广东欧珀移动通信有限公司 | Application program installing method and mobile terminal |
US20160323106A1 (en) * | 2015-04-29 | 2016-11-03 | Ncr Corporation | Validating resources execution |
CN107480519A (en) * | 2017-08-04 | 2017-12-15 | 深圳市金立通信设备有限公司 | A kind of method and server for identifying risk application |
CA2935130A1 (en) * | 2016-07-26 | 2018-01-26 | Mirza Kamaludeen | Encrypted data - computer virus, malware and ransom ware detection system |
CN108304722A (en) * | 2017-12-21 | 2018-07-20 | 广州小鹏汽车科技有限公司 | A kind of software installation packet and its generation method, upgrade method and system |
CN110830257A (en) * | 2018-08-14 | 2020-02-21 | 珠海金山办公软件有限公司 | File signature method and device, electronic equipment and readable storage medium |
CN111726322A (en) * | 2019-03-19 | 2020-09-29 | 国家计算机网络与信息安全管理中心 | Method and device for detecting file tampering hijacking and storage medium |
2022-03-31: application CN202210331373.1A filed (CN); patent CN114676463B active.
Also Published As
Publication number | Publication date |
---|---|
CN114676463B (en) | 2024-09-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | GR01 | Patent grant | |