CN116527616A - Method and device for monitoring instant messaging data, electronic equipment and storage medium - Google Patents


Publication number
CN116527616A
Authority
CN
China
Prior art keywords
instant messaging
key
data
decrypted
decryption key
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310373274.4A
Other languages
Chinese (zh)
Inventor
徐璐
刘君棚
杜佳颖
韩争光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qi'an Pangu Shanghai Information Technology Co ltd
Qianxin Technology Group Co Ltd
Original Assignee
Qi'an Pangu Shanghai Information Technology Co ltd
Qianxin Technology Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/04 Real-time or near real-time messaging, e.g. instant messaging [IM]
    • H04L51/07 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail characterised by the inclusion of specific contents
    • H04L51/10 Multimedia information
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/30 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/302 Network architectures or network communication protocols for network security for supporting lawful interception, monitoring or retaining of communications or communication related information gathering intelligence information for situation awareness or reconnaissance
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/22 Parsing or analysis of headers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Evolutionary Computation (AREA)
  • Technology Law (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method, a device, electronic equipment and a storage medium for monitoring instant messaging data. The method comprises: determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted by reverse engineering; and decrypting a target database based on the decryption key to obtain instant messaging data, wherein the target database is the database corresponding to the instant messaging application to be decrypted. The method can obtain instant messaging data stably and conveniently, and thereby lays a foundation for monitoring the user's instant messaging behavior in real time based on the instant messaging data.

Description

Method and device for monitoring instant messaging data, electronic equipment and storage medium
Technical Field
The present invention relates to the field of computer application technologies, and in particular, to a method and apparatus for monitoring instant messaging data, an electronic device, and a storage medium.
Background
Instant messaging data is data generated when a user exchanges information through an instant messaging application.
In the related art, HOOK injection is often used to monitor, in real time, the instant messaging data a user generates through an instant messaging application. However, that method is relatively complex and has poor stability.
How to stably and conveniently obtain the instant messaging data a user generates through an instant messaging application has therefore become a research hot spot.
Disclosure of Invention
The invention provides a method, a device, electronic equipment and a storage medium for monitoring instant messaging data, which can stably and conveniently acquire the instant messaging data.
The invention provides a method for monitoring instant messaging data, comprising: determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted by reverse engineering; and decrypting a target database based on the decryption key to obtain instant messaging data, wherein the target database is a database storing the instant messaging data to be decrypted.
According to the method for monitoring instant messaging data provided by the invention, obtaining the decryption key of the instant messaging application to be decrypted by reverse engineering specifically comprises: viewing the call stack corresponding to the target database when the target database is opened; determining an encryption function in the call stack, wherein the encryption function is a function containing key information of the decryption key; and obtaining the decryption key of the instant messaging application to be decrypted by decompiling the encryption function.
According to the method for monitoring instant messaging data provided by the invention, before the decryption key of the instant messaging application to be decrypted is obtained by reverse engineering, the method further comprises: acquiring the memory of the instant messaging application to be decrypted, wherein the memory stores an obfuscated key, the obfuscated key being the key that corresponds to the decryption key after obfuscation processing; and scanning the memory to obtain the obfuscated key. Obtaining the decryption key of the instant messaging application to be decrypted by reverse engineering then specifically comprises: determining a target position of the obfuscated key in the target database, wherein the target position stores key restoration algorithm information for the obfuscated key, and the key restoration algorithm is an algorithm for restoring the obfuscated key to the decryption key; decompiling the key restoration algorithm of the obfuscated key based on the target position; and obtaining the decryption key based on the key restoration algorithm and the obfuscated key.
According to the method for monitoring instant messaging data provided by the invention, the key restoration algorithm further includes salting rule information, which describes how the decryption key is salted to obtain the obfuscated key. Before the decryption key is obtained based on the key restoration algorithm and the obfuscated key, the method further comprises: acquiring the random salt value, stored in the target database, that corresponds to the obfuscated key. Obtaining the decryption key based on the key restoration algorithm and the obfuscated key then specifically comprises: restoring the decryption key from the random salt value and the obfuscated key according to the salting rule information in the key restoration algorithm.
According to the method for monitoring instant messaging data provided by the invention, the target database is decrypted based on the decryption key to obtain instant messaging data, and the method specifically comprises the following steps: under the condition that the writing of new data into the target database is monitored, decrypting the new data in the target database in real time based on the decryption key to obtain decrypted data corresponding to the new data; and obtaining the instant communication data in real time based on the decrypted data.
According to the method for monitoring the instant messaging data, the instant messaging data comprise chat record data; after the instant communication data is obtained, the method further comprises the following steps: analyzing the instant messaging data to obtain chat records corresponding to the instant messaging data and having different file formats, wherein the file formats at least comprise one or more of a picture format, a text format, a video format and an audio format, and the chat records are information records generated by a user based on information exchange of the instant messaging application to be decrypted.
According to the method for monitoring the instant messaging data, the instant messaging data comprises a target storage path; after the instant communication data is obtained, the method further comprises the following steps: analyzing the instant messaging data to obtain the target storage path corresponding to the instant messaging data; and searching chat records generated by the instant messaging application to be decrypted when information is exchanged based on the target storage path, wherein the target storage path is a storage path of the chat records generated by the user when the information is exchanged based on the instant messaging application to be decrypted.
According to the method for monitoring instant messaging data provided by the invention, the target database comprises a plurality of pages of data files, and each page of the data file is encrypted independently. Decrypting the target database based on the decryption key to obtain instant messaging data specifically comprises: decrypting each page of the data file in the target database based on the decryption key to obtain decrypted data of each page; and obtaining the instant messaging data based on the decrypted data of each page.
The invention also provides a device for monitoring instant messaging data, comprising: a first module for determining the instant messaging application to be decrypted and obtaining a decryption key of the instant messaging application to be decrypted by reverse engineering; and a second module for decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database storing the instant messaging data to be decrypted.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor realizes the method for monitoring the instant messaging data according to any one of the above when executing the program.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of monitoring instant messaging data as described in any of the above.
The invention also provides a computer program product comprising a computer program which when executed by a processor implements a method of monitoring instant messaging data as described in any of the above.
According to the method, the device, the electronic equipment and the storage medium for monitoring instant messaging data provided by the invention, the decryption key of the instant messaging application to be decrypted is obtained by reverse engineering, and the target database is decrypted based on the decryption key, so that instant messaging data can be obtained stably and conveniently, which lays a foundation for monitoring the user's instant messaging behavior in real time based on the instant messaging data.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic flow chart of a method for monitoring instant messaging data according to the present invention;
Fig. 2 is a schematic flow chart of obtaining a decryption key of an instant messaging application to be decrypted based on a reverse technology according to the present invention;
Fig. 3 is a second flow chart of obtaining a decryption key of an instant messaging application to be decrypted based on a reverse technique according to the present invention;
Fig. 4 is a second flow chart of the method for monitoring instant messaging data according to the present invention;
Fig. 5 is a schematic structural diagram of a monitoring device for instant messaging data according to the present invention;
Fig. 6 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
An instant messaging application may be understood as software that enables online chat, communication, and so forth via instant messaging technology. The method for monitoring instant messaging data provided by the invention can monitor, in real time, the communication information a user generates at the client of the instant messaging application, in a scenario where the monitored person is not aware of the monitoring.
In an example, the method for monitoring instant messaging data provided by the invention can be applied to a monitoring server. In the application process, the monitoring server can monitor communication information generated by the user in the instant messaging application based on the monitoring request input by the user, so that the user behavior can be monitored in real time.
Fig. 1 is a flow chart of a method for monitoring instant messaging data according to the present invention.
In order to further describe the method for monitoring instant messaging data provided by the present invention, the following will describe with reference to fig. 1.
In an exemplary embodiment of the present invention, as can be seen in fig. 1, the method for monitoring instant messaging data may include a step 110 and a step 120, and each step will be described below.
In step 110, the instant messaging application to be decrypted is determined, and a decryption key of the instant messaging application to be decrypted is obtained by reverse engineering.
In step 120, the target database is decrypted based on the decryption key to obtain instant messaging data.
Reverse engineering is the process of reproducing a product's design: a target product is analyzed and studied in reverse in order to deduce design elements such as its processing flow, organizational structure, functional characteristics and technical specifications, so that a product with similar but not identical functions can be made. Reverse engineering originated in hardware analysis in the commercial and military fields. Its main purpose is to deduce the design principles of a product directly from analysis of the finished product when the necessary production information cannot easily be obtained.
In one embodiment, the decryption key of the instant messaging application to be decrypted may be obtained by reverse engineering. The encrypted target database is then decrypted based on the decryption key, so that instant messaging data can be obtained. The instant messaging data may be regarded as data generated when a user exchanges information through an instant messaging application.
It can be understood that, based on the instant messaging data, the chat content produced when the user exchanges information through the instant messaging application can be obtained. With this embodiment, instant messaging data can be obtained stably and conveniently, which lays a foundation for monitoring the user's instant messaging behavior in real time based on the instant messaging data.
In one embodiment, the target database may be the database corresponding to the instant messaging application to be decrypted. In other words, the target database is a database storing the instant messaging data to be decrypted. It can be understood that the instant messaging data is obtained by decrypting the instant messaging data to be decrypted.
According to the method for monitoring instant messaging data provided by the invention, the decryption key of the instant messaging application to be decrypted is obtained by reverse engineering, and the target database is decrypted based on the decryption key, so that instant messaging data can be obtained stably and conveniently, which lays a foundation for monitoring the user's instant messaging behavior in real time based on the instant messaging data.
In order to further describe the method for monitoring instant messaging data provided by the present invention, the following will describe with reference to fig. 2.
Fig. 2 is a schematic flow chart of obtaining a decryption key of an instant messaging application to be decrypted based on a reverse technology according to the present invention.
In an exemplary embodiment of the present invention, as can be seen in Fig. 2, obtaining the decryption key of the instant messaging application to be decrypted by reverse engineering may include steps 210 to 230, each of which is described below.
In step 210, when the target database is opened, the call stack corresponding to the target database is viewed.
In step 220, an encryption function is determined in the call stack.
The encryption function is a function that contains key information of the decryption key.
In step 230, the decryption key of the instant messaging application to be decrypted is obtained by decompiling the encryption function.
In one embodiment, the call stack corresponding to the target database may be viewed when the target database is opened, so that the encryption function can be located in the call stack. It should be noted that the encryption function includes a preset identifier, so it can be readily identified in the call stack based on that identifier.
In yet another embodiment, the encryption function is a function that contains key information of the decryption key. In application, based on the key information contained in the encryption function, the decryption key of the instant messaging application to be decrypted can be obtained by decompiling the encryption function. It can be understood that, after the decryption key is obtained, the target database can be accessed in real time and the instant messaging data can be obtained dynamically in real time, without keeping the target database open.
Fig. 3 is a second flowchart of obtaining a decryption key of an instant messaging application to be decrypted based on a reverse technique according to the present invention.
The process of obtaining the decryption key of the instant messaging application to be decrypted by reverse engineering is described below with reference to Fig. 3.
In yet another exemplary embodiment of the present invention, as can be seen in Fig. 3, obtaining the decryption key of the instant messaging application to be decrypted by reverse engineering may include steps 310 to 350, each of which is described below.
In step 310, the memory of the instant messaging application to be decrypted is acquired.
The memory stores an obfuscated key, which is the key that corresponds to the decryption key after obfuscation processing.
In step 320, the memory is scanned to obtain the obfuscated key.
In step 330, the target position of the obfuscated key in the target database is determined.
The target position stores key restoration algorithm information for the obfuscated key, and the key restoration algorithm is an algorithm for restoring the obfuscated key to the decryption key.
In step 340, the key restoration algorithm of the obfuscated key is decompiled based on the target position.
In step 350, the decryption key is obtained based on the key restoration algorithm and the obfuscated key.
In one embodiment, the memory may include process memory. Scanning the memory to obtain the obfuscated key may then be implemented as follows:
based on the process handle of the instant messaging application, the process memory is scanned to obtain the obfuscated key.
In one embodiment, a process handle may be understood as a pointer to a piece of memory containing specific information data, which can be used as an index. In application, the process memory can be scanned based on the process handle of the instant messaging application to obtain the obfuscated key.
It should be noted that the obfuscated key may be the obfuscated form of the decryption key of the target database, where the target database is a database of the instant messaging application. In other words, the obfuscated key may be regarded as an encrypted decryption key; in application, once the specific manner of encryption is known, the decryption key can be restored from the obfuscated key and that manner of encryption.
In yet another embodiment, scanning the process memory based on the process handle of the instant messaging application to obtain the obfuscated key may be implemented as follows:
based on the process handle of the instant messaging application, scanning the process memory to obtain a plurality of candidate data;
and obtaining the obfuscated key from the plurality of candidate data based on a preset identifier.
In one embodiment, the obfuscated key has a distinguishing feature, which may be represented by a preset identifier. In application, the process memory of the instant messaging application is scanned based on the process handle to obtain a plurality of candidate data, which may include the obfuscated key. The obfuscated key can then be obtained by screening the candidate data based on the preset identifier. The preset identifier may be determined according to the actual situation and is not specifically limited in this embodiment.
In one embodiment, the process of the instant messaging application may be attached to and a breakpoint may be set at the location where the target database is opened, so that the target position of the obfuscated key in the target database can be obtained. Then, based on reverse engineering and the target position, the key restoration algorithm of the obfuscated key is decompiled. The key restoration algorithm is not specifically limited in this embodiment; in an example, the key restoration algorithm may be the pkcs5_pbkdf2_hmac1 key expansion algorithm.
In yet another exemplary embodiment of the present invention, the key restoration algorithm may further include salting rule information, which describes how the decryption key is salted to obtain the obfuscated key. Continuing with the embodiment illustrated in Fig. 3, before the decryption key is obtained based on the key restoration algorithm and the obfuscated key (corresponding to step 350), the method for monitoring instant messaging data may further include the following step:
acquiring the random salt value, stored in the target database, that corresponds to the obfuscated key;
obtaining the decryption key based on the key restoration algorithm and the obfuscated key may then be implemented as follows:
restoring the decryption key from the random salt value and the obfuscated key according to the salting rule information in the key restoration algorithm.
In one embodiment, the random salt value corresponding to the obfuscated key is stored in the target database. The way the random salt value and the obfuscated key are combined can be obtained from the salting rule information in the key restoration algorithm, so that the decryption key can be restored. With this embodiment, the decryption key can be restored stably and accurately, which lays a foundation for decrypting the target database based on the decryption key to obtain instant messaging data.
In still another exemplary embodiment of the present invention, taking the embodiment illustrated in Fig. 1 as an example, decrypting the target database based on the decryption key to obtain instant messaging data (step 120 in Fig. 1) may also be implemented as follows:
when it is detected that new data is written to the target database, decrypting the new data in the target database in real time based on the decryption key to obtain decrypted data corresponding to the new data;
and obtaining the instant messaging data in real time based on the decrypted data.
In one embodiment, in order to obtain the latest instant messaging data in real time, when it is detected that new data is written to the target database, the new data in the target database may be decrypted in real time based on the decryption key to obtain decrypted data corresponding to the new data.
In one embodiment, whether there is new data may be determined through the Last Sequence Number in the target database. In an example, when it is detected that new data has been generated, the new data in the target database may be decrypted in real time based on the decryption key to obtain decrypted data corresponding to the new data.
In yet another example, the auto-increment table sqlite_sequence of the target database, which records the record index of the current chat data, may be queried; if the index number has increased since the last query, the target database is writing new data. In application, the new data in the target database can then be decrypted in real time based on the decryption key to obtain decrypted data corresponding to the new data.
Through the embodiment, the communication information generated by the user based on the instant messaging application can be obtained in real time, so that the chat behavior of the user based on the instant messaging application can be monitored in real time.
In an exemplary embodiment of the present invention, the instant communication data may include chat log data; continuing with the embodiment shown in fig. 1, after obtaining the instant messaging data (corresponding to step 120), the method for monitoring instant messaging data further includes:
analyzing the instant messaging data to obtain chat records corresponding to the instant messaging data and having different file formats, wherein the file formats at least comprise one or more of picture formats, text formats, video formats and audio formats, and the chat records are information records generated by a user based on information exchange of the instant messaging application to be decrypted.
In one embodiment, when the instant messaging data is chat log data corresponding to a chat log (also referred to as chat content), then the corresponding chat log may be obtained directly based on the instant messaging data.
In an example, the instant messaging data may be parsed or converted to obtain chat records having different file formats corresponding to the instant messaging data. Through the embodiment, the chat record generated by the user based on the instant messaging application can be obtained, and the chat behavior of the user based on the instant messaging application can be monitored in real time.
In an exemplary embodiment of the present invention, the instant messaging data may include a target storage path. Continuing with the embodiment shown in fig. 1, after obtaining the instant messaging data (corresponding to step 120), the method for monitoring instant messaging data further includes:
analyzing the instant messaging data to obtain a target storage path corresponding to the instant messaging data;
and searching chat records generated when the instant messaging application to be decrypted exchanges information based on the target storage path, wherein the target storage path is a storage path of the chat records generated when the user exchanges information based on the instant messaging application to be decrypted.
In one embodiment, to save space, instead of storing the chat log in the target database, a storage path is stored that holds the chat log, and then the corresponding chat log can be found based on the storage path. In other words, when the instant messaging data is path data corresponding to a storage path of a chat log (may also be referred to as chat content), the instant messaging data may be first parsed to obtain a target storage path corresponding to the instant messaging data, and further, the chat log generated when the instant messaging application exchanges information may be found based on the target storage path. Through the embodiment, the chat record generated by the user based on the instant messaging application can be obtained, and the chat behavior of the user based on the instant messaging application can be monitored in real time.
In still another exemplary embodiment of the present invention, continuing to describe the foregoing embodiment as an example, after obtaining the chat log, the method for monitoring instant messaging data may further include:
and filtering the chat record based on the preset data information characteristics to obtain a target chat record.
In one embodiment, a keyword filtering method can be added so that the chat content the user is looking for can be located quickly. In one example, the chat record may be filtered based on the data information characteristics to obtain a target chat record. The data information characteristics may be adjusted according to the actual situation and are not specifically limited in this embodiment. In one example, for chat records in a document format, the data information characteristic may be a keyword. For chat records in a picture format, the data information characteristic may be an image characteristic value. For chat records in an audio format, the data information characteristic may be an audio characteristic value. Through this embodiment, the chat content the user is looking for can be located quickly, and the user's monitoring efficiency is improved.
In yet another exemplary embodiment of the present invention, the target database may include a plurality of pages of data files, each page of data file being separately encrypted; continuing with the description of the embodiment illustrated in fig. 1, the decryption of the target database based on the decryption key to obtain instant messaging data may be implemented in the following manner:
decrypting each page of data file in the target database based on the decryption key to obtain decrypted data of each page;
and obtaining instant communication data based on the decrypted data of each page.
Fig. 4 is a third flow chart of the method for monitoring instant messaging data according to the present invention.
In order to further describe the method for monitoring instant messaging data provided by the present invention, the following description will be made with reference to fig. 4.
In an exemplary embodiment of the present invention, as can be seen in fig. 4, the method for monitoring instant messaging data may include steps 410 to 460, and each step will be described below.
In step 410, a database file of the instant messaging application is looked up.
In step 420, the obfuscated key is looked up from memory.
In one embodiment, the obfuscated key has a feature, which may be characterized by a preset identifier. In the application process, the process memory of the instant messaging application is scanned based on the process handle, and a plurality of candidate data can be obtained, where the candidate data may include the obfuscated key. The obfuscated key can then be obtained by screening the plurality of candidate data based on the preset identifier. The preset identifier may be determined according to the actual situation and is not specifically limited in this embodiment.
In step 430, the obfuscated key is restored to the decryption key.
In one embodiment, the obfuscated key may be decrypted based on a reverse technique to obtain a decryption key. Further, the encrypted target database is decrypted based on the decryption key, so that instant messaging data can be obtained.
In step 440, the database file is decrypted based on the decryption key to obtain instant messaging data.
In step 450, cached audio, video, pictures and documents are looked up based on the instant messaging data.
In step 460, the communication information of the instant messaging application is restored based on the audio, video, picture and document.
In one embodiment, the instant communication data may be path data corresponding to the target storage path. In the application process, in order to save space, instead of storing the communication information (corresponding to the chat record or the chat content) in the target database, a storage path storing the communication information is stored, and then the corresponding communication information can be found based on the storage path. In other words, when the instant messaging data is path data corresponding to a storage path of the communication information, the instant messaging data may be first parsed to obtain a target storage path corresponding to the instant messaging data, and further, the communication information generated when the instant messaging application performs the communication of the information may be found based on the target storage path. According to the embodiment, the communication information of the audio, video, pictures, documents and other file formats generated by the user based on the instant messaging application can be obtained, and further chat behaviors of the user based on the instant messaging application can be monitored in real time.
According to the above description, the method for monitoring instant messaging data provided by the invention obtains the decryption key of the instant messaging application to be decrypted based on the reverse technology, and decrypts the target database based on the decryption key, so that the instant messaging data can be stably and conveniently obtained, and a foundation is laid for monitoring the instant messaging behavior of the user based on the instant messaging data in real time.
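The key-lookup step above depends on another process opening the messaging client with memory-read access, which is observable on the endpoint. The following Python sketch is an added defensive illustration, not part of the patent: it assumes a Windows host with Sysmon-style ProcessAccess (Event ID 10) telemetry flattened to key=value lines, and the executable name `im_client.exe`, the allowlist and the log lines are all constructed for the example.

```python
import ntpath
import re

# Windows access right required to read another process's memory.
PROCESS_VM_READ = 0x0010

# Assumptions for this example (hypothetical, not taken from the patent text).
PROTECTED_IMAGES = {"im_client.exe"}      # executable name of the messaging client
ALLOWED_SOURCES = {                       # processes expected to open the client
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\edr\agent.exe",
}

# Constructed sample telemetry: Sysmon Event ID 10 field names, simplified layout.
SAMPLE_EVENTS = r"""
UtcTime="2023-04-06 08:00:01" SourceImage="C:\Windows\System32\csrss.exe" TargetImage="C:\Apps\IM\im_client.exe" GrantedAccess=0x1FFFFF
UtcTime="2023-04-06 08:00:05" SourceImage="C:\Apps\IM\im_client.exe" TargetImage="C:\Apps\IM\im_client.exe" GrantedAccess=0x1410
UtcTime="2023-04-06 08:02:17" SourceImage="C:\Users\u\AppData\Local\Temp\collector.exe" TargetImage="C:\Apps\IM\im_client.exe" GrantedAccess=0x1410
UtcTime="2023-04-06 08:03:40" SourceImage="C:\Tools\updater.exe" TargetImage="C:\Apps\IM\im_client.exe" GrantedAccess=0x1000
UtcTime="2023-04-06 08:04:02" SourceImage="C:\Users\u\AppData\Local\Temp\collector.exe" TargetImage="C:\Windows\notepad.exe" GrantedAccess=0x1FFFFF
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
REQUIRED = {"SourceImage", "TargetImage", "GrantedAccess"}


def parse_event(line):
    """Turn one key=value line into a dict; GrantedAccess becomes an int mask."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    if "GrantedAccess" in fields:
        fields["GrantedAccess"] = int(fields["GrantedAccess"], 16)
    return fields


def suspicious_reads(lines):
    """Return events where a non-allowlisted process gained memory-read access
    to a protected messaging client."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = parse_event(line)
        except ValueError:
            continue  # malformed access mask: skip rather than guess
        if not REQUIRED <= event.keys():
            continue
        source = event["SourceImage"].lower()
        target = event["TargetImage"].lower()
        if ntpath.basename(target) not in PROTECTED_IMAGES:
            continue  # target is not the protected client
        if not event["GrantedAccess"] & PROCESS_VM_READ:
            continue  # handle cannot read memory
        if source == target or source in ALLOWED_SOURCES:
            continue  # self-access or expected system/security tooling
        findings.append(event)
    return findings


if __name__ == "__main__":
    for hit in suspicious_reads(SAMPLE_EVENTS.splitlines()):
        print(hit["UtcTime"], hit["SourceImage"], hex(hit["GrantedAccess"]))
```

The allowlist is the part that needs tuning per environment; legitimate security agents and system processes routinely request broad access masks.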
Based on the same conception, the invention also provides a device for monitoring the instant messaging data.
The following describes the instant messaging data monitoring device provided by the invention, and the instant messaging data monitoring device described below and the instant messaging data monitoring method described above can be referred to correspondingly.
Fig. 5 is a schematic structural diagram of an instant messaging data monitoring device provided by the invention.
In an exemplary embodiment of the present invention, as can be seen in fig. 5, the monitoring device for instant messaging data may include a first module 510 and a second module 520, and each module will be described below.
The first module 510 may be configured to determine an instant messaging application to be decrypted, and obtain a decryption key of the instant messaging application to be decrypted based on a reverse technique;
the second module 520 may be configured to decrypt a target database based on the decryption key to obtain instant messaging data, where the target database is a database storing instant messaging data to be decrypted.
In yet another exemplary embodiment of the present invention, the first module 510 may obtain the decryption key of the instant messaging application to be decrypted based on the reverse technique in the following manner:
under the condition of opening the target database, checking a call stack corresponding to the target database;
determining an encryption function in the call stack, wherein the encryption function is a function of key information comprising a decryption key;
and obtaining the decryption key of the instant messaging application to be decrypted through decompilation based on the encryption function.
In an exemplary embodiment of the present invention, the first module 510 may be further configured to:
acquiring a memory of the instant messaging application to be decrypted, wherein the memory stores an obfuscated key, and the obfuscated key is the key corresponding to the decryption key after obfuscation processing;
scanning the memory to obtain the obfuscated key;
the first module 510 may obtain the decryption key of the instant messaging application to be decrypted based on the reverse technique in the following manner:
determining a target position of the obfuscated key in the target database, wherein the target position stores key restoration algorithm information of the obfuscated key, and the key restoration algorithm is a restoration algorithm for restoring the obfuscated key to the decryption key;
decompiling the key restoration algorithm of the obfuscated key based on the target position;
and obtaining the decryption key based on the key restoration algorithm and the obfuscated key.
In an exemplary embodiment of the present invention, the key restoration algorithm further includes salting rule information describing the salting of the decryption key to obtain the obfuscated key; the first module 510 may also be configured to:
acquiring a random salt value, stored in the target database, corresponding to the obfuscated key;
the first module 510 may obtain the decryption key based on the key restoration algorithm and the obfuscated key in the following manner:
and restoring the decryption key through the salting rule information in the key restoration algorithm, based on the random salt value and the obfuscated key.
In an exemplary embodiment of the present invention, the second module 520 may decrypt the target database based on the decryption key to obtain the instant communication data in the following manner:
under the condition that the writing of new data into the target database is monitored, decrypting the new data in the target database in real time based on a decryption key to obtain decrypted data corresponding to the new data;
and obtaining instant communication data in real time based on the decrypted data.
In an exemplary embodiment of the present invention, the instant communication data includes chat log data;
the second module 520 may also be configured to:
analyzing the instant messaging data to obtain chat records corresponding to the instant messaging data and having different file formats, wherein the file formats at least comprise one or more of picture formats, text formats, video formats and audio formats, and the chat records are information records generated by a user based on information exchange of the instant messaging application to be decrypted.
In an exemplary embodiment of the present invention, the instant messaging data includes a target storage path;
the second module 520 may also be configured to:
analyzing the instant messaging data to obtain a target storage path corresponding to the instant messaging data;
and searching chat records generated when the instant messaging application to be decrypted exchanges information based on the target storage path, wherein the target storage path is a storage path of the chat records generated when the user exchanges information based on the instant messaging application to be decrypted.
In an exemplary embodiment of the present invention, the target database includes a plurality of pages of data files, each page of data file being individually encrypted;
the second module 520 may decrypt the target database based on the decryption key to obtain instant communication data in the following manner:
decrypting each page of data file in the target database based on the decryption key to obtain decrypted data of each page;
and obtaining instant communication data based on the decrypted data of each page.
Fig. 6 illustrates a physical schematic diagram of an electronic device, as shown in fig. 6, which may include: processor 610, communication interface (Communications Interface) 620, memory 630, and communication bus 640, wherein processor 610, communication interface 620, and memory 630 communicate with each other via communication bus 640. The processor 610 may invoke logic instructions in the memory 630 to perform a method of monitoring instant messaging data, the method comprising: determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted based on a reverse technology; and decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database for storing the instant messaging data to be decrypted.
Further, the logic instructions in the memory 630 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
In another aspect, the present invention also provides a computer program product, where the computer program product includes a computer program, where the computer program can be stored on a non-transitory computer readable storage medium, and when the computer program is executed by a processor, the computer can execute a method for monitoring instant messaging data provided by the above methods, and the method includes: determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted based on a reverse technology; and decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database for storing the instant messaging data to be decrypted.
In yet another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, is implemented to perform a method of monitoring instant messaging data provided by the above methods, the method comprising: determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted based on a reverse technology; and decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database for storing the instant messaging data to be decrypted.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
It will further be appreciated that although operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (11)

1. A method for monitoring instant messaging data, the method comprising:
determining an instant messaging application to be decrypted, and obtaining a decryption key of the instant messaging application to be decrypted based on a reverse technology;
and decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database for storing the instant messaging data to be decrypted.
2. The method for monitoring instant messaging data according to claim 1, wherein the obtaining the decryption key of the instant messaging application to be decrypted based on the reverse technology specifically comprises:
checking a call stack corresponding to the target database under the condition of opening the target database;
determining an encryption function in the call stack, wherein the encryption function is a function containing key information of the decryption key;
and obtaining the decryption key of the instant messaging application to be decrypted through decompilation based on the encryption function.
3. The method for monitoring instant messaging data according to claim 1, wherein before the obtaining the decryption key of the instant messaging application to be decrypted based on the reverse technique, the method further comprises:
acquiring a memory of the instant messaging application to be decrypted, wherein the memory stores an obfuscated key, and the obfuscated key is the key corresponding to the decryption key after obfuscation processing;
scanning the memory to obtain the obfuscated key;
the obtaining the decryption key of the instant messaging application to be decrypted based on the reverse technology specifically comprises the following steps:
determining a target position of the obfuscated key in the target database, wherein the target position stores key restoration algorithm information of the obfuscated key, and the key restoration algorithm is a restoration algorithm for restoring the obfuscated key to the decryption key;
decompiling the key restoration algorithm of the obfuscated key based on the target position;
and obtaining the decryption key based on the key restoration algorithm and the obfuscated key.
4. The method for monitoring instant messaging data according to claim 3, wherein the key restoration algorithm further comprises salting rule information describing the salting of the decryption key to obtain the obfuscated key; before the obtaining the decryption key based on the key restoration algorithm and the obfuscated key, the method further includes:
acquiring a random salt value, stored in the target database, corresponding to the obfuscated key;
the obtaining the decryption key based on the key restoration algorithm and the obfuscated key specifically includes:
and restoring the decryption key through the salting rule information in the key restoration algorithm, based on the random salt value and the obfuscated key.
5. The method for monitoring instant messaging data according to claim 1, wherein decrypting the target database based on the decryption key to obtain instant messaging data comprises:
under the condition that the writing of new data into the target database is monitored, decrypting the new data in the target database in real time based on the decryption key to obtain decrypted data corresponding to the new data;
and obtaining the instant communication data in real time based on the decrypted data.
6. The method for monitoring instant messaging data according to claim 1, wherein the instant messaging data comprises chat log data; after the instant communication data is obtained, the method further comprises the following steps:
analyzing the instant messaging data to obtain chat records corresponding to the instant messaging data and having different file formats, wherein the file formats at least comprise one or more of a picture format, a text format, a video format and an audio format, and the chat records are information records generated by a user based on information exchange of the instant messaging application to be decrypted.
7. The method for monitoring instant messaging data according to claim 1, wherein the instant messaging data comprises a target storage path; after the instant communication data is obtained, the method further comprises the following steps:
analyzing the instant messaging data to obtain the target storage path corresponding to the instant messaging data;
and searching chat records generated by the instant messaging application to be decrypted when information is exchanged based on the target storage path, wherein the target storage path is a storage path of the chat records generated by the user when the information is exchanged based on the instant messaging application to be decrypted.
8. The method for monitoring instant messaging data according to claim 1, wherein the target database comprises a plurality of pages of data files, each page of data file being obtained by encrypting separately;
decrypting the target database based on the decryption key to obtain instant messaging data, wherein the method specifically comprises the following steps:
decrypting each page of the data file in the target database based on the decryption key to obtain decrypted data of each page;
and obtaining the instant communication data based on the decrypted data of each page.
9. An apparatus for monitoring instant messaging data, the apparatus comprising:
the first module is used for determining the instant messaging application to be decrypted and obtaining a decryption key of the instant messaging application to be decrypted based on a reverse technology;
and the second module is used for decrypting the target database based on the decryption key to obtain instant messaging data, wherein the target database is a database for storing the instant messaging data to be decrypted.
10. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of monitoring instant messaging data as claimed in any one of claims 1 to 8 when the program is executed by the processor.
11. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the method of monitoring instant messaging data according to any of claims 1 to 8.
CN202310373274.4A 2023-04-06 2023-04-06 Method and device for monitoring instant messaging data, electronic equipment and storage medium Pending CN116527616A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310373274.4A CN116527616A (en) 2023-04-06 2023-04-06 Method and device for monitoring instant messaging data, electronic equipment and storage medium


Publications (1)

Publication Number Publication Date
CN116527616A true CN116527616A (en) 2023-08-01

Family

ID=87389497


Country Status (1)

Country Link
CN (1) CN116527616A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination