CN116702120A - Application detection method, device, equipment and storage medium - Google Patents
Application detection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN116702120A CN116702120A CN202310715817.6A CN202310715817A CN116702120A CN 116702120 A CN116702120 A CN 116702120A CN 202310715817 A CN202310715817 A CN 202310715817A CN 116702120 A CN116702120 A CN 116702120A
- Authority
- CN
- China
- Prior art keywords
- application
- information
- data storage
- detected
- dynamic library
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 31
- 238000013500 data storage Methods 0.000 claims abstract description 155
- 238000000034 method Methods 0.000 claims abstract description 23
- 238000012545 processing Methods 0.000 claims description 12
- 238000004891 communication Methods 0.000 claims description 4
- 230000008569 process Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 7
- 239000000243 solution Substances 0.000 description 7
- 230000004044 response Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000004590 computer program Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 238000005336 cracking Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 238000002347 injection Methods 0.000 description 1
- 239000007924 injection Substances 0.000 description 1
- 239000011229 interlayer Substances 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
Abstract
The embodiment of the invention provides an application detection method, an application detection device, application detection equipment and a storage medium, wherein the method comprises the following steps: acquiring first dynamic library information of an application to be detected; and if the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining the application to be detected as an unauthorized application, wherein the application to be detected is identical with the application identification information of the authorized application. If the first dynamic library information is matched with the second dynamic library information, acquiring first application data storage information of the application to be detected; and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application. The method and the device can determine whether the application to be detected is an unauthorized application or not by comparing the dynamic library information of the application to be detected and the authorized application with the application data storage information.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an application detection method, apparatus, device, and storage medium.
Background
iOS is a mobile operating system developed by apple inc. Based on the characteristic that the iOS is not open, an Application (APP) running on an iOS system, namely the APP of the iOS version, has higher security, and can better guarantee the information security of a user.
However, with the development of the reverse iOS technology, the structure, flow, algorithm, code and the like of the target file of the APP can be deduced from the functions and behaviors of the APP through a series of technical means such as unshelling, run-time analysis, static analysis, dynamic debugging, hook, injection and the like, so that the APP is cracked. And then, modifying the APP under the condition that the APP manufacturer authorization is not obtained, and publishing the modified APP. These unauthorized APPs, known as hacked APPs, induce users to download by masquerading to a similar form to APPs authorized by the manufacturer (e.g., APPs published by the manufacturer official website, APPs on top of APP store), and steal users' private information during use by the users. On the one hand, the use of unauthorized APP can threaten the information security of users, and on the other hand, users infringe the rights and interests of APP manufacturers. Therefore, how to identify whether the iOS version of APP used by the user is an unauthorized APP becomes a problem to be solved.
Disclosure of Invention
The embodiment of the invention provides an application detection method, an application detection device, application detection equipment and a storage medium, which are used for identifying unauthorized applications and guaranteeing user information security.
In a first aspect, an embodiment of the present invention provides an application detection method, where the method includes:
acquiring first dynamic library information of an application to be detected;
if the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining that the application to be detected is an unauthorized application; the application to be detected is identical to the application identification information of the authorized application;
if the first dynamic library information is matched with the second dynamic library information, acquiring first application data storage information of the application to be detected;
and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application.
In a second aspect, an embodiment of the present invention provides an application detection apparatus, including:
the first acquisition module is used for acquiring first dynamic library information of an application to be detected;
the first processing module is used for determining that the application to be detected is an unauthorized application if the first dynamic library information is not matched with the second dynamic library information of the authorized application; the application to be detected is identical to the application identification information of the authorized application;
the second acquisition module is used for acquiring the first application data storage information of the application to be detected if the first dynamic library information is matched with the second dynamic library information;
and the second processing module is used for determining the application to be detected as an unauthorized application if the first application data storage information is not matched with the second application data storage information of the authorized application.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a memory, a processor, a communication interface; wherein the memory has executable code stored thereon, which when executed by the processor, causes the processor to at least implement the application detection method as described in the first aspect.
In a fourth aspect, embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code, which when executed by a processor of an electronic device, causes the processor to at least implement an application detection method as described in the first aspect.
In the scheme provided by the embodiment of the invention, when judging whether the software to be detected is an unauthorized application, acquiring first dynamic library information of the application to be detected; and if the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining the application to be detected as an unauthorized application, wherein the application to be detected is identical with the application identification information of the authorized application. If the first dynamic library information is matched with the second dynamic library information, acquiring first application data storage information of the application to be detected; and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application. Since unauthorized applications typically modify the application information to obtain user information after cracking the authorized applications, some information of the authorized applications is unchanged after the package is generated, such as dynamic library information and application data storage information. Thus, by comparing the dynamic library information of the application to be detected with the authorized application and the application data storage information, it is possible to determine whether the application to be detected is an unauthorized application. In addition, because the information amount of the dynamic library information is less and the modification is easy to occur, whether the first dynamic library information of the application to be detected is matched with the second dynamic library information of the authorized application is judged, and the efficiency of judging whether the software to be detected is an unauthorized application can be improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of an application detection method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a dynamic library information according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of an application data storage information according to an embodiment of the present invention;
FIG. 4 is a flowchart of a method for matching application data storage information according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an application detection device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an electronic device corresponding to the application detection apparatus provided in the embodiment shown in fig. 5.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, the "plurality" generally includes at least two, but does not exclude the case of at least one.
In addition, the sequence of steps in the method embodiments described below is only an example and is not strictly limited.
Before describing the application detection method provided by the embodiment of the invention, the following concepts will be described.
Authorized application refers to software that has been authorized by an acquired manufacturer (i.e., the application copyright owner), and that is legally used, also known as copyrighted software. Such as: an application which is released by a factory official website and is developed by the user, an application which is put on shelf in an apple software Store App Store and is authorized by the factory, and the like.
Unauthorized application refers to software that is not authorized by the manufacturer and is used illegally, also known as hacking software. For example, the authorized application is cracked through the iOS reverse technology, and the application is modified under the condition that the authorized application is not authorized by a manufacturer.
In this embodiment, the unauthorized application is obtained by modifying the authorized application, where the modification is to illegally obtain some application data, such as: user information, etc. For a certain application X developed by a manufacturer, the unauthorized application X' has a certain similarity with the corresponding authorized application X, and in colloquial, the unauthorized application is disguised into the authorized application, so that a user can install and use the unauthorized application under the condition that the user cannot identify the unauthorized application as the unauthorized application. In the process that the user uses the unauthorized application, the unauthorized application obtains the information of the user and threatens the information security of the user.
In practice, unauthorized applications typically modify the dynamic library of authorized applications, i.e., the dynamic link library (Dynamic Link Library), in order to be able to obtain application data. In order to transfer the acquired application data to the corresponding server, the application data is usually required to be stored locally, such as in a mobile phone; then, transmitting the application data to the transit application through an established local data transmission channel between the unauthorized application and other applications (called transit applications); and finally, transmitting the application data to the corresponding server by the transit application through the network interface. That is, in the implementation process, in order to obtain application data such as user information, an unauthorized application typically modifies dynamic library information, application data storage information, and the like of the authorized application.
In this embodiment, the dynamic library information includes the name and number of dynamic libraries. The application data storage information includes names of a plurality of folders for storing application data and names of files contained in the plurality of folders, respectively, and describes a storage location and a storage content of the application data.
However, after the application developed by the manufacturer is packaged and generated into the program package, the corresponding dynamic library information, the storage information of the application data and the like are always fixed, that is, the dynamic library information of the authorized application, the storage information of the application data and the like are determined. Such as: some authorized application can determine that the dynamic library corresponding to i different names is stored in four folders Documents, library, systemData and temp during the running process, and the content contained in each file is determined, for example, the following files are stored in the folder Documents: database, db, picture, png, table, xml, table, plist.
Based on the characteristics of the authorized application and the unauthorized application, the scheme determines whether the application to be detected is the unauthorized application by judging whether the application to be detected is matched with the dynamic library information of the authorized application and the application data storage information. The following is a detailed description of specific embodiments.
The application detection method provided by the embodiment of the invention can be executed by an electronic device, wherein the electronic device can be a terminal device such as a PC (personal computer), a notebook computer, a smart phone and the like, or can be a server, and the server can be a physical server comprising an independent host, or can be a virtual server, or can be a cloud server or a server cluster.
Fig. 1 is a flowchart of an application detection method according to an embodiment of the present invention, as shown in fig. 1, may include the following steps:
101. and acquiring first dynamic library information of the application to be detected.
102. If the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining that the application to be detected is an unauthorized application; the application to be detected is identical to the application identification information of the authorized application.
103. And if the first dynamic library information is matched with the second dynamic library information, acquiring first application data storage information of the application to be detected.
104. And if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application.
In this embodiment, the purpose of application detection is to: and judging whether the application to be detected is an unauthorized application or not. If the application to be detected is an unauthorized application, the application to be detected can be marked with unauthorized information and fed back to a user or a manufacturer in time, so that the use of the application to be detected is terminated, and the leakage of information of the user is avoided.
In this embodiment, for convenience of description, the dynamic library information and the application data storage information of the application to be detected are referred to as first dynamic library information and first application data storage information; the dynamic library information and the application data storage information of the authorized application are referred to as second dynamic library information and second application data storage information. When judging whether the first dynamic library information of the application to be detected and the first application data storage information are matched with the second dynamic library information of the authorized application and the second application data, the first dynamic library information of the application to be detected is acquired firstly and matched with the second dynamic library information of the authorized application when judging in order to improve the efficiency of judging whether the software to be detected is an unauthorized application because the data size of the dynamic library information is generally smaller than that of the application data storage information. And under the condition that the dynamic library information matching result cannot determine that the application to be detected is an unauthorized application, acquiring first application data storage information of the application to be detected, and matching second application data storage information with second application data storage information of the authorized application so as to determine whether the application to be detected is an unauthorized application.
Optionally, after the first dynamic library information and the first application data storage information of the application to be detected are acquired, the first dynamic library information and the second dynamic library information, and the first application data storage information and the second application data storage information are simultaneously matched, and whether the application to be detected is an unauthorized application or not is determined according to a matching result.
In the implementation process, the dynamic library needs to be loaded when the application is started. Thus, alternatively, in response to the start of the application to be detected, the name of the dynamic library may be read during the process of loading the dynamic library, so as to obtain the first dynamic library information of the application to be detected. Wherein the first dynamic library information comprises: name and number of dynamic libraries.
The first application data storage information of the application to be detected comprises: names of a plurality of folders for storing application data and names of files contained in the plurality of folders, respectively. The application data storage information describes a storage location and a storage content of the application data. It will be appreciated that if during the start-up of an application, the build thread traverses each folder for storing application data step by step starting from the root folder of the application data store, this may have an impact on the start-up of the application, such as increasing the start-up time, etc. Therefore, in order to ensure normal use of the application to be detected, optionally, a thread may be established to monitor the working state of the application to be detected, and in response to monitoring that the application to be detected is in an idle state, the first application data storage information of the application to be detected is acquired.
In this embodiment, the second dynamic library information of the authorized application and the second application data storage information are obtained in the same manner as the application to be detected, and in this embodiment, no further description is given. Alternatively, the dynamic library information and the application data storage information in the present embodiment may be stored in the form of a target table.
In practical applications, the second dynamic library information and the second application data storage information of the plurality of authorized applications may be acquired and stored in advance. When detecting the application to be detected, selecting the authorized application which is the same as the application identification information of the application to be detected from the prestored authorized applications according to the application identification information of the application to be detected, namely the unique identification information of the application. It will be appreciated that there is a version update of the application during use, and that there may be a distinction between the second dynamic library information and the second application data store information corresponding to different versions of authorized applications. Therefore, the application version information is included in the application identification information in the present embodiment.
In the implementation process, if the dynamic library names in the first dynamic library information are inconsistent with the dynamic library names in the second dynamic library information and/or the number of the dynamic libraries in the first dynamic library information is inconsistent with the number of the dynamic libraries in the second dynamic library information, the first dynamic library information is not matched with the second dynamic library information, and the application to be detected is determined to be an unauthorized application.
Fig. 2 is a schematic diagram of dynamic library information provided in an embodiment of the present invention, where, as shown in fig. 2, application identification information of an application to be detected and application authorized are the same, and are both 1.1.1. It is assumed that the first dynamic library information of the application to be detected includes 3 dynamic libraries, the names of which are dynamic library a, dynamic library b and dynamic library c, respectively, and the second dynamic library information of the authorized application includes 3 dynamic libraries, the names of which are dynamic library a, dynamic library b and dynamic library c', respectively. When the first dynamic library information and the second dynamic library information shown in fig. 2 are matched, the first dynamic library information contains the dynamic library c but does not contain the dynamic library c ', namely, the names of the dynamic library c and the dynamic library c' are inconsistent, and the first dynamic library information and the second dynamic library information shown in fig. 2 are determined to be not matched, so that the application to be detected is an unauthorized application.
It can be understood that, assuming that the first dynamic library information of the application to be detected in fig. 2 includes 3 dynamic libraries, the names of which are respectively dynamic library a, dynamic library b and dynamic library c', since the number of dynamic libraries and the names of dynamic libraries in the first dynamic library information are the same as those of the second dynamic library information, the first dynamic library information is considered to be matched with the second dynamic library information. Further, it is necessary to determine whether the application to be detected is an unauthorized application according to the application data storage information.
In the implementation process, if names of a plurality of folders in the first application data storage information are inconsistent with names of a plurality of folders in the second application data storage information, and/or names of files contained in a first target folder in the first application data storage information are inconsistent with names of files contained in a second target folder in the second application data storage information, determining that the application to be detected is an unauthorized application; the first target folder is any one folder of a plurality of folders corresponding to the first application data storage information, and the second target folder is a folder matched with the first target folder in the plurality of folders corresponding to the second application data storage information.
For ease of understanding, fig. 3 is a schematic diagram of application data storage information provided in an embodiment of the present invention, where application identification information of an application to be detected and application authorized are the same, and are both 1.1.1. Suppose that the first application data storage information of the application to be detected contains 3 folders, the names of which are folder 1, folder 1-1 and folder 1-2 respectively, wherein the folder 1 contains a file 1-1, the folder 1-1 contains a file 1-1-1, and the folder 1-2 contains a file 1-2-1 and a file 1-2-2; the second application data storage information of the authorized application also comprises 3 folders, the names of which are folder 1, folder 1-1 and folder 1-2 respectively, wherein the folder 1 comprises a file 1-1, the folder 1-1 comprises a file 1-1-1, and the folder 1-2 comprises a file 1-2-1.
When matching the first application data storage information and the second application data storage information shown in fig. 3, since the names of the 3 folders respectively contained therein are identical, further matching of the file names contained in each folder is required. It should be noted that, the first target folder corresponds to the second target folder, and it may be understood that the name of the first target folder is the same as the name of the second target folder, for example: if the first target folder in the first application data storage information is the folder 1-2, the second target folder in the second application data storage information is the folder 1-2. In the case illustrated in fig. 3, since the names of the files included in the folder 1-2 in the first application data storage information are the files 1-2-1, the files 1-2-2, the names of the files included in the folder 1-2 in the second application data storage information are the files 1-2-1, and the names of the files in the two folders are inconsistent, it is determined that the first application data storage information and the second application data storage information shown in fig. 3 are not matched, and the application to be detected is an unauthorized application.
It can be understood that, assuming that the first application data storage information of the application to be detected in fig. 3 includes 3 folders, the names of which are respectively folder 1, folder 1-1 and folder 1-2, where folder 1 includes folder 1-1, folder 1-1-1 and folder 1-2-1, and that the first application data storage information and the second application data storage information include folder 1-2-1, the names of the files included in each folder are identical, and the names of the first application data storage information and the second application data storage information are considered to be matched, and the application to be detected is determined to be an authorized application.
It is readily understood that there is a hierarchical relationship between folders, such as: and if the folder a contains the folder b and the folder c, the folder a is considered to be the folder of the upper level of the folder b and the folder c, and the folder b and the folder c are the same level of the folder.
Optionally, the application data storage information in this embodiment further includes a hierarchical relationship between a plurality of folders. Based on the hierarchical relationship between folders, it is possible to compare whether the folder names in the first application data storage information and the second application data storage information and the names of the files contained in the folders are identical in order of the level of the folders from high to low. In the comparison process, if the folder names are inconsistent or the file names are inconsistent, the application to be detected can be considered to be an unauthorized application, so that the application detection efficiency can be accelerated. The following is a description with reference to fig. 4.
Fig. 4 is a flowchart of a method for matching application data storage information according to an embodiment of the present invention, as shown in fig. 4, where the method includes the following steps:
401. determining storage paths corresponding to a plurality of folders corresponding to the first application data storage information respectively according to the hierarchical relationship among the plurality of folders corresponding to the first application data storage information and the names of the plurality of folders; and determining storage paths corresponding to the folders corresponding to the second application data storage information according to the hierarchical relationship among the folders corresponding to the second application data storage information and the names of the folders.
For ease of understanding, assuming that the first application data storage information includes 3 folders, the names of which are folder 1, folder 1-1, and folder 1-2, respectively, and that folder 1 includes folder 1-1 and folder 1-2, that is, folder 1 is the previous-level folder of folders 1-1 and 1-2, the storage path of folder 1-1 may be denoted as "folder 1> folder 1-1", and the storage path of folder 1-2 may be denoted as "folder 1> folder 1-2".
402. A first target folder is determined from the first application data store information.
The first target folder is the folder with the highest folder level in the folders which are not compared (i.e. matched) with the second application data storage information in the first application data storage information. Such as: if the folders in the first application data storage information are not compared with the folders in the second application data storage information, the first target folder is the highest-level folder in the plurality of folders contained in the first application data storage information, namely the root folder of the application data storage. If more than one folder is at the same level, one may be randomly selected as the first target folder.
403. And determining whether a second target folder which is the same as the storage path of the first target folder exists in the second application data storage information according to the storage paths corresponding to the first target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information.
The storage paths of the second target folder and the first target folder are the same, namely the second target folder and the first target folder correspond to the same folder level and the same folder name.
404. If the second target folder does not exist, determining that the application to be detected is an unauthorized application; and if the second target folder exists and the names of the files contained in the first target folder are inconsistent with the names of the files contained in the second target folder, determining that the application to be detected is an unauthorized application.
It can be understood that if the second application data storage information does not have the corresponding second target folder, it indicates that the second application data storage information does not include a folder with the same level and the same name as the first target folder, and the first application data storage information and the second application data storage information are not matched, and the application to be detected is an unauthorized application.
If the second application data storage information contains the corresponding second target folder, further judging whether the names of the files contained in the first target folder are consistent with the names of the files contained in the second target folder. If the first application data storage information and the second application data storage information are not consistent, determining that the first application data storage information and the second application data storage information are not matched, and the application to be detected is an unauthorized application.
405. If the names of the files contained in the first target folder are consistent with the names of the files contained in the second target folder, determining a third target folder from the first application data storage information, wherein the third target folder is the next-level folder or the same-level folder of the first target folder.
The third target file is determined in a similar manner to the first target file, and is the folder with the highest folder level in the folders which are not compared with the second application data storage information in the first application data storage information. For example, suppose that the first application data storage information includes 3 folders, which are named folder 1, folder 1-1, and folder 1-2, respectively, wherein folder 1 includes folder 1-1 and folder 1-2. If the first target folder is folder 1, the third target folder may be folder 1-1 or folder 1-2; if the first target folder is folder 1-1, the third target folder is folder 1-2.
406. Determining a fourth target folder which is the same as the storage path of the third target folder from the second application data storage information according to the storage path corresponding to the third target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information; and if the names of the files contained in the third target folder are inconsistent with the names of the files contained in the fourth target folder, determining that the application to be detected is an unauthorized application.
By the application data storage information matching method shown in fig. 4, folder names in the first application data storage information and the second application data storage information and names of files contained in the folders can be compared one by one according to a sequence from high to low file interlayer level, and the application to be detected is determined to be an unauthorized application until the folder names or the folder names are inconsistent, or the application to be detected is determined to be an authorized application until the first application data storage information does not have the unmatched folder.
In the scheme, whether the application to be detected is an unauthorized application or not can be determined by the first dynamic library information and the first application data storage information of the application to be detected, and the second dynamic library information and the second application data storage information of the authorized application, so that a user can be timely reminded when the application to be detected is identified as the unauthorized application, and the information safety of the user is ensured.
The application detection apparatus of one or more embodiments of the present invention will be described in detail below. Those skilled in the art will appreciate that these means may be configured by the steps taught by the present solution using commercially available hardware components.
Fig. 5 is a schematic structural diagram of an application detection device according to an embodiment of the present invention, as shown in fig. 5, where the device includes: a first acquisition module 11, a first processing module 12, a second acquisition module 13, a second processing module 14.
The first obtaining module 11 is configured to obtain first dynamic library information of an application to be detected.
A first processing module 12, configured to determine that the application to be detected is an unauthorized application if the first dynamic library information does not match the second dynamic library information of the authorized application; the application to be detected is identical to the application identification information of the authorized application.
And the second obtaining module 13 is configured to obtain the first application data storage information of the application to be detected if the first dynamic library information is matched with the second dynamic library information.
And a second processing module 14, configured to determine that the application to be detected is an unauthorized application if the first application data storage information does not match the second application data storage information of the authorized application.
Optionally, the first dynamic library information and the second dynamic library information each include a dynamic library name and a dynamic library number. The first processing module 12 is specifically configured to determine that the application to be detected is an unauthorized application if the dynamic library name in the first dynamic library information is inconsistent with the dynamic library name in the second dynamic library information of the authorized application, and/or the number of dynamic libraries in the first dynamic library information is inconsistent with the number of dynamic libraries in the second dynamic library information.
Optionally, the application data storage information includes names of a plurality of folders for storing application data and names of files respectively contained in the plurality of folders. The second processing module 14 is specifically configured to determine that the application to be detected is an unauthorized application if names of a plurality of folders in the first application data storage information are inconsistent with names of a plurality of folders in the second application data storage information of the authorized application, and/or names of files included in a first target folder in the first application data storage information are inconsistent with names of files included in a second target folder in the second application data storage information of the authorized application; the first target folder is any one of a plurality of folders corresponding to the first application data storage information, and the second target folder is a folder matched with the first target folder in a plurality of folders corresponding to the second application data storage information.
Optionally, the first application data storage information and the second application data storage information each further include a hierarchical relationship between a corresponding plurality of folders. The second processing module 14 is further specifically configured to determine storage paths corresponding to a plurality of folders corresponding to the first application data storage information according to a hierarchical relationship between the plurality of folders corresponding to the first application data storage information and names of the plurality of folders; determining storage paths corresponding to a plurality of folders corresponding to the second application data storage information respectively according to the hierarchical relationship among the plurality of folders corresponding to the second application data storage information and the names of the plurality of folders; determining a first target folder from the first application data storage information; determining whether a second target folder which is the same as the storage path of the first target folder exists in second application data storage information according to the storage paths corresponding to the first target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information; if the second target folder does not exist, determining that the application to be detected is an unauthorized application; and if the second target folder exists and the names of the files contained in the first target folder are inconsistent with the names of the files contained in the second target folder, determining that the application to be detected is an unauthorized application.
Optionally, the second processing module 14 is further specifically configured to determine a third target folder from the first application data storage information if the name of the file included in the first target folder is consistent with the name of the file included in the second target folder, where the third target folder is a next-level folder or the same-level folder of the first target folder; determining a fourth target folder which is the same as the storage path of the third target folder from the second application data storage information according to the storage path corresponding to the third target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information; and if the names of the files contained in the third target folder are inconsistent with the names of the files contained in the fourth target folder, determining that the application to be detected is an unauthorized application.
Optionally, the first obtaining module 11 is specifically configured to obtain, in response to the start of the application to be detected, first dynamic library information of the application to be detected.
Optionally, the second obtaining module 13 is specifically configured to obtain, in response to monitoring that the application to be detected is in an idle state, first application data storage information of the application to be detected.
Optionally, the application identification information includes: version information is applied.
The apparatus shown in fig. 5 may perform the steps described in the foregoing embodiments, and detailed execution and technical effects are referred to in the foregoing embodiments and are not described herein.
In one possible design, the structure of the application detection apparatus shown in fig. 5 may be implemented as an electronic device, as shown in fig. 6, where the electronic device may include: memory 21, processor 22, communication interface 23. Wherein the memory 21 has stored thereon executable code which, when executed by the processor 22, causes the processor 22 to at least implement the application detection method as provided in the previous embodiments.
Additionally, embodiments of the present invention provide a non-transitory machine-readable storage medium having stored thereon executable code that, when executed by a processor of an electronic device, causes the processor to at least implement an application detection method as provided in the previous embodiments.
The apparatus embodiments described above are merely illustrative, wherein the units described as separate components may or may not be physically separate. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by adding necessary general purpose hardware platforms, or may be implemented by a combination of hardware and software. Based on such understanding, the foregoing aspects, in essence and portions contributing to the art, may be embodied in the form of a computer program product, which may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (10)
1. An application detection method, comprising:
acquiring first dynamic library information of an application to be detected;
if the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining that the application to be detected is an unauthorized application; the application to be detected is identical to the application identification information of the authorized application;
if the first dynamic library information is matched with the second dynamic library information, acquiring first application data storage information of the application to be detected;
and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application.
2. The method of claim 1, wherein the first dynamic library information and the second dynamic library information each comprise a dynamic library name and a dynamic library number; and if the first dynamic library information is not matched with the second dynamic library information of the authorized application, determining that the application to be detected is an unauthorized application comprises the following steps:
and if the dynamic library names in the first dynamic library information are inconsistent with the dynamic library names in the second dynamic library information of the authorized application, and/or the number of the dynamic libraries in the first dynamic library information is inconsistent with the number of the dynamic libraries in the second dynamic library information, determining that the application to be detected is an unauthorized application.
3. The method according to claim 1, wherein the first application data storage information and the second application data storage information each include names of a plurality of folders for storing application data and names of files contained in the plurality of folders, respectively; and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application comprises:
if the names of the folders in the first application data storage information are inconsistent with the names of the folders in the second application data storage information of the authorized application, and/or the names of the files contained in the first target folder in the first application data storage information are inconsistent with the names of the files contained in the second target folder in the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application; the first target folder is any one of a plurality of folders corresponding to the first application data storage information, and the second target folder is a folder matched with the first target folder in a plurality of folders corresponding to the second application data storage information.
4. The method of claim 3, wherein the first application data store and the second application data store each further comprise a hierarchical relationship between a corresponding plurality of folders; and if the first application data storage information is not matched with the second application data storage information of the authorized application, determining that the application to be detected is an unauthorized application comprises:
determining storage paths respectively corresponding to a plurality of folders corresponding to the first application data storage information according to the hierarchical relationship among the plurality of folders corresponding to the first application data storage information and the names of the plurality of folders;
determining storage paths corresponding to a plurality of folders corresponding to the second application data storage information respectively according to the hierarchical relationship among the plurality of folders corresponding to the second application data storage information and the names of the plurality of folders;
determining a first target folder from the first application data storage information;
determining whether a second target folder which is the same as the storage path of the first target folder exists in second application data storage information according to the storage paths corresponding to the first target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information;
if the second target folder does not exist, determining that the application to be detected is an unauthorized application;
and if the second target folder exists and the names of the files contained in the first target folder are inconsistent with the names of the files contained in the second target folder, determining that the application to be detected is an unauthorized application.
5. The method according to claim 4, wherein the method further comprises:
if the names of the files contained in the first target folder are consistent with the names of the files contained in the second target folder, determining a third target folder from the first application data storage information, wherein the third target folder is the next-level folder or the same-level folder of the first target folder;
determining a fourth target folder which is the same as the storage path of the third target folder from the second application data storage information according to the storage path corresponding to the third target folder and the storage paths corresponding to the plurality of folders corresponding to the second application data storage information;
and if the names of the files contained in the third target folder are inconsistent with the names of the files contained in the fourth target folder, determining that the application to be detected is an unauthorized application.
6. The method according to any one of claims 1 to 5, wherein the obtaining the first dynamic library information of the application to be detected comprises:
responding to the starting of the application to be detected, and acquiring first dynamic library information of the application to be detected;
the obtaining the first application data storage information of the application to be detected includes:
and responding to the detection that the application to be detected is in an idle state, and acquiring first application data storage information of the application to be detected.
7. The method according to any one of claims 1 to 5, wherein the application identification information comprises: version information is applied.
8. An application detection apparatus, comprising:
the first acquisition module is used for acquiring first dynamic library information of an application to be detected;
the first processing module is used for determining that the application to be detected is an unauthorized application if the first dynamic library information is not matched with the second dynamic library information of the authorized application; the application to be detected is identical to the application identification information of the authorized application;
the second acquisition module is used for acquiring the first application data storage information of the application to be detected if the first dynamic library information is matched with the second dynamic library information;
and the second processing module is used for determining the application to be detected as an unauthorized application if the first application data storage information is not matched with the second application data storage information of the authorized application.
9. An electronic device, comprising: a memory, a processor, a communication interface; wherein the memory has stored thereon executable code which, when executed by the processor, causes the processor to perform the application detection method of any of claims 1 to 7.
10. A non-transitory machine-readable storage medium having stored thereon executable code which, when executed by a processor of an electronic device, causes the processor to perform the application detection method of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310715817.6A CN116702120A (en) | 2023-06-15 | 2023-06-15 | Application detection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310715817.6A CN116702120A (en) | 2023-06-15 | 2023-06-15 | Application detection method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116702120A true CN116702120A (en) | 2023-09-05 |
Family
ID=87830823
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202310715817.6A Pending CN116702120A (en) | 2023-06-15 | 2023-06-15 | Application detection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116702120A (en) |
-
2023
- 2023-06-15 CN CN202310715817.6A patent/CN116702120A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101310472B (en) | Automatic update of computer-readable components to support a trusted environment | |
| US8997253B2 (en) | Method and system for preventing browser-based abuse | |
| JP4757873B2 (en) | Computer device having multiple process architecture for executing plug-in code modules | |
| JP2008502066A6 (en) | Computer device having multiple process architecture for executing plug-in code modules | |
| US20070136728A1 (en) | Computer readable medium in which program is stored, computer data signal embodied in carrier wave, information processing apparatus that executes program, and program control method for executing program | |
| CN109271789B (en) | Malicious process detection method and device, electronic equipment and storage medium | |
| CN112434286A (en) | Dynamic library calling method and device, electronic device and storage medium | |
| US20110138460A1 (en) | System and method for loading application classes | |
| CN112231702A (en) | Application protection method, device, equipment and medium | |
| CN115248919A (en) | Method and device for calling function interface, electronic equipment and storage medium | |
| US9842018B2 (en) | Method of verifying integrity of program using hash | |
| KR20050039528A (en) | Securely identifying an executable to a trust-determining entity | |
| CN112069499A (en) | Detection method, detection device, storage medium and electronic equipment | |
| CN116702120A (en) | Application detection method, device, equipment and storage medium | |
| US11409878B2 (en) | Trusted sequence for computing devices via hashes | |
| EP3182313B1 (en) | Content-based authentication | |
| CN104731665B (en) | A kind of information processing method and electronic equipment | |
| CN117009003B (en) | Safe starting method and related device | |
| CN113918235B (en) | Application loading method and device and storage medium | |
| CN112787994B (en) | Method, device and equipment for processing equipment ID of electronic equipment and storage medium | |
| US20220366035A1 (en) | Execution control system, execution control method, and program | |
| CN117633789A (en) | Security detection method, device, equipment and storage medium for application program | |
| CN115114590A (en) | Android platform so file registration protection method and system | |
| CN116049814A (en) | Method and device for establishing information security protection, storage medium and electronic equipment | |
| CN117331838A (en) | Penetration test method and device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |