KR101557455B1 - Application Code Analysis Apparatus and Method For Code Analysis Using The Same - Google Patents

Application Code Analysis Apparatus and Method For Code Analysis Using The Same Download PDF

Info

Publication number
KR101557455B1
KR101557455B1 KR1020150055894A KR20150055894A KR101557455B1 KR 101557455 B1 KR101557455 B1 KR 101557455B1 KR 1020150055894 A KR1020150055894 A KR 1020150055894A KR 20150055894 A KR20150055894 A KR 20150055894A KR 101557455 B1 KR101557455 B1 KR 101557455B1
Authority
KR
South Korea
Prior art keywords
analysis
code
information
application program
file
Prior art date
Application number
KR1020150055894A
Other languages
Korean (ko)
Inventor
이정현
조해현
방지웅
지명주
Original Assignee
숭실대학교산학협력단
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 숭실대학교산학협력단 filed Critical 숭실대학교산학협력단
Priority to KR1020150055894A priority Critical patent/KR101557455B1/en
Application granted granted Critical
Publication of KR101557455B1 publication Critical patent/KR101557455B1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/125Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/14Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Stored Programmes (AREA)

Abstract

The present invention relates to an application program code analysis device and a code analysis method using the same. The device includes: an analysis setting unit which stores the predetermined analysis level and the analysis range for an analysis target application program; a control unit loading an execution file of an input application program; an operand analyzer unit which analyzes an operand of Dalvik bytecodes contained in the execution file at the analysis level in correspondence with the analysis range; a code generation unit which reconfigures the Dalvik bytecodes and the analyzed operand into intermediate codes in an intermediate language and extracts at least one of the text string information, field information, and method information of the Dalvik bytecodes to generate analysis information; and a file generation unit which generates an analysis file including the analysis information and the reconfigured intermediate code. The present invention uses the application program code analysis apparatus and the code analysis using the apparatus to extract the codes in a selective range of the application at a selective level while reducing the time and cost consumed for the application analysis.

Description

[0001] The present invention relates to an application code analyzing apparatus and a code analysis method using the same,

The present invention relates to an application program code analyzing apparatus and a code analyzing method using the same, and more particularly, to an application program code analyzing apparatus for analyzing an application program executable file in a range and analysis level selected by a user and providing analysis results. Code analysis method.

F-Secure's mobile threat report, released quarterly, shows that the number and types of newly discovered mobile malware are growing every year, and that most of the mobile malware is malicious code targeted at the Android platform.

Android malware is significantly more than malicious code in iOS and other mobile operating systems due to its high market share and ease of malicious code creation and distribution.

The Dalvik Bytecode in Android applications is similar to Java bytecode, so you can almost restore source code from executable files. It is easy to analyze the source code by using reverse engineering tools such as apktool, dedexer, Androguard, Dex2jar, and dexdump, and the attack technique that repackages after inserting malicious code into decompiled source code is mainly used.

This attack technique allows an attacker to steal all or part of an application or bypass an application's security mechanism, and forged applications can easily be spread over a variety of distribution channels, including third party markets and black markets.

An application with malicious code may steal personal information for the sake of monetary gain of an attacker, or may be infiltrated without permission. The smartphone screen may be sniffed or the content of the call may be eavesdropped. In addition, a user terminal equipped with an application with malicious code can send spam, paid characters, international calls, and the like, or can be used for a mobile DDoS attack.

Most malicious codes are not easily detected by anti-virus software, and obfuscation techniques are applied to prevent them from being easily analyzed. If obfuscation such as class encryption is applied to malicious code, information such as encrypted data, decryption method, algorithm and secret key must be found for reverse obfuscation.

This analysis should primarily be based on the experience of the analyst and analyze the complex structure of the individual techniques. Also, in recent years, reverse obfuscation can not be achieved only by static analysis by applying an obfuscation technique that is hidden from a decryption routine or a secret key.

Therefore, there is a need for a technology that can analyze applications using obfuscation techniques such as class encryption techniques more quickly and accurately.

The background art of the present invention is disclosed in Korean Patent Publication No. 10-2014-0108445 (published on Sep. 11, 2014).

The present invention relates to an application program code analyzing apparatus and a code analyzing method using the same, and more particularly, to an application program code analyzing apparatus for analyzing an application program executable file in a range and analysis level selected by a user and providing analysis results. The purpose of the code analysis method is to provide.

According to an aspect of the present invention, there is provided an apparatus for analyzing an application program code, the apparatus comprising: an analysis setting unit for storing a predetermined analysis level and an analysis range for an application program to be analyzed; An operand analyzing unit for analyzing the operand of the dumbbie byte code included in the executable file to the analysis level in accordance with the analysis range, and reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, A code analyzing unit for extracting at least one of character information, field information, and method information of the dumbbyte code and generating analysis information, and a file generation unit for generating an analysis result file including the reconstructed intermediate code and the analysis information .

The analysis setting unit may further store a package name of the analysis target application program, and the control unit may determine whether the input application program is an analysis target using the package name.

If the return value of a method using a string as a parameter is a string object, the code analyzer may extract a string stored in the string object and a source code of a method including the string as the string information.

The code analyzing unit may extract at least one of a method name, a class descriptor of a method, and a method descriptor as the method information, and may include at least one of a number of parameters used in a method invocation and a number of a Dalvik register used as the parameter One field can be extracted as the field information.

The apparatus may further include a communication unit for transmitting the analysis result file to a code classifier, wherein the code classifier comprises: a thread classifier for classifying codes included in the analysis result file by threads; And a call stack analyzing unit for analyzing a calling relation of a method included in the call stack analyzing unit.

Also, the analysis range includes a class name or a method name of the application program to be analyzed, and the analysis level may include whether or not the code that is executed in the API called by the application program through the Android framework is outputted have.

According to another embodiment of the present invention, an application program code analysis method performed by an application program code analysis apparatus includes the steps of: storing a predetermined analysis level and an analysis scope for an analysis target application program; loading an execution file of the input application program Analyzing the operands of the dumbbyte byte codes included in the executable file to the analysis level corresponding to the analysis range; reconstructing the dumbbyte codes and the analyzed operands into intermediate codes in an intermediate language form; Extracting at least one of character information, field information, and method information of the dumbbyte code to generate analysis information, and generating an analysis result file including the reconstructed intermediate code and the analysis information.

Therefore, according to the present invention, by using the application program analyzing apparatus and the code analyzing method using the same, it is possible to extract a code of a selective range of the application and analyze it at a selective level, and it is possible to reduce the time and cost .

It can also automatically obtain reverse obfuscated code for applications that use obfuscation techniques.

In addition, the instruction of the application can be reconfigured as an intermediate language code and provided to the analyst, and analysis information such as string information, field information, and method information can be additionally provided.

In addition, it is not an emulator-based dynamic analysis tool, so it is safe from detecting emulators and preventing analysis.

1 is a diagram for explaining an application program code analysis system according to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of an application program code analyzing apparatus according to an embodiment of the present invention.
3 is a diagram for explaining an application program code analyzing apparatus according to an embodiment of the present invention.
4 is a flow chart for explaining an application program code analysis method according to an embodiment of the present invention.
5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.

Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.

1 is a diagram for explaining an application program code analysis system according to an embodiment of the present invention.

1, the application program analysis system includes an application providing server 100, a code analyzing apparatus 200 and a code classifying apparatus 300. The code analyzing apparatus 200 includes an application providing server 100 And the code classifying device 300 through a network.

Here, the network means a connection structure in which information can be exchanged between each node such as a server and a device. An example of such a network is an Internet, a LAN (Local Area Network), a Wireless LAN Network, Wide Area Network (WAN), Personal Area Network (PAN), 3G, 4G, LTE, Wi-Fi and the like.

First, the application providing server 100 stores an application program file, and transmits the application program file to the code analyzing apparatus 200. At this time, the application providing server 100 may request the transmission of the application program file from the code analyzing apparatus 200, and may transmit the application program file to the code analyzing apparatus 200.

In addition, the application program providing server 100 according to the embodiment of the present invention can store various kinds of application program files such as finance, news, shopping, and games, and the code analysis device 200 can store the application program files The application program providing server 100 stores the application program file so that it can be downloaded from the server 100 and installed in the code analysis device 200. For example, various mobile application markets such as Google Play and Apple's App Store, a third party market, and a black market correspond to the application providing server 100.

Next, the code analysis apparatus 200 can download and install an application program file stored in the application program providing server 100 and execute the application program.

The code analyzing apparatus 200 can process and output the dalvik instruction word of an application program executed in real time in a form necessary for analysis, and can output string information, field information of a class, parameter information at the time of method invocation, It can be extracted and provided to the user. At this time, the code analyzing apparatus 200 may store the outputted information as a file, and may transmit the stored file to the code classifying apparatus 300.

The code analyzing apparatus 200 may be a terminal capable of downloading an application program file and analyzing the code, and may be a terminal that performs code analysis only or a smart phone, a smart pad, , A notebook computer, a tablet PC, a PDA (Personal Digital Assistant), and the like. In particular, in the case of a smart phone or a smart pad, the application can be provided as an application on the device.

Here, the application refers to an application program on the terminal, for example, an app (app) running on a mobile terminal (smart phone). A user can download an application (app) from a mobile application market, which is a virtual marketplace where mobile contents are bought and sold freely, and install the application in a code analysis device 200 such as a smart phone. .

Finally, the code classifier 300 may include a thread classifier and a call stack analyzer, and is responsible for enhancing the readability of the analysis result file received from the code analyzer 200. That is, since the Dalbig virtual machine is used in a plurality of threads, the code classifier 300 performs an operation of separating the analyzed analysis result file by threads.

The code classifying apparatus 300 corresponds to a personal computer (PC), a notebook computer, a computer, etc., which can read analysis result files received from the code analyzing apparatus 200, classify them according to threads, .

Hereinafter, an application program analyzing apparatus according to an embodiment of the present invention will be described in more detail with reference to FIG. 2 and FIG.

FIG. 2 is a block diagram showing a configuration of an application program code analyzing apparatus according to an embodiment of the present invention, and FIG. 3 is a diagram for explaining an application program code analyzing apparatus according to an embodiment of the present invention.

2, the code analyzing apparatus 200 includes an analysis setting unit 210, a control unit 220, an operand analyzing unit 230, a code analyzing unit 240, a file generating unit Personal Computer 250, and a communication unit 260 ).

First, the analysis setting unit 210 stores a predetermined analysis level and analysis range for the application program to be analyzed. The analysis setting unit 210 may set and store the analysis level and the analysis scope in designing the code analyzer 200 or may store the analysis level and the analysis scope included in the configuration file input from the user as shown in FIG. The analysis setting unit 210 may further store the package name of the analysis target application program.

Next, the control unit 220 loads the execution file of the input application program.

Also, when the analysis setting unit 210 further stores the package name of the analysis target application program, the control unit 220 can determine whether the input application program is an analysis target using the stored package name. As a result of the determination, the application program is analyzed only when the input application program is determined as the analysis target, and the analysis can be terminated if it is determined that the input application program is not the analysis target.

The operand analyzing unit 230 analyzes the operand of the dumbbyte byte code included in the executable file at the analysis level corresponding to the analysis range stored by the analysis setting unit 210.

Next, the code analyzing unit 240 reconstructs the dumbbyte code and the analyzed operand into an intermediate code in an intermediate language form.

Also, the code analyzer 240 extracts at least one of the string information, the field information, and the method information of the dumbbie byte code to generate analysis information. When the return value of a method using a string as a parameter is a string object, the code analyzer 240 can extract the string stored in the string object and the source code of the method including the string as string information.

In addition, the code analyzing unit 240 extracts at least one of a method name, a class descriptor of a method, and a method descriptor as method information, extracts at least one of the number of parameters used in a method call, Can be extracted as field information.

Next, the file generating unit 250 generates an analysis result file including the reconstructed intermediate code and analysis information. The file generating unit 250 may output the generated analysis result file to the user.

Finally, the communication unit 260 transmits the generated analysis result file to the code classifier 300. At this time, the communication unit 260 can transmit the generated analysis result file to the code classifier 300 through a wired or wireless network.

As shown in FIG. 3, the code analyzing apparatus 200 can be implemented by modifying the Dalvik virtual machine. The code analyzing apparatus 200 is a software module for monitoring a dabbic command executed in real time and can be used for malicious code analysis because it can check encrypted code, character string information, and important parameter values by monitoring in real time.

Particularly, the code analyzing apparatus 200 according to the embodiment of the present invention can analyze an application program without secret key information when a code hiding-based obfuscation technique such as class encryption, which was impossible with conventional static analysis, is applied This makes it possible to analyze malicious code with obfuscation more quickly and accurately.

Hereinafter, a code analysis method of an application program according to an embodiment of the present invention will be described in more detail with reference to FIG. 4 and FIG.

FIG. 4 is a flow chart for explaining an application program code analysis method according to an embodiment of the present invention, and FIG. 5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.

First, the code analyzing apparatus 200 stores a predetermined analysis level and an analysis range (S410).

Here, the analysis level refers to whether or not the code that is executed in the API called by the application through the Android framework is output when the code of the application is analyzed, and the scope of analysis refers to the class name or method name of the application program to be analyzed . The code analyzing apparatus 200 according to the embodiment of the present invention can further store the package name of the analysis target application program.

The code analyzing apparatus 200 may receive and store the analysis level and the analysis range from the user before analyzing the code of the application program, or may load and use a file storing the predetermined analysis level and analysis range.

In addition, the code analysis device 200 may store the analysis level and the analysis range each time before analyzing the code of the application program, or may analyze the codes of a plurality of application programs with a single analysis level and an analysis range storage.

Next, the code analysis apparatus 200 loads the executable file into the memory (S420).

If the application is an Android application, the executable file can be a DEX file, and the DEX file can be extracted by decompressing the APK file. The DEX file is a file in which the class file is converted to bytecode so that it can be recognized by the Android virtual machine Dalvik, and it is composed of a dubic command.

If you extract the class file by decompiling the DEX file into DVM bytecode, you can extract the smali code and java code of the Android application. Here, the DVVM (Dalvik Virtual Machine) is the entity that can execute the dumbbyte code.

When the code analyzing apparatus 200 is implemented on a user terminal such as a smart phone, a smart pad, etc., the user's terminal's Dalvik virtual machine transmits the executable file loaded by the code analyzing apparatus 200 to the central processing unit CPU) can be translated into a machine language that can be executed. When the code analysis of the code analysis apparatus 200 according to the embodiment of the present invention is completed, the central processing unit of the user terminal can execute the corresponding application program translated into the machine language.

Next, the code analyzing apparatus 200 determines whether the application program corresponding to the loaded executable file is an analysis target (S430).

If the code analyzing apparatus 200 stores the package name of the analysis target application program in step S410, it can determine whether the application program corresponding to the loaded executable file is analyzed using the stored package name.

The code analysis device 200 analyzes the contents of the AndroidManifest.xml file including application package information such as a package name, a version, a component component, a function execution right, and a reference library to determine whether the application is an analysis target application program It can be judged.

If the package name of the loaded executable file and the stored package name are inconsistent and it is determined that the application program corresponding to the executable file is not an analysis target, the code analysis device 200 can terminate the code analysis.

For convenience of explanation, the code analysis apparatus 200 stores the package name of the analysis target application program and determines whether to analyze the loaded execution file using the stored package name. However, the present invention is not limited to this, and the code analysis apparatus 200 may directly perform step S440 after performing step S420 without determining whether the application program is analyzed.

If it is determined that the analysis target is the analysis target, the code analysis device 200 analyzes the operand (S440).

The code analyzing apparatus 200 analyzes the operands of the dumbby byte codes included in the executable file in accordance with the analysis range at the analysis level. At this time, the code analyzing apparatus 200 can perform the function of analyzing the operand by modifying the function implemented in the existing Dalvik virtual machine.

Also, the code analyzing apparatus 200 reconstructs the analyzed Dalvik command and the operand into an intermediate code, and generates analysis information (S450).

The code analyzing apparatus 200 reconstructs the analyzed dalikic command and the operand in an intermediate code, which is an intermediate language code, in step S440. At this time, the intermediate code may be smali code.

The smali code refers to the assembly code of the dex file, and the file structure and method information can be checked through smali file analysis. The smali code can then be extracted by decoding the apk file using apktool.

Then, the code analyzing apparatus 200 extracts at least one of the string information, the field information, and the method information of the dumbbie byte code to generate analysis information.

Important information such as application license information, secret key, and user personal information are mostly treated as strings, so it is important to extract and analyze the string information when analyzing the application.

The Dalvik virtual machine uses the index information of the string stored in the DEX file when the Dalvik command uses a string as a parameter. For example, an intermediate language intermediate code such as const-string v1, test is executed in the form of const-string v1 string @ 0x0001 when executed in the Dalvik virtual machine.

When the return value of a method using a string as a parameter is a string object, the code analyzing apparatus 200 extracts the string stored in the string object and the source code of the method including the string as string information to generate analysis information .

The code analysis apparatus 200 can extract at least one of a method name, a class descriptor of a method, and a method descriptor as method information. The number of parameters used at the time of method invocation, the number of a dubic register used as a parameter Can be extracted as field information.

The code analyzing apparatus 200 may generate analysis information by extracting a return value from a method return statement or may generate information of a calling method as analysis information to facilitate call stack analysis of a plurality of methods.

In addition, an analysis result file including the reconstructed intermediate code and analysis information is generated (S460).

The code analysis apparatus 200 generates an analysis result file including the reconstructed intermediate code and the extracted analysis information in step S450. At this time, the generated analysis result file is output at a predetermined analysis level in step S410, and the analysis result file is output as an intermediate code of intermediate language type.

When the analysis level is set to output the code executed in the API called through the Android framework, the code analysis device 200 determines that when the application calls the API through the Android framework, The code is also extracted and an analysis result file is generated.

If the analysis level is not set in step S410, the code analysis device 200 can generate an analysis result file that outputs all the codes to be executed from the moment the application program is started.

On the other hand, if the analysis level is set not to output the code to be executed in the API, the code analyzing apparatus 200 outputs only the intermediate code of the executable file loaded in step S420, and generates the analysis result file. At this time, the generated analysis result file may contain only the intermediate code corresponding to the executable file generated from the Java code created by the developer of the application program.

If you simply monitor the commands that run in the Dalvik virtual machine, the output is huge. This makes it difficult for the analyst who analyzes the application program to identify the method or class corresponding to the analysis result among the extracted result. In addition, analyzing the application program using the extracted result is entirely dependent on the analyst's experience.

However, the code analysis apparatus 200 according to the embodiment of the present invention can set the analysis level and the analysis scope through the class descriptor and the method name in step S410. This allows the analyst who analyzes the application program to adjust the analysis level and the scope of analysis according to the analysis environment. Accordingly, the analyst can analyze the application program conveniently and efficiently using the analysis result file generated in step S460.

The code analyzing apparatus 200 according to the embodiment of the present invention extracts instructions, operands, and analysis information necessary for analysis immediately before an application program is executed on the Dalvik virtual machine, which is a component of the Android platform, .

Even when the obfuscation technique including the encryption function is applied to the source code or the executable file of the application program, when loading the source code or the executable file on the Dalvik virtual machine for execution of the corresponding application program, Lt; / RTI > Since the code analyzing apparatus 200 according to the embodiment of the present invention is a modified version of the Dalbig virtual machine, it is possible to extract commands, operands, analysis information, and the like necessary for analysis without searching a secret key for decryption through static analysis.

Therefore, the code analysis apparatus 200 according to the embodiment of the present invention can analyze an application program to which a complicated obfuscation technology such as a class encryption scheme, an API concealment scheme, and a string encryption scheme is applied without secret key information, You can analyze applications more quickly and accurately.

Finally, the code analysis apparatus 200 transmits the analysis result file to the code classification apparatus 300 (S470).

The analysis result file generated by the code analysis apparatus 200 is an intermediate code of an intermediate language type for each class analysis result. The code analysis apparatus 200 analyzes the classification result of the code classification apparatus 300 to improve the readability of the analysis result file, And transmits the analysis result file.

The code analyzing apparatus 200 transmits the analysis result file generated in step S460 to the code classifying apparatus 300. However, the code analyzing apparatus 200 may store the analysis result file generated after step S460 Or output it to the user.

The code classifying apparatus 300 classifies the received analysis result file and generates an output file having higher readability so that the analyst can efficiently analyze it.

5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.

As shown in FIG. 5, the code classifying apparatus 300 includes a thread classifying unit 310 and a call stack analyzing unit 320.

First, the thread classifier 310 includes a thread number recognizer, a code redistributor, and a file creator. The thread classifying unit 310 classifies the codes included in the analysis result file received from the code analyzing apparatus 200 into thread numbers, and creates a file for each thread number.

The Dalbig virtual machine is used in a plurality of threads, and the thread classifier 310 classifies the code of the application program by thread to facilitate analysis of the application program.

Next, the call stack analyzer 320 includes a call and return statement recognizer, a call stack calculator, and a method classifier. The call stack analyzer 320 analyzes the calling relationship of methods included in the analysis result file.

The call stack analyzer 320 identifies the relationship between the called method and the called method, and analyzes the analyzed relation so that the analyst can confirm the calling relationship of the method at a glance, and provides the analysis to the user. At this time, the call stack analyzing unit 320 can indent a file to be called or output it to a user after a method to call a called method.

As described above, according to the embodiment of the present invention, by using the application program analyzing apparatus and the code analyzing method using it, it is possible to extract a code of a selective range of the application and analyze it at a selective level, The cost can be reduced. And it can automatically acquire the reverse obfuscated code of an application that uses an obfuscation technique.

In addition, the instruction of the application can be reconfigured as an intermediate language code and provided to the analyst. Further, analysis information such as string information, field information, and method information can be additionally provided. The application code analyzing apparatus and the code analyzing method according to the embodiment of the present invention are safe from the technique of detecting the emulator and preventing the analysis.

While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, Of the right.

100: Application providing server 200: Code analysis device
210: Analysis setting unit 220:
230: operand analyzing unit 240: code analyzing unit
250: file generating unit 260:
300: code classifier 310: thread classifier
320: Call Stack Analysis Unit

Claims (12)

An analysis setting unit for storing a predetermined analysis level and an analysis range for the application program to be analyzed,
A control unit for loading an executable file of the input application program,
An operand analyzing unit for analyzing operands of dabby byte codes executed in real time included in the execution file in accordance with the analysis range,
A code analysis unit for reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, extracting at least one of character information, field information, and method information of the dumbbyte code, and generating analysis information; and
And a file generation unit for generating an analysis result file including the reconstructed intermediate code and the analysis information,
Wherein the analysis range includes a class name or a method name of the application program to be analyzed,
The analysis level includes whether or not the code that is executed in the API called by the application program through the Android framework is output,
The code analyzing unit,
Extracts at least one of a method name, a class descriptor of a method, and a method descriptor as the method information,
The number of parameters used in a method call, and the number of a dumbbick register used as the parameter, as the field information. The method according to claim 1,
Wherein the analysis setting unit further stores a package name of the analysis target application program,
Wherein,
And determines whether the input application program is an analysis target using the package name. The method according to claim 1,
The code analyzing unit,
Extracts a string stored in the string object and a source code of a method including the string as the string information if the return value of the method using the string as a parameter is a string object. delete The method according to claim 1,
And a communication unit for transmitting the analysis result file to a code classifier,
The code classifying device comprises:
A thread classifier for classifying the codes included in the analysis result file by threads,
And a call stack analyzing unit for analyzing a calling relation of a method included in the analysis result file. delete A method for analyzing a code using an application program analyzing apparatus,
Storing the predetermined analysis level and analysis range for the application program to be analyzed,
Loading an executable file of the input application program,
Analyzing an operand of a dumbbyte byte code executed in real time included in the execution file in accordance with the analysis range into the analysis level;
Reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, extracting at least one of the string information, the field information, and the method information of the dumbbyte code to generate analysis information, and
Generating an analysis result file including the reconstructed intermediate code and the analysis information,
Wherein the analysis range includes a class name or a method name of the application program to be analyzed,
The analysis level includes whether or not the code that is executed in the API called by the application program through the Android framework is output,
The step of extracting at least one of the string information, the field information, and the method information of the dumbbie byte code to generate analysis information,
Extracts at least one of a method name, a class descriptor of a method, and a method descriptor as the method information,
A number of parameters used in a method call, and a number of a dumbbick register used as the parameter. 8. The method of claim 7,
Wherein the step of storing the predetermined analysis level and the analysis range for the application program to be analyzed comprises:
Further storing a package name of the application program to be analyzed,
The step of loading an executable file of the input application program,
And determining whether the input application program is an analysis target using the package name. 8. The method of claim 7,
The step of extracting at least one of the string information, the field information, and the method information of the dumbbyte code as analysis information,
And extracting a character string stored in the character string object and a source code of a method including the character string as the character string information when the return value of the method using the character string as a parameter is a character string object. delete 8. The method of claim 7,
And transmitting the analysis result file to a code classifier,
The code classifying device comprises:
A thread classifier for classifying the codes included in the analysis result file by threads,
And a call stack analyzing unit for analyzing a call relation of a method included in the analysis result file. delete
KR1020150055894A 2015-04-21 2015-04-21 Application Code Analysis Apparatus and Method For Code Analysis Using The Same KR101557455B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020150055894A KR101557455B1 (en) 2015-04-21 2015-04-21 Application Code Analysis Apparatus and Method For Code Analysis Using The Same

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020150055894A KR101557455B1 (en) 2015-04-21 2015-04-21 Application Code Analysis Apparatus and Method For Code Analysis Using The Same

Publications (1)

Publication Number Publication Date
KR101557455B1 true KR101557455B1 (en) 2015-10-07

Family

ID=54344046

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020150055894A KR101557455B1 (en) 2015-04-21 2015-04-21 Application Code Analysis Apparatus and Method For Code Analysis Using The Same

Country Status (1)

Country Link
KR (1) KR101557455B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101861341B1 (en) 2017-05-30 2018-05-28 올댓소프트 코. Deobfuscation apparatus of application code and method of deobfuscating application code using the same
KR101976993B1 (en) * 2017-11-16 2019-05-10 숭실대학교산학협력단 Interactive Dynamic Binary Instrumentation Code Extraction Apparatus for Automatic Analysis of Mobile Code and method thereof
KR20220016592A (en) * 2020-08-03 2022-02-10 신승민 Security system for detecting data breach and method thereof
WO2022139063A1 (en) * 2020-12-24 2022-06-30 숭실대학교 산학협력단 Code sequence-based smart core code identification method, and recording medium and device for performing same

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012022536A (en) 2010-07-15 2012-02-02 Hitachi Ltd Source code inspection method and source code inspection apparatus

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012022536A (en) 2010-07-15 2012-02-02 Hitachi Ltd Source code inspection method and source code inspection apparatus

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101861341B1 (en) 2017-05-30 2018-05-28 올댓소프트 코. Deobfuscation apparatus of application code and method of deobfuscating application code using the same
KR101976993B1 (en) * 2017-11-16 2019-05-10 숭실대학교산학협력단 Interactive Dynamic Binary Instrumentation Code Extraction Apparatus for Automatic Analysis of Mobile Code and method thereof
KR20220016592A (en) * 2020-08-03 2022-02-10 신승민 Security system for detecting data breach and method thereof
KR102366846B1 (en) * 2020-08-03 2022-02-23 신승민 Security system for detecting data breach and method thereof
WO2022139063A1 (en) * 2020-12-24 2022-06-30 숭실대학교 산학협력단 Code sequence-based smart core code identification method, and recording medium and device for performing same

Similar Documents

Publication Publication Date Title
Feng et al. A performance-sensitive malware detection system using deep learning on mobile devices
Bläsing et al. An android application sandbox system for suspicious software detection
Zhauniarovich et al. Stadyna: Addressing the problem of dynamic code updates in the security analysis of android applications
Spreitzenbarth et al. Mobile-sandbox: having a deeper look into android applications
KR101471589B1 (en) Method for Providing Security for Common Intermediate Language Program
EP3262557A1 (en) A method to identify known compilers functions, libraries and objects inside files and data items containing an executable code
CN109255235B (en) Mobile application third-party library isolation method based on user state sandbox
CN111163094B (en) Network attack detection method, network attack detection device, electronic device, and medium
KR101557455B1 (en) Application Code Analysis Apparatus and Method For Code Analysis Using The Same
US20170242986A1 (en) Method and system for providing cloud-based application security service
CN111163095A (en) Network attack analysis method, network attack analysis device, computing device, and medium
Faruki et al. Droidanalyst: Synergic app framework for static and dynamic app analysis
Lim et al. Structural analysis of packing schemes for extracting hidden codes in mobile malware
Soliman et al. Taxonomy of malware analysis in the IoT
Alfalqi et al. Android platform malware analysis
Cho et al. DexMonitor: dynamically analyzing and monitoring obfuscated Android applications
CN110597496B (en) Method and device for acquiring bytecode file of application program
Qiu et al. Libcapsule: Complete confinement of third-party libraries in android applications
Borja et al. Risk analysis and Android application penetration testing based on OWASP 2016
Niu et al. Clone analysis and detection in android applications
Baset et al. Identifying android library dependencies in the presence of code obfuscation and minimization
Bokolo et al. Hybrid analysis based cross inspection framework for android malware detection
Khanmohammadi et al. Hydroid: A hybrid approach for generating API Call traces from obfuscated android applications for mobile security
Shen et al. Toward efficient dynamic analysis and testing for Android malware
A. Mawgoud et al. A malware obfuscation AI technique to evade antivirus detection in counter forensic domain

Legal Events

Date Code Title Description
E701 Decision to grant or registration of patent right
GRNT Written decision to grant
FPAY Annual fee payment

Payment date: 20190624

Year of fee payment: 5