KR101557455B1 - Application Code Analysis Apparatus and Method For Code Analysis Using The Same - Google Patents
Application Code Analysis Apparatus and Method For Code Analysis Using The Same Download PDFInfo
- Publication number
- KR101557455B1 KR101557455B1 KR1020150055894A KR20150055894A KR101557455B1 KR 101557455 B1 KR101557455 B1 KR 101557455B1 KR 1020150055894 A KR1020150055894 A KR 1020150055894A KR 20150055894 A KR20150055894 A KR 20150055894A KR 101557455 B1 KR101557455 B1 KR 101557455B1
- Authority
- KR
- South Korea
- Prior art keywords
- analysis
- code
- information
- application program
- file
- Prior art date
Links
- 238000004458 analytical method Methods 0.000 title claims abstract description 219
- 238000000034 method Methods 0.000 title claims abstract description 94
- 239000000284 extract Substances 0.000 claims abstract description 16
- 238000004891 communication Methods 0.000 claims description 5
- 238000010586 diagram Methods 0.000 description 9
- 230000006870 function Effects 0.000 description 4
- 230000003068 static effect Effects 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 2
- 238000012544 monitoring process Methods 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 230000002155 anti-virotic effect Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
- G06F21/125—Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/14—Protecting executable software against software analysis or reverse engineering, e.g. by obfuscation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Technology Law (AREA)
- Multimedia (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Stored Programmes (AREA)
Abstract
Description
The present invention relates to an application program code analyzing apparatus and a code analyzing method using the same, and more particularly, to an application program code analyzing apparatus for analyzing an application program executable file in a range and analysis level selected by a user and providing analysis results. Code analysis method.
F-Secure's mobile threat report, released quarterly, shows that the number and types of newly discovered mobile malware are growing every year, and that most of the mobile malware is malicious code targeted at the Android platform.
Android malware is significantly more than malicious code in iOS and other mobile operating systems due to its high market share and ease of malicious code creation and distribution.
The Dalvik Bytecode in Android applications is similar to Java bytecode, so you can almost restore source code from executable files. It is easy to analyze the source code by using reverse engineering tools such as apktool, dedexer, Androguard, Dex2jar, and dexdump, and the attack technique that repackages after inserting malicious code into decompiled source code is mainly used.
This attack technique allows an attacker to steal all or part of an application or bypass an application's security mechanism, and forged applications can easily be spread over a variety of distribution channels, including third party markets and black markets.
An application with malicious code may steal personal information for the sake of monetary gain of an attacker, or may be infiltrated without permission. The smartphone screen may be sniffed or the content of the call may be eavesdropped. In addition, a user terminal equipped with an application with malicious code can send spam, paid characters, international calls, and the like, or can be used for a mobile DDoS attack.
Most malicious codes are not easily detected by anti-virus software, and obfuscation techniques are applied to prevent them from being easily analyzed. If obfuscation such as class encryption is applied to malicious code, information such as encrypted data, decryption method, algorithm and secret key must be found for reverse obfuscation.
This analysis should primarily be based on the experience of the analyst and analyze the complex structure of the individual techniques. Also, in recent years, reverse obfuscation can not be achieved only by static analysis by applying an obfuscation technique that is hidden from a decryption routine or a secret key.
Therefore, there is a need for a technology that can analyze applications using obfuscation techniques such as class encryption techniques more quickly and accurately.
The background art of the present invention is disclosed in Korean Patent Publication No. 10-2014-0108445 (published on Sep. 11, 2014).
The present invention relates to an application program code analyzing apparatus and a code analyzing method using the same, and more particularly, to an application program code analyzing apparatus for analyzing an application program executable file in a range and analysis level selected by a user and providing analysis results. The purpose of the code analysis method is to provide.
According to an aspect of the present invention, there is provided an apparatus for analyzing an application program code, the apparatus comprising: an analysis setting unit for storing a predetermined analysis level and an analysis range for an application program to be analyzed; An operand analyzing unit for analyzing the operand of the dumbbie byte code included in the executable file to the analysis level in accordance with the analysis range, and reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, A code analyzing unit for extracting at least one of character information, field information, and method information of the dumbbyte code and generating analysis information, and a file generation unit for generating an analysis result file including the reconstructed intermediate code and the analysis information .
The analysis setting unit may further store a package name of the analysis target application program, and the control unit may determine whether the input application program is an analysis target using the package name.
If the return value of a method using a string as a parameter is a string object, the code analyzer may extract a string stored in the string object and a source code of a method including the string as the string information.
The code analyzing unit may extract at least one of a method name, a class descriptor of a method, and a method descriptor as the method information, and may include at least one of a number of parameters used in a method invocation and a number of a Dalvik register used as the parameter One field can be extracted as the field information.
The apparatus may further include a communication unit for transmitting the analysis result file to a code classifier, wherein the code classifier comprises: a thread classifier for classifying codes included in the analysis result file by threads; And a call stack analyzing unit for analyzing a calling relation of a method included in the call stack analyzing unit.
Also, the analysis range includes a class name or a method name of the application program to be analyzed, and the analysis level may include whether or not the code that is executed in the API called by the application program through the Android framework is outputted have.
According to another embodiment of the present invention, an application program code analysis method performed by an application program code analysis apparatus includes the steps of: storing a predetermined analysis level and an analysis scope for an analysis target application program; loading an execution file of the input application program Analyzing the operands of the dumbbyte byte codes included in the executable file to the analysis level corresponding to the analysis range; reconstructing the dumbbyte codes and the analyzed operands into intermediate codes in an intermediate language form; Extracting at least one of character information, field information, and method information of the dumbbyte code to generate analysis information, and generating an analysis result file including the reconstructed intermediate code and the analysis information.
Therefore, according to the present invention, by using the application program analyzing apparatus and the code analyzing method using the same, it is possible to extract a code of a selective range of the application and analyze it at a selective level, and it is possible to reduce the time and cost .
It can also automatically obtain reverse obfuscated code for applications that use obfuscation techniques.
In addition, the instruction of the application can be reconfigured as an intermediate language code and provided to the analyst, and analysis information such as string information, field information, and method information can be additionally provided.
In addition, it is not an emulator-based dynamic analysis tool, so it is safe from detecting emulators and preventing analysis.
1 is a diagram for explaining an application program code analysis system according to an embodiment of the present invention.
2 is a block diagram illustrating a configuration of an application program code analyzing apparatus according to an embodiment of the present invention.
3 is a diagram for explaining an application program code analyzing apparatus according to an embodiment of the present invention.
4 is a flow chart for explaining an application program code analysis method according to an embodiment of the present invention.
5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those skilled in the art can easily carry out the present invention. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. In order to clearly illustrate the present invention, parts not related to the description are omitted, and similar parts are denoted by like reference characters throughout the specification.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings.
1 is a diagram for explaining an application program code analysis system according to an embodiment of the present invention.
1, the application program analysis system includes an
Here, the network means a connection structure in which information can be exchanged between each node such as a server and a device. An example of such a network is an Internet, a LAN (Local Area Network), a Wireless LAN Network, Wide Area Network (WAN), Personal Area Network (PAN), 3G, 4G, LTE, Wi-Fi and the like.
First, the
In addition, the application
Next, the
The
The
Here, the application refers to an application program on the terminal, for example, an app (app) running on a mobile terminal (smart phone). A user can download an application (app) from a mobile application market, which is a virtual marketplace where mobile contents are bought and sold freely, and install the application in a
Finally, the
The
Hereinafter, an application program analyzing apparatus according to an embodiment of the present invention will be described in more detail with reference to FIG. 2 and FIG.
FIG. 2 is a block diagram showing a configuration of an application program code analyzing apparatus according to an embodiment of the present invention, and FIG. 3 is a diagram for explaining an application program code analyzing apparatus according to an embodiment of the present invention.
2, the
First, the analysis setting
Next, the
Also, when the
The
Next, the
Also, the
In addition, the
Next, the
Finally, the
As shown in FIG. 3, the
Particularly, the
Hereinafter, a code analysis method of an application program according to an embodiment of the present invention will be described in more detail with reference to FIG. 4 and FIG.
FIG. 4 is a flow chart for explaining an application program code analysis method according to an embodiment of the present invention, and FIG. 5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.
First, the
Here, the analysis level refers to whether or not the code that is executed in the API called by the application through the Android framework is output when the code of the application is analyzed, and the scope of analysis refers to the class name or method name of the application program to be analyzed . The
The
In addition, the
Next, the
If the application is an Android application, the executable file can be a DEX file, and the DEX file can be extracted by decompressing the APK file. The DEX file is a file in which the class file is converted to bytecode so that it can be recognized by the Android virtual machine Dalvik, and it is composed of a dubic command.
If you extract the class file by decompiling the DEX file into DVM bytecode, you can extract the smali code and java code of the Android application. Here, the DVVM (Dalvik Virtual Machine) is the entity that can execute the dumbbyte code.
When the
Next, the
If the
The
If the package name of the loaded executable file and the stored package name are inconsistent and it is determined that the application program corresponding to the executable file is not an analysis target, the
For convenience of explanation, the
If it is determined that the analysis target is the analysis target, the
The
Also, the
The
The smali code refers to the assembly code of the dex file, and the file structure and method information can be checked through smali file analysis. The smali code can then be extracted by decoding the apk file using apktool.
Then, the
Important information such as application license information, secret key, and user personal information are mostly treated as strings, so it is important to extract and analyze the string information when analyzing the application.
The Dalvik virtual machine uses the index information of the string stored in the DEX file when the Dalvik command uses a string as a parameter. For example, an intermediate language intermediate code such as const-string v1, test is executed in the form of const-string v1 string @ 0x0001 when executed in the Dalvik virtual machine.
When the return value of a method using a string as a parameter is a string object, the
The
The
In addition, an analysis result file including the reconstructed intermediate code and analysis information is generated (S460).
The
When the analysis level is set to output the code executed in the API called through the Android framework, the
If the analysis level is not set in step S410, the
On the other hand, if the analysis level is set not to output the code to be executed in the API, the
If you simply monitor the commands that run in the Dalvik virtual machine, the output is huge. This makes it difficult for the analyst who analyzes the application program to identify the method or class corresponding to the analysis result among the extracted result. In addition, analyzing the application program using the extracted result is entirely dependent on the analyst's experience.
However, the
The
Even when the obfuscation technique including the encryption function is applied to the source code or the executable file of the application program, when loading the source code or the executable file on the Dalvik virtual machine for execution of the corresponding application program, Lt; / RTI > Since the
Therefore, the
Finally, the
The analysis result file generated by the
The
The
5 is a diagram illustrating a configuration of a code classifying apparatus according to an embodiment of the present invention.
As shown in FIG. 5, the
First, the
The Dalbig virtual machine is used in a plurality of threads, and the
Next, the
The
As described above, according to the embodiment of the present invention, by using the application program analyzing apparatus and the code analyzing method using it, it is possible to extract a code of a selective range of the application and analyze it at a selective level, The cost can be reduced. And it can automatically acquire the reverse obfuscated code of an application that uses an obfuscation technique.
In addition, the instruction of the application can be reconfigured as an intermediate language code and provided to the analyst. Further, analysis information such as string information, field information, and method information can be additionally provided. The application code analyzing apparatus and the code analyzing method according to the embodiment of the present invention are safe from the technique of detecting the emulator and preventing the analysis.
While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it is to be understood that the invention is not limited to the disclosed exemplary embodiments, Of the right.
100: Application providing server 200: Code analysis device
210: Analysis setting unit 220:
230: operand analyzing unit 240: code analyzing unit
250: file generating unit 260:
300: code classifier 310: thread classifier
320: Call Stack Analysis Unit
Claims (12)
A control unit for loading an executable file of the input application program,
An operand analyzing unit for analyzing operands of dabby byte codes executed in real time included in the execution file in accordance with the analysis range,
A code analysis unit for reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, extracting at least one of character information, field information, and method information of the dumbbyte code, and generating analysis information; and
And a file generation unit for generating an analysis result file including the reconstructed intermediate code and the analysis information,
Wherein the analysis range includes a class name or a method name of the application program to be analyzed,
The analysis level includes whether or not the code that is executed in the API called by the application program through the Android framework is output,
The code analyzing unit,
Extracts at least one of a method name, a class descriptor of a method, and a method descriptor as the method information,
The number of parameters used in a method call, and the number of a dumbbick register used as the parameter, as the field information.
Wherein the analysis setting unit further stores a package name of the analysis target application program,
Wherein,
And determines whether the input application program is an analysis target using the package name.
The code analyzing unit,
Extracts a string stored in the string object and a source code of a method including the string as the string information if the return value of the method using the string as a parameter is a string object.
And a communication unit for transmitting the analysis result file to a code classifier,
The code classifying device comprises:
A thread classifier for classifying the codes included in the analysis result file by threads,
And a call stack analyzing unit for analyzing a calling relation of a method included in the analysis result file.
Storing the predetermined analysis level and analysis range for the application program to be analyzed,
Loading an executable file of the input application program,
Analyzing an operand of a dumbbyte byte code executed in real time included in the execution file in accordance with the analysis range into the analysis level;
Reconstructing the dumbbyte code and the analyzed operand into an intermediate language intermediate code, extracting at least one of the string information, the field information, and the method information of the dumbbyte code to generate analysis information, and
Generating an analysis result file including the reconstructed intermediate code and the analysis information,
Wherein the analysis range includes a class name or a method name of the application program to be analyzed,
The analysis level includes whether or not the code that is executed in the API called by the application program through the Android framework is output,
The step of extracting at least one of the string information, the field information, and the method information of the dumbbie byte code to generate analysis information,
Extracts at least one of a method name, a class descriptor of a method, and a method descriptor as the method information,
A number of parameters used in a method call, and a number of a dumbbick register used as the parameter.
Wherein the step of storing the predetermined analysis level and the analysis range for the application program to be analyzed comprises:
Further storing a package name of the application program to be analyzed,
The step of loading an executable file of the input application program,
And determining whether the input application program is an analysis target using the package name.
The step of extracting at least one of the string information, the field information, and the method information of the dumbbyte code as analysis information,
And extracting a character string stored in the character string object and a source code of a method including the character string as the character string information when the return value of the method using the character string as a parameter is a character string object.
And transmitting the analysis result file to a code classifier,
The code classifying device comprises:
A thread classifier for classifying the codes included in the analysis result file by threads,
And a call stack analyzing unit for analyzing a call relation of a method included in the analysis result file.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150055894A KR101557455B1 (en) | 2015-04-21 | 2015-04-21 | Application Code Analysis Apparatus and Method For Code Analysis Using The Same |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020150055894A KR101557455B1 (en) | 2015-04-21 | 2015-04-21 | Application Code Analysis Apparatus and Method For Code Analysis Using The Same |
Publications (1)
Publication Number | Publication Date |
---|---|
KR101557455B1 true KR101557455B1 (en) | 2015-10-07 |
Family
ID=54344046
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020150055894A KR101557455B1 (en) | 2015-04-21 | 2015-04-21 | Application Code Analysis Apparatus and Method For Code Analysis Using The Same |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR101557455B1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101861341B1 (en) | 2017-05-30 | 2018-05-28 | 올댓소프트 코. | Deobfuscation apparatus of application code and method of deobfuscating application code using the same |
KR101976993B1 (en) * | 2017-11-16 | 2019-05-10 | 숭실대학교산학협력단 | Interactive Dynamic Binary Instrumentation Code Extraction Apparatus for Automatic Analysis of Mobile Code and method thereof |
KR20220016592A (en) * | 2020-08-03 | 2022-02-10 | 신승민 | Security system for detecting data breach and method thereof |
WO2022139063A1 (en) * | 2020-12-24 | 2022-06-30 | 숭실대학교 산학협력단 | Code sequence-based smart core code identification method, and recording medium and device for performing same |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012022536A (en) | 2010-07-15 | 2012-02-02 | Hitachi Ltd | Source code inspection method and source code inspection apparatus |
-
2015
- 2015-04-21 KR KR1020150055894A patent/KR101557455B1/en active IP Right Grant
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012022536A (en) | 2010-07-15 | 2012-02-02 | Hitachi Ltd | Source code inspection method and source code inspection apparatus |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101861341B1 (en) | 2017-05-30 | 2018-05-28 | 올댓소프트 코. | Deobfuscation apparatus of application code and method of deobfuscating application code using the same |
KR101976993B1 (en) * | 2017-11-16 | 2019-05-10 | 숭실대학교산학협력단 | Interactive Dynamic Binary Instrumentation Code Extraction Apparatus for Automatic Analysis of Mobile Code and method thereof |
KR20220016592A (en) * | 2020-08-03 | 2022-02-10 | 신승민 | Security system for detecting data breach and method thereof |
KR102366846B1 (en) * | 2020-08-03 | 2022-02-23 | 신승민 | Security system for detecting data breach and method thereof |
WO2022139063A1 (en) * | 2020-12-24 | 2022-06-30 | 숭실대학교 산학협력단 | Code sequence-based smart core code identification method, and recording medium and device for performing same |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Feng et al. | A performance-sensitive malware detection system using deep learning on mobile devices | |
Bläsing et al. | An android application sandbox system for suspicious software detection | |
Zhauniarovich et al. | Stadyna: Addressing the problem of dynamic code updates in the security analysis of android applications | |
Spreitzenbarth et al. | Mobile-sandbox: having a deeper look into android applications | |
KR101471589B1 (en) | Method for Providing Security for Common Intermediate Language Program | |
EP3262557A1 (en) | A method to identify known compilers functions, libraries and objects inside files and data items containing an executable code | |
CN109255235B (en) | Mobile application third-party library isolation method based on user state sandbox | |
CN111163094B (en) | Network attack detection method, network attack detection device, electronic device, and medium | |
KR101557455B1 (en) | Application Code Analysis Apparatus and Method For Code Analysis Using The Same | |
US20170242986A1 (en) | Method and system for providing cloud-based application security service | |
CN111163095A (en) | Network attack analysis method, network attack analysis device, computing device, and medium | |
Faruki et al. | Droidanalyst: Synergic app framework for static and dynamic app analysis | |
Lim et al. | Structural analysis of packing schemes for extracting hidden codes in mobile malware | |
Soliman et al. | Taxonomy of malware analysis in the IoT | |
Alfalqi et al. | Android platform malware analysis | |
Cho et al. | DexMonitor: dynamically analyzing and monitoring obfuscated Android applications | |
CN110597496B (en) | Method and device for acquiring bytecode file of application program | |
Qiu et al. | Libcapsule: Complete confinement of third-party libraries in android applications | |
Borja et al. | Risk analysis and Android application penetration testing based on OWASP 2016 | |
Niu et al. | Clone analysis and detection in android applications | |
Baset et al. | Identifying android library dependencies in the presence of code obfuscation and minimization | |
Bokolo et al. | Hybrid analysis based cross inspection framework for android malware detection | |
Khanmohammadi et al. | Hydroid: A hybrid approach for generating API Call traces from obfuscated android applications for mobile security | |
Shen et al. | Toward efficient dynamic analysis and testing for Android malware | |
A. Mawgoud et al. | A malware obfuscation AI technique to evade antivirus detection in counter forensic domain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
E701 | Decision to grant or registration of patent right | ||
GRNT | Written decision to grant | ||
FPAY | Annual fee payment |
Payment date: 20190624 Year of fee payment: 5 |