KR20160025881A - Apparatus and method for detecting malicious shared library file - Google Patents

Apparatus and method for detecting malicious shared library file Download PDF

Info

Publication number
KR20160025881A
Authority
KR
South Korea
Prior art keywords
file
function
hash value
malicious
reference value
Prior art date
Application number
KR1020140113331A
Other languages
Korean (ko)
Inventor
이상철
강동현
박시준
Original Assignee
AhnLab, Inc. (주식회사 안랩)
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by AhnLab, Inc. (주식회사 안랩)
Priority to KR1020140113331A
Publication of KR20160025881A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/565 Static detection by checking file integrity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to an apparatus and a method for detecting a malicious .so (shared library) file. The apparatus includes: an input unit that receives an Android package (APK) file containing a classes.dex file and a shared library file; a hash value generating unit that extracts from the classes.dex file the list of native functions declared there (the subset of the shared library's functions that the dex file declares) and generates from that list a first hash value for the shared library file and a second hash value for the native functions; a reference value storing unit that stores, for each of multiple known-malicious shared library files, a first reference value, and a second reference value for at least one malicious function contained in that file; and a maliciousness detecting unit that determines whether the first hash value matches any of the first reference values and, only when it does, decides whether the shared library file is malicious according to whether the second hash value matches the corresponding second reference value.

Description

APPARATUS AND METHOD FOR DETECTING MALICIOUS SHARED LIBRARY FILE

The present invention relates to an apparatus and method for diagnosing whether a shared library file is malicious, and more particularly to an apparatus and method that diagnose a shared library (.so) file using the function names declared in the classes.dex file.

Recently, as the number of mobile devices such as smartphones running the Android platform has grown, the Android application market has grown with it.

Referring to FIG. 1, an Android package file (hereinafter referred to as an APK file) that runs on the Android platform is described. The APK file includes a META-INF folder 20 and a lib folder 40 in its root, and may also include an AndroidManifest.xml file 10, a classes.dex file 30, a resources.arsc file 50, and the like.

Meanwhile, the number of malicious Android applications is increasing rapidly along with the number of Android users. Besides manipulating (modifying or producing) the AndroidManifest.xml file 10 or the classes.dex file 30, one way of creating such a malicious application is to manipulate a shared library file.

Here, a shared library file is a file with the extension .so. Such a file may contain anywhere from a few dozen to several hundred or several thousand functions. Hereinafter these shared library files are referred to as "so files".

Whether an Android application contains a malicious (manipulated) so file can be determined by extracting the so file from the application and then diagnosing it. Since a so file contains many functions, this in turn can be done by diagnosing whether the functions it contains are malicious.

Conventionally, one method of diagnosing a so file generates a signature over the functions contained in the so file under test and compares it with the signatures of the functions of known-malicious so files, thereby deciding whether the file is malicious. To do this, a signature covering the many functions of each known-malicious so file must be built into a database.

However, in this conventional method the signature is generated mechanically. For example, if the so file contains many functions, the signature is built over all of them, which wastes time and resources.

To reduce that waste, some of the functions in the so file may be selected mechanically for the signature, or specific regions of some functions may be selected mechanically. But when functions or regions are chosen mechanically, the signature may leave out the parts of the functions that are manipulated most often, and so may not be effective for diagnosing maliciousness.

Korean Registered Patent No. 1161493, published on June 25, 2012. Korean Registered Patent No. 1130088, published on March 19, 2012.

An embodiment of the present invention aims to select, from the many functions contained in a so file, the functions that are effective for malicious diagnosis, to generate a hash value from them, and to diagnose quickly and accurately whether the so file is malicious on the basis of that hash value.

The objects of the present invention are not limited to those mentioned above; other objects not mentioned will be clearly understood by those skilled in the art from the following description.

According to an embodiment of the present invention, a shared library diagnostic apparatus includes: an input unit that receives an APK (Android PacKage) file containing a classes.dex file and a shared library file; a hash value generation unit that extracts from the classes.dex file the list of native functions declared there among the functions contained in the shared library file, and generates a first hash value for the shared library file and a second hash value for the native functions on the basis of that list; a reference value storage unit that holds a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function contained in each; and a maliciousness diagnosis unit that determines whether the first hash value matches a first reference value and, if it does, diagnoses whether the shared library file is malicious on the basis of whether the second hash value matches the second reference value.

The hash value generation unit may generate the first hash value from all or part of the function names of the native functions, and the reference value storage unit may store a first reference value generated from all or part of the function names of the at least one malicious function.

The hash value generation unit may generate the second hash value from all or part of the function code contained in each native function, and the reference value storage unit may store a second reference value generated from all or part of the function code contained in each of the at least one malicious function.

The hash value generation unit may generate the first hash value from a CRC (Cyclic Redundancy Check) of the function names of the native functions, and the reference value storage unit may store a first reference value generated from the CRC of the function names of the at least one malicious function.

The hash value generation unit may generate the second hash value from the CRC of all or part of the OP (operation) code contained in each native function, and the reference value storage unit may store a second reference value generated from the CRC of all or part of the OP code contained in each of the at least one malicious function.

According to another embodiment of the present invention, a shared library diagnostic method is performed by an apparatus comprising a hash value generation unit and a reference value storage unit that holds a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function contained in each. The method includes: (a) extracting, from the classes.dex file of an APK file, the list of native functions declared there among the functions contained in the shared library file of the same APK file; (b) generating a first hash value on the basis of the list; (c) comparing the first hash value with the first reference values; (d) generating, when step (c) finds a match, a second hash value for the native functions; and (e) diagnosing whether the shared library file is malicious according to whether the second hash value matches the second reference value.

In addition, the first reference value may be a hash value generated from all or part of the function names of the at least one malicious function, and in step (b) the first hash value may be generated from all or part of the function names of the native functions.

Also, the second reference value may be a hash value generated from all or part of the function code contained in each of the at least one malicious function, and in step (d) the second hash value may be generated from all or part of the function code contained in each native function.

In addition, the first reference value may be a hash value generated from the CRC of all or part of the function names of the at least one malicious function, and in step (b) the first hash value may be generated from the CRC of all or part of the function names of the native functions.

In addition, the second reference value may be a hash value generated from the CRC of all or part of the OP code contained in each of the at least one malicious function, and in step (d) the second hash value may be generated from the CRC of all or part of the OP code contained in each native function.

According to another embodiment of the present invention, a computer-readable recording medium has recorded thereon a program containing instructions for performing each step of the shared library diagnostic method.

According to the embodiments of the present invention, a hash value is generated from functions selected as effective for malicious diagnosis, chosen from the many functions in a so file on the basis of the function name list declared in the dex file, so that the so file can be diagnosed quickly and accurately.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a tree diagram showing an example of an Android package (APK) file running on the Android platform.
FIG. 2 is a block diagram of a malicious file diagnosis apparatus according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating a table of reference values stored in a reference value storage unit according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a method of diagnosing a malicious so file according to an embodiment of the present invention.

The advantages and features of the present invention, and the manner of achieving them, will become apparent from the embodiments described in detail below with reference to the accompanying drawings. The invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art, and the invention is defined only by the scope of the claims. Like reference numerals refer to like elements throughout the specification.

In the following description, detailed descriptions of known functions and configurations are omitted where they would obscure the subject matter of the present invention. The terms used below are defined with the functions of the embodiments in mind and may vary with the intention of the user or operator or with custom; their definitions should therefore be based on the content of this specification as a whole.

The classes.dex file and the so file contained in the APK file are described below. In the following description the classes.dex file is referred to as the dex file.

The APK file may or may not include a so file. If it does, the so file may be named in a System.loadLibrary() call contained in the dex file. In the embodiment of the present invention the so file to be diagnosed is the one specified by System.loadLibrary(), but this does not preclude identifying the so file to be diagnosed in another way.

Next, the dex file can declare some of the many functions contained in the so file, and the names of the functions declared in this way can be extracted from the dex file. A so file may contain from a few dozen to hundreds or thousands of functions, of which the dex file declares only some. The functions declared by the dex file are often the ones that get modified (manipulated). Therefore, analyzing only the functions declared by the dex file, rather than all the functions in the so file, diagnoses whether the so file is malicious more effectively.

Hereinafter, a function declared by the dex file is referred to as a native function, and the list of the function names of such native functions is referred to as the "function name list".

FIG. 2 is a block diagram of a malicious file diagnosis apparatus according to an embodiment of the present invention.

Referring to FIG. 2, the malicious file diagnosis apparatus 100 may include an input unit 110, a hash value generation unit 120, a maliciousness diagnosis unit 130, a reference value storage unit 140, and a result providing unit 150.

First, the malicious file diagnosis apparatus 100 according to an embodiment of the present invention diagnoses whether a file that can be installed or executed on a mobile operating system is malicious; for example, it can diagnose whether a so file (shared library file) contained in an APK file is malicious. The invention is not limited to this, however, and can be applied to diagnose a shared library file on another operating system that corresponds to a so file on the Android operating system.

The input unit 110 receives an APK file, which may be the file to be diagnosed. Alternatively, the input APK file may contain a so file that has already been diagnosed as malicious; in that case the hash values (described in detail below) of the so file contained in the input APK file are stored as reference values in the reference value storage unit 140.

The hash value generation unit 120 extracts the dex file and the so file from the APK file received as the diagnosis target, extracts from the dex file the function name list of the native functions, and generates a first hash value and a second hash value for the so file.

More specifically, the hash value generation unit 120 may extract the dex file and the so file from the input APK file. Extracting files from an APK file is a well-known technique, so a detailed description is omitted.

If the APK file does not include a so file, the hash value generation unit 120 performs no further analysis or generation. If the APK file does include a so file, the hash value generation unit 120 may determine from the dex file which so file is to be diagnosed. Specifically, the so file to be diagnosed may be the so file specified by, for example, the System.loadLibrary() function as described above.

Once the file name of the so file to be diagnosed is extracted, the hash value generation unit 120 can extract from the dex file the function name list of the native functions contained in that so file, and can generate a first hash value for the so file on the basis of the extracted function name list.

The first hash value may be generated by calculating a CRC (Cyclic Redundancy Check) over the function names of at least one function in the function name list; when a function name consists of several characters or digits, the CRC may be calculated over all of them or over only part of them.

For example, if the function name list contains the function names 'openGL' and 'mainStandby', the first hash value may be the CRC calculated over 'open' and 'main', the first four characters of each name. Calculating a CRC is well known to those skilled in the art, so a detailed description is omitted.

The above describes the hash value generation unit 120 generating the first hash value by calculating the CRC of all or part of the function names in the function name list, but this is only an example, and the way the first hash value is generated is not limited to it.
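The name-list stage described above, as an added example in Python (not code from the patent or from AhnLab): it takes a constructed list of native methods as a dex parser would report them (methods carrying the ACC_NATIVE flag), derives the function name list the patent hashes, and computes the first hash value as a CRC-32 over the full names or over a fixed-length prefix of each, as in the 'open' / 'main' example. The jni_symbol helper applies the standard JNI name mangling that maps a dex-declared native method to the symbol exported by the .so; it is included because the function code needed for the second hash has to be located by that exported name, and it assumes the library binds its natives by symbol name rather than through RegisterNatives in JNI_OnLoad. Sorting the names before hashing is this example's choice, not something the patent specifies.

```python
import zlib


def jni_symbol(class_name: str, method: str) -> str:
    """Exported .so symbol for a native method declared in the dex (basic JNI mangling).

    Rules applied: '_' -> '_1' first, then '.' and '/' -> '_'. Overloaded methods
    ('__' + mangled signature) and non-ASCII characters are not handled here.
    """
    def mangle(s: str) -> str:
        return s.replace("_", "_1").replace(".", "_").replace("/", "_")
    return "Java_" + mangle(class_name) + "_" + mangle(method)


def first_hash(function_names, prefix_len=None) -> int:
    """First hash value: CRC-32 over the names in the function name list.

    prefix_len=None hashes the full names; prefix_len=4 hashes 'open', 'main', ...
    Names are sorted so the value does not depend on declaration order (assumption).
    """
    parts = [n if prefix_len is None else n[:prefix_len] for n in sorted(function_names)]
    return zlib.crc32("".join(parts).encode()) & 0xFFFFFFFF


# Constructed sample: (class, method) of the native methods a dex parser found.
DEX_NATIVE_METHODS = [
    ("com.example.app.Engine", "openGL"),
    ("com.example.app.Engine", "mainStandby"),
]


def function_name_list(native_methods):
    # The list the patent hashes: the method names exactly as declared in the dex.
    return [method for _cls, method in native_methods]


def exported_symbols(native_methods):
    # The names to look up in the .so dynamic symbol table to find each function's code.
    return [jni_symbol(cls, method) for cls, method in native_methods]


if __name__ == "__main__":
    names = function_name_list(DEX_NATIVE_METHODS)
    print("function name list:", names)
    print("exported JNI symbols:", exported_symbols(DEX_NATIVE_METHODS))
    print("first hash (full names):   %08x" % first_hash(names))
    print("first hash ('open','main'): %08x" % first_hash(names, prefix_len=4))
```

The prefix variant widens the net at a cost: 'openGL' and 'openSSL' hash identically, so a prefix-based first reference value selects more candidate entries for the second stage, which then has to carry the discrimination on its own.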

Meanwhile, the hash value generation unit 120 may generate a second hash value for the functions in the function name list among the functions contained in the so file. The second hash value may be, for example, an OP (operation) code CRC calculated over all or part of the function code of those functions. Calculating the OP code CRC over the function code means calculating the CRC only over the OP codes, that is, the instruction codes when the function code is expressed in assembly language. Because the CRC is computed over the OP codes only, a variant of known malicious code that changes only operand values, not the instructions themselves, can still be identified as malicious.

More specifically, when a so file contains 100 functions and 10 of them are in the function name list, the hash value generation unit 120 may select the OP codes from the function code of those 10 functions and write them into a buffer of predetermined size to generate the OP code CRC. Either all of the selected OP codes or only part of them may be written to the buffer. The method of generating the OP code CRC itself is well known to those skilled in the art, so a detailed description is omitted.

The above describes the hash value generation unit 120 generating the second hash value by calculating the OP code CRC over all or part of the function code of the functions in the function name list. Since the second hash value is generated only for those functions, when the so file contains many functions the hash is calculated over only some of them, which reduces the cost of diagnosis. Moreover, since the functions selected are the native functions (functions declared in the dex file), which as described above are frequently manipulated, whether the file is malicious can be diagnosed more effectively.
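The opcode-only CRC described above, as an added example in Python (not from the patent): the disassembly is constructed by hand as (mnemonic, operands) pairs in the shape a disassembler such as capstone reports, since a real .so is out of scope here, and the mnemonics stand in for the OP codes. It contrasts the opcode-only hash, which survives an operand-only variant, with a hash over the whole instruction text, which does not, and shows the "part of the OP code" option by limiting how many instructions per function go into the buffer.

```python
import zlib

# Constructed disassembly of one native function (ARM-style mnemonics) as
# (mnemonic, operands) pairs, the way a disassembler would report them (assumption).
FUNC_V1 = [("push", "{r4, lr}"), ("movw", "r1, #1337"), ("bl", "#0x1a2c"),
           ("ldr", "r0, [r4]"), ("pop", "{r4, pc}")]
# Variant: only the immediate loaded into r1 differs (a port number, a string offset, ...).
FUNC_V2 = [("push", "{r4, lr}"), ("movw", "r1, #4444"), ("bl", "#0x1a2c"),
           ("ldr", "r0, [r4]"), ("pop", "{r4, pc}")]
# Different code: the call became a plain branch, so an instruction itself changed.
FUNC_OTHER = [("push", "{r4, lr}"), ("movw", "r1, #1337"), ("b", "#0x1a2c"),
              ("ldr", "r0, [r4]"), ("pop", "{r4, pc}")]


def opcode_crc(functions, max_insns=None) -> int:
    """Second hash value: CRC-32 over the OP codes (mnemonics) only.

    functions: the native functions, each a list of (mnemonic, operands).
    max_insns: if given, only the first max_insns instructions of each function
    are written to the buffer (the patent's 'part of the OP code').
    """
    buf = bytearray()
    for insns in functions:
        for mnemonic, _operands in insns[:max_insns]:
            buf += mnemonic.encode() + b"\0"   # separator so 'ld'+'r' != 'ldr'
    return zlib.crc32(bytes(buf)) & 0xFFFFFFFF


def full_crc(functions) -> int:
    """For comparison: CRC-32 over mnemonics and operands; any operand edit breaks it."""
    text = "".join(f"{m} {o}\n" for insns in functions for m, o in insns)
    return zlib.crc32(text.encode()) & 0xFFFFFFFF


if __name__ == "__main__":
    print("opcode CRC v1/v2:  %08x %08x" % (opcode_crc([FUNC_V1]), opcode_crc([FUNC_V2])))
    print("full CRC   v1/v2:  %08x %08x" % (full_crc([FUNC_V1]), full_crc([FUNC_V2])))
    print("opcode CRC other:  %08x" % opcode_crc([FUNC_OTHER]))
```

Hashing mnemonics alone also ignores register allocation, so it tolerates more than operand edits; conversely, an inserted nop or a reordered instruction breaks the match, and short prologue and epilogue sequences are shared by countless benign functions. That is one reason the patent gates this comparison behind the function-name stage instead of using it alone.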

The reference value storage unit 140 stores reference values for so files that have been diagnosed as malicious. A reference value provides the criterion for deciding whether the so file under diagnosis is malicious.

More specifically, the reference value storage unit 140 may provide a first reference value. The first reference value is compared with the first hash value and serves to select, from among the many malicious so files recorded in the reference value storage unit 140, the so file or files against which the so file under diagnosis is to be compared, as described later.

The first reference value stored in the reference value storage unit 140 may differ for each so file, but it may also be the same for several of them, in which case more than one so file is selected. When several so files are selected, the so file under diagnosis is compared with each of them and is diagnosed as malicious when it matches any one of them.

The first reference value is generated on the same principle as the first hash value generated by the hash value generation unit 120. That is, the dex file and so file are extracted from an APK file diagnosed as malicious, the function name list is extracted from the dex file, and the CRC calculated over all or part of the function names of at least one function in the list becomes the first reference value of that so file. Generating the first reference value in another way is not excluded.

When one or more so files have been selected from the malicious so files in the reference value storage unit 140 by comparing the first reference value with the first hash value, the reference value storage unit 140 also provides a second reference value for at least one function of each selected so file. The second reference value is used to diagnose the so file under test by comparing it with the second hash value generated for the functions of that so file.

For example, if the so file under diagnosis contains 100 functions, ten of them are in the function name list, and the second hash value generated for those ten functions is the same as the second reference value stored in the reference value storage unit 140, the so file can be diagnosed as malicious. The second reference value is generated on the same principle as the second hash value generated by the hash value generation unit 120, so its description is omitted.

FIG. 3 illustrates a table of first and second reference values for malicious so files stored in the reference value storage unit 140. Referring to the table 141 shown in FIG. 3, the reference value storage unit 140 may hold a first reference value 143 and a second reference value 144 for each of a plurality of malicious so files 142.

In FIG. 3 the first reference value 143 and the second reference value 144 are shown as 4-byte hexadecimal values, but this is merely an example, and values with a different number of bytes are not excluded.

Referring again to FIG. 2, the maliciousness diagnosis unit 130 compares the first and second hash values generated by the hash value generation unit 120 with the first and second reference values stored in the reference value storage unit 140 to diagnose whether the so file is malicious.

Specifically, the maliciousness diagnosis unit 130 selects one (or more) so files from those recorded in the reference value storage unit 140 by comparing the first hash value with the first reference values. If the first hash value matches none of the first reference values, the maliciousness diagnosis unit 130 may diagnose the file as not malicious.

If the first hash value does match a first reference value, the maliciousness diagnosis unit 130 compares the second hash value of the so file under diagnosis with the second reference value(s) of the so file(s) corresponding to that first reference value. If the second hash value matches any of those second reference values, the so file is diagnosed as malicious; if it matches none of them, the so file is diagnosed as not malicious.

When the maliciousness diagnosis unit 130 diagnoses the so file as malicious, the result providing unit 150 reports that the so file is malicious; otherwise it reports that the so file is not malicious.

As described above, the malicious file diagnosis apparatus 100 according to the embodiment selects one (or more) so files from the reference value storage unit 140 by comparing the first hash value with the first reference values, and then diagnoses whether the so file is malicious by comparing the second hash value with the second reference value.

FIG. 4 is a flowchart illustrating a method of diagnosing a malicious so file according to an embodiment of the present invention.

Referring to FIG. 4, the method by which the malicious file diagnosis apparatus 100 diagnoses a malicious so file includes: analyzing the APK file to extract the dex file and the so file (S100); extracting from the dex file the name of the so file to be diagnosed (S200); extracting from the dex file the function name list of the native functions contained in the so file with that name (S300); generating a first hash value from the function name list (S400); comparing the first hash value with the first reference value stored in the reference value storage unit 140 (S500); when they match, generating a second hash value from all or part of the function code of the functions in the function name list (S600); comparing the second hash value with the second reference value stored in the reference value storage unit 140 (S700); and diagnosing, on the basis of that comparison, whether the so file is malicious (S800).

Hereinafter, the method by which the malicious file diagnosis apparatus diagnoses a malicious so file according to an embodiment of the present invention is described in detail with reference to FIGS. 1 to 4.

First, the input unit 110 receives the APK file to be diagnosed, and the dex file and the so file are extracted from it (S100).

If the APK file includes a so file, the hash value generation unit 120 may determine from the dex file which so file is to be diagnosed; specifically, it may be the so file specified by the System.loadLibrary() function as described above (S200).

Once the name of the so file to be diagnosed is extracted, the hash value generation unit 120 can extract the function name list of the native functions from the dex file (S300). Here the function name list is the list of native functions belonging to the so file whose name was extracted.

The hash value generation unit 120 may generate a first hash value for the so file on the basis of the extracted function name list (S400). The first hash value may be generated, for example, by calculating a CRC over all or part of the function names of at least one function in the function name list.

The maliciousness diagnosis unit 130 determines whether the generated first hash value matches a first reference value stored in the reference value storage unit 140 (S500). If it matches none of them, the maliciousness diagnosis unit 130 may diagnose the so file as not malicious.

If the first hash value does match a first reference value, the hash value generation unit 120 generates a second hash value for the functions in the function name list (S600). The second hash value may be generated, for example, by calculating the OP code CRC over all or part of the function code of those functions. Because the CRC is calculated only over the OP codes, a variant of the malicious code that changes only operand values can also be judged malicious.

The maliciousness diagnosis unit 130 then compares the second hash value with the second reference value stored in the reference value storage unit 140 (S700). For example, when the function name list of the so file contains ten function names, it determines whether the second hash value for those ten functions is the same as the second reference value.

Finally, the maliciousness diagnosis unit 130 diagnoses whether the so file is malicious on the basis of the comparison result of step S700 (S800).

The above describes how to diagnose whether a so file contained in an APK file is malicious. When the APK file contains several so files and all or some of them are named in System.loadLibrary() calls, the method can be applied to all or some of the so files so specified.

In addition to the steps of FIG. 4, a step (not shown) of checking whether the extracted so file name matches a so file name stored in the reference value storage unit 140 may be performed after the so file name is extracted in S200; in that case, steps S300 onward are performed only when the extracted so file name is stored in the reference value storage unit 140.
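The complete two-stage decision of FIGS. 2 to 4, including the optional so-file-name check just described, as an added example in Python (not the patent's or AhnLab's code). The APK is represented by a constructed dictionary standing in for what a dex parser and an ELF disassembler would produce: the names passed to System.loadLibrary(), the native method names declared per library, and each native function's (mnemonic, operands) disassembly. The reference table is built from two constructed malicious samples in the shape of FIG. 3, deliberately sharing a first reference value so that the second stage has to decide between them. The hash helpers are compact restatements of the CRC steps the patent describes (sorting by name is this example's choice), and mapping System.loadLibrary("engine") to libengine.so is Android's standard naming.

```python
import zlib


def crc(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def first_hash(names) -> int:
    # Stage 1 value: CRC over the full native function names, in sorted order (assumption).
    return crc("".join(sorted(names)).encode())


def second_hash(funcs) -> int:
    # Stage 2 value: CRC over the mnemonics (OP codes) only, function by function in name order.
    return crc(b"".join(m.encode() + b"\0" for n in sorted(funcs) for m, _ in funcs[n]))


# Constructed view of an APK after extraction (what a dex/ELF parser would hand over):
#   libs:    names passed to System.loadLibrary(); "engine" means libengine.so
#   natives: native methods the dex declares, per library
#   code:    (mnemonic, operands) disassembly of each native function in the .so
SUSPECT_APK = {
    "libs": ["engine"],
    "natives": {"engine": ["openGL", "mainStandby"]},
    "code": {"engine": {
        "openGL":      [("push", "{lr}"), ("mov", "r0, #1"), ("pop", "{pc}")],
        "mainStandby": [("push", "{lr}"), ("bl", "#0x2000"), ("pop", "{pc}")],
    }},
}


def build_reference(samples):
    """Table in the shape of FIG. 3: first reference value -> [(so name, second reference value)]."""
    table = {}
    for so_name, funcs in samples:
        table.setdefault(first_hash(funcs.keys()), []).append((so_name, second_hash(funcs)))
    return table


# Constructed malicious samples. Both declare the same native names, so they share a
# first reference value; only the second reference value tells them apart.
REFERENCE = build_reference([
    ("libengine.so", {
        "openGL":      [("push", "{lr}"), ("mov", "r0, #1"), ("pop", "{pc}")],
        "mainStandby": [("push", "{lr}"), ("bl", "#0x1000"), ("pop", "{pc}")],  # only the call target differs
    }),
    ("libengine_v2.so", {
        "openGL":      [("push", "{lr}"), ("mov", "r0, #1"), ("pop", "{pc}")],
        "mainStandby": [("push", "{lr}"), ("mov", "r0, #0"), ("pop", "{pc}")],
    }),
])


def diagnose(apk, reference, prefilter_names=True):
    """Return {library: verdict}; verdict is 'clean' or 'malicious:<matching so name>'."""
    known = {so for entries in reference.values() for so, _ in entries}
    verdicts = {}
    for lib in apk["libs"]:                                    # S200: library named by System.loadLibrary
        if prefilter_names and f"lib{lib}.so" not in known:    # optional name check described after FIG. 4
            verdicts[lib] = "clean"
            continue
        names = apk["natives"].get(lib, [])                    # S300: function name list from the dex
        candidates = reference.get(first_hash(names), [])      # S400/S500: first hash vs first references
        if not candidates:
            verdicts[lib] = "clean"
            continue
        funcs = {n: apk["code"].get(lib, {}).get(n, []) for n in names}
        h2 = second_hash(funcs)                                # S600: opcode CRC of the listed functions
        hits = [so for so, ref2 in candidates if ref2 == h2]   # S700: compare with every selected entry
        verdicts[lib] = f"malicious:{hits[0]}" if hits else "clean"   # S800
    return verdicts


if __name__ == "__main__":
    print(diagnose(SUSPECT_APK, REFERENCE))
```

Note the ordering of the stages: the cheap name-list CRC narrows the reference table to a handful of candidates before any code is disassembled, and a library whose native names match nothing known is never hashed at the opcode level. The name pre-check is a further shortcut that only holds when attackers keep the file name of the sample in the table; a renamed library still reaches stage 1 when the pre-check is disabled.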

As described above, according to the embodiment of the present invention, a hash value can be generated by selecting a function effective for malicious diagnosis from among a plurality of functions included in a so file based on a function name list declared in a dex file. Based on the generated hash value, it is possible to diagnose maliciousness of so file quickly and accurately.

Each block of the accompanying block diagrams and each combination of steps in the flowchart may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, so that the instructions executed by the processor of the computer or other programmable data processing apparatus create means for performing the functions described in each block of the block diagram or each step of the flowchart. These computer program instructions may also be stored in a computer usable or computer readable memory that can direct a computer or other programmable data processing apparatus to implement the functionality in a particular manner, so that the instructions stored in the computer usable or computer readable memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operating steps is performed on the computer or other programmable data processing apparatus to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable data processing apparatus provide steps for performing the functions described in each block of the block diagram and each step of the flowchart.

Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function(s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of the order noted. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order, depending on the function involved.

The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.

100: malicious so file diagnostic device
110: input unit
120: hash value generation unit
130: malignancy diagnosis unit
140: reference value storage unit
150: Results

Claims (11)

1. An input unit for receiving an APK (Android PacKage) file including a classes.dex file and a shared library file;
a hash value generation unit for extracting from the classes.dex file a list of at least one native function declared in the classes.dex file among at least one function included in the shared library file, and for generating a first hash value for the shared library file and a second hash value for the native function;
a reference value storage unit for storing a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function included in the malicious shared library file; and
a malignancy diagnosis unit for determining whether or not the first hash value coincides with any one of the first reference values and, if it does, diagnosing whether the shared library file is malicious according to whether or not the second hash value matches the second reference value,
Diagnostic device for shared library files.
2. The device according to claim 1, wherein
the hash value generation unit
generates the first hash value based on all or part of the function name of the native function, and
the reference value storage unit
stores the first reference value generated based on all or part of the function name of the at least one malicious function,
Diagnostic device for shared library files.
3. The device according to claim 1, wherein
the hash value generation unit
generates the second hash value based on all or part of the function code included in each of the native functions, and
the reference value storage unit
stores the second reference value generated based on all or part of the function code included in each of the at least one malicious function,
Diagnostic device for shared library files.
4. The device according to claim 1, wherein
the hash value generation unit
generates the first hash value based on a CRC (Cyclic Redundancy Check) of the function name of the native function, and
the reference value storage unit
stores the first reference value generated based on the CRC of the function name of the at least one malicious function,
Diagnostic device for shared library files.
5. The device according to claim 1, wherein
the hash value generation unit
generates the second hash value based on a CRC of all or part of the OP (OPeration) codes included in each of the native functions, and
the reference value storage unit
stores the second reference value generated based on a CRC of all or part of the OP codes included in each of the at least one malicious function,
Diagnostic device for shared library files.
6. A method of diagnosing a shared library file using a diagnostic device comprising a hash value generation unit, a reference value storage unit storing a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function included in the malicious shared library file, and a malignancy diagnosis unit, the method comprising:
(a) extracting a list of native functions declared in a classes.dex file constituting an APK file, from among at least one function included in a shared library file constituting the APK file;
(b) generating a first hash value based on the list;
(c) determining whether the first hash value matches any one of the first reference values;
(d) generating a second hash value for the native function if a match is found in step (c); and
(e) diagnosing whether the shared library file is malicious based on whether the second hash value coincides with the second reference value,
Method of diagnosing shared library files.
7. The method according to claim 6, wherein
the first reference value is
a hash value generated based on all or part of the function name of the at least one malicious function, and
in step (b), the first hash value
is generated based on all or part of the function name of the native function,
Method of diagnosing shared library files.
8. The method according to claim 6, wherein
the second reference value is
a hash value generated based on all or part of the function code included in each of the at least one malicious function, and
in step (d), the second hash value
is generated based on all or part of the function code included in each of the native functions,
Method of diagnosing shared library files.
9. The method according to claim 6, wherein
the first reference value is
a hash value generated based on a CRC of all or part of the function name of the at least one malicious function, and
in step (b), the first hash value
is generated based on the CRC of all or part of the function name of the native function,
Method of diagnosing shared library files.
10. The method according to claim 6, wherein
the second reference value is
a hash value generated based on all or part of the OP codes included in each of the at least one malicious function, and
in step (d), the second hash value
is generated based on all or part of the OP codes included in the native function,
Method of diagnosing shared library files.
11. A computer-readable recording medium having recorded thereon instructions for performing the respective steps according to a diagnostic method of the shared library file according to any one of claims 6 to 10.
KR1020140113331A 2014-08-28 2014-08-28 Apparatus and method for detecting malicious shared library file KR20160025881A (en)


Publications (1)

Publication Number Publication Date
KR20160025881A true KR20160025881A (en) 2016-03-09



Legal Events

Date Code Title Description
WITN Withdrawal due to no request for examination