KR20160025881A - Apparatus and method for detecting malicious shared library file - Google Patents
- Publication number: KR20160025881A
- Authority
- KR
- South Korea
- Prior art keywords
- file
- function
- hash value
- malicious
- reference value
- Prior art date
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/565—Static detection by checking file integrity
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
Description
The present invention relates to an apparatus and method for diagnosing the maliciousness of a shared library file, and more particularly, to an apparatus and method for diagnosing whether a shared library file is malicious by using the function names declared in a classes.dex file.
Recently, as the number of mobile terminals such as smart phones equipped with Android platform is increasing, the Android application market is being activated.
Referring to FIG. 1, an Android package file (hereinafter referred to as an APK file) running on the Android platform will be described. The APK file includes a META-
Meanwhile, the number of malicious Android applications is rapidly increasing as the number of smartphone users on the Android platform increases. In addition to manipulating (modifying and producing) the AndroidManifest.xml file (10) or the classes.dex file (30), such malicious Android applications are also created by manipulating a shared library file.
Here, a shared library file is a file having the extension .so. Such a shared library file may contain anywhere from a few dozen to several hundred or thousands of functions. Hereinafter, these shared library files are referred to as 'so files'.
Whether an Android application contains a malicious (manipulated) so file can be determined by extracting the so file from the Android application and then diagnosing whether the so file is malicious. In addition, since the so file includes a number of functions, whether or not the so file is malicious can be determined by diagnosing whether a plurality of functions included in the so file are malicious.
Conventionally, one method for diagnosing whether a so file is malicious creates a signature for the plurality of functions included in the so file to be diagnosed and then compares it with the signatures of the functions included in known malicious so files, thereby diagnosing whether the file is malicious. To do this, signatures for the many functions included in malicious so files must be built into a database.
However, in this conventional method, the signature is generated mechanically. For example, if the so file contains multiple functions, a signature is created based on all of those functions. Such a method has the problem of wasting time and resources.
On the other hand, in order to minimize this waste of time and resources, a signature may be created by mechanically selecting some of the functions included in a so file, or by mechanically selecting specific areas within some of the functions. However, when the signature is generated mechanically by selecting some functions or specific areas in this way, it may be generated without including the frequently manipulated portions of the functions in the so file, so it may not be effective for diagnosing maliciousness.
An embodiment of the present invention aims to provide a method of generating a hash value by selecting, from among the plurality of functions included in a so file, the functions that are effective for malicious diagnosis, and of quickly and accurately diagnosing whether the so file is malicious based on the generated hash value.
It is to be understood that both the foregoing general description and the following detailed description of the present invention are exemplary and explanatory and are intended to provide further explanation of the invention as claimed.
According to an embodiment of the present invention, the shared library diagnostic apparatus includes: an input unit for receiving an APK (Android PacKage) file including a classes.dex file and a shared library file; a hash value generator for extracting, from among the at least one function included in the shared library file, a list of at least one native function declared in the classes.dex file, generating a first hash value for the shared library file based on the list, and generating a second hash value for the native function; a reference value storage unit for storing a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function included in each malicious shared library file; and a malignancy diagnosis unit for determining whether the first hash value matches the first reference value and, if they match, diagnosing whether the shared library file is malicious based on whether the second hash value matches the second reference value.
The hash value generation unit may generate the first hash value based on all or part of the function name of the native function, and the reference value storage unit may store the first reference value generated based on all or part of the function name of the at least one malicious function.
The hash value generation unit may generate the second hash value based on all or part of the function code included in each of the native functions, and the reference value storage unit may store the second reference value generated based on all or part of the function code included in each of the at least one malicious function.
The hash value generation unit may generate the first hash value based on a CRC (Cyclic Redundancy Check) of the function name of the native function, and the reference value storage unit may store the first reference value generated based on the CRC of the function name of the at least one malicious function.
The hash value generation unit may generate the second hash value based on a CRC of all or part of the OP (operation) code included in each of the native functions, and the reference value storage unit may store the second reference value generated based on the CRC of all or part of the OP code included in each of the at least one malicious function.
According to another embodiment of the present invention, a method of diagnosing a shared library file, performed by an apparatus including a hash value generation unit and a reference value storage unit that stores a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function included in each malicious shared library file, includes: (a) extracting, from among the at least one function included in a shared library file constituting an APK file, a list of the native functions declared in the classes.dex file constituting the APK file; (b) generating a first hash value based on the list; (c) determining whether the first hash value matches any one of the first reference values; (d) generating a second hash value for the native function according to the comparison result of step (c); and (e) diagnosing whether the shared library file is malicious based on whether the second hash value coincides with the second reference value.
In addition, the first reference value may be a hash value generated based on all or part of the function name of the at least one malicious function, and in step (b) the first hash value may be generated based on all or part of the function name of the native function.
Also, the second reference value may be a hash value generated based on all or part of the function code included in each of the at least one malicious function, and in step (d) the second hash value may be generated based on all or part of the function code included in each of the native functions.
In addition, the first reference value may be a hash value generated based on the CRC of all or part of the function name of the at least one malicious function, and in step (b) the first hash value may be generated based on the CRC of all or part of the function name of the native function.
In addition, the second reference value may be a hash value generated based on all or part of the OP code included in each of the at least one malicious function, and in step (d) the second hash value may be generated based on all or part of the OP code included in the native function.
According to another embodiment of the present invention, there is provided a computer-readable recording medium having recorded thereon a program including instructions for performing the respective steps of the method of diagnosing a shared library file.
According to the embodiment of the present invention, a hash value can be generated by selecting the functions effective for malicious diagnosis from among the plurality of functions included in a so file, based on the function name list declared in the dex file, so that whether the so file is malicious can be diagnosed quickly and accurately.
FIG. 1 is a tree structure diagram showing an example of an Android package (APK) file running on an Android platform.
FIG. 2 is a block diagram of a malicious file detection apparatus according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating a table of reference values stored in a reference value storage unit according to an embodiment of the present invention.
FIG. 4 is a flowchart illustrating a malicious so file diagnostic method according to an embodiment of the present invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The advantages and features of the present invention and the manner of achieving them will become apparent with reference to the embodiments described in detail below together with the accompanying drawings. The present invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art, and the invention is defined only by the scope of the claims. Like reference numerals refer to like elements throughout the specification.
In the following description of the present invention, a detailed description of known functions and configurations incorporated herein will be omitted when it may make the subject matter of the present invention rather unclear. The following terms are defined in consideration of the functions in the embodiments of the present invention, which may vary depending on the intention of the user, the intention or the custom of the operator. Therefore, the definition should be based on the contents throughout this specification.
Hereinafter, the classes.dex file and the so file included in the APK file will be described. In the following description, the classes.dex file will be referred to as a dex file.
The APK file may or may not include a so file. If the APK file contains a so file, the so file can be specified in the System.loadLibrary() function included in the dex file. In the embodiment of the present invention, the so file to be diagnosed as malicious is the one specified in System.loadLibrary(), but this does not preclude specifying the so file to be diagnosed in a different way.
Next, the dex file can declare some of the many functions contained in the so file, so the function names declared in this way can be extracted from the dex file. A so file can contain as few as dozens or as many as hundreds or thousands of functions, and a dex file declares only some of these. The functions declared by a dex file are often the ones that are modified (manipulated). Therefore, by analyzing only the functions declared by the dex file rather than all the functions included in the so file, it is possible to diagnose more effectively whether the so file is malicious.
Hereinafter, a function declared by the dex file will be referred to as a native function, and the list of function names of such native functions will be referred to as a 'function name list'.
FIG. 2 is a block diagram of a malicious file detection apparatus according to an embodiment of the present invention.
2, the malicious file diagnosis apparatus 100 includes an
First, the malicious file diagnosis apparatus 100 according to an embodiment of the present invention is a diagnostic apparatus for diagnosing the maliciousness of a file that can be installed or executed in a mobile operating system. For example, it can diagnose whether the so file (shared library file) included in an APK file is malicious. However, the present invention is not limited to this, and can be applied to diagnose the maliciousness of a shared library file in another operating system that corresponds to a so file in the Android operating system.
The
The hash
More specifically, the hash
If the APK file includes a so file, the hash
If the so file name for the so file to be diagnosed is extracted, the
The first hash value may be generated by calculating a CRC (Cyclic Redundancy Check) over the function name of at least one function described in the function name list. When a function name includes a plurality of characters or numbers, the CRC can be calculated over all or part of those characters or numbers.
For example, if the function names 'openGL' and 'mainStandby' are listed in the function name list, the first hash value may be generated by calculating a CRC over the partial names 'open' and 'main'. However, the method of calculating a CRC is a technique well known to those skilled in the art, so a detailed description will be omitted.
In the above description, the hash
Meanwhile, the hash
More specifically, for example, when a so file includes 100 functions and 10 of them are described in the function name list, the hash value generation unit 120 can select the OP code from the function code of those 10 functions and then input the selected OP code into a buffer of predetermined size to generate the OP code CRC. Either the entire selected OP code or only a part of it may be input to the buffer. However, the method of generating the OP code CRC itself is well known to those skilled in the art, so a detailed description will be omitted.
In the above description, the hash
The reference
More specifically, the reference
In this case, the first reference value stored in the reference
On the other hand, the principle of generating the first reference value is the same as the principle of generating the first hash value by the hash
If so files are selected based on the comparison result between the first reference value and the first hash value among the plurality of malicious so files stored in the reference
For example, if the so file to be diagnosed includes 100 functions and ten of the 100 functions are described in the function name list, the second reference value stored in the reference
FIG. 3 is a diagram illustrating a table of first reference values and second reference values for malicious so files stored in the reference
In FIG. 3, the
2, the
Specifically, the malicious
However, if the first hash value matches the first reference value, the
When the
As described above, according to the malicious file diagnosis apparatus 100 according to the embodiment of the present invention, among the plurality of so files stored in the reference
FIG. 4 is a flowchart illustrating a malicious application diagnostic method according to an embodiment of the present invention.
Referring to FIG. 4, the method for diagnosing a malicious so file by the malicious file detection apparatus 100 according to an embodiment of the present invention includes: analyzing an APK file to extract a dex file and a so file (S100); extracting, from the dex file, the so file name of the so file to be diagnosed (S200); extracting a function name list of the native functions included in the so file to be diagnosed, corresponding to the so file name extracted from the dex file (S300); comparing the first hash value with the first reference value stored in the reference value storage unit 140 (S500); when the first hash value matches the first reference value, generating a second hash value based on all or part of the function code of the functions described in the function name list (S600); comparing the second hash value with the second reference value stored in the reference value storage unit 140 (S700); and diagnosing, based on the comparison result, whether the so file is malicious (S800).
Hereinafter, a method for diagnosing a malicious so file by the malicious file diagnosis apparatus according to an embodiment of the present invention will be described in detail with reference to FIGS. 1 to 7.
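The staged diagnosis summarized above (a first hash over the native function names declared in the dex file, then a second hash over the op codes of those functions only when the first matches a stored reference) is worked through below as an added example written for this page; it is not the patent's own implementation. It uses CRC32 from Python's zlib as the CRC, takes the leading four characters of each name as the "part of the function name" (as in the 'open'/'main' illustration), and the library contents, the reference table and the so file name libevil.so are all constructed for the example.

```python
"""Two-stage CRC diagnosis of a shared library ("so") file, modelled on the
staged check described in this patent text: a first hash over the native
function names declared in the dex file and, only when that matches a
stored reference, a second hash over the op codes of those functions.

Added example for this page, not the patent's own code.  The CRC is
zlib's CRC32, the reference table and the library contents are
constructed, and the name prefix length is an assumption."""
import zlib

# Assumption: the "part of the function name" fed to the first hash is the
# leading NAME_PREFIX characters, matching the text's 'open' from 'openGL'
# and 'main' from 'mainStandby'.
NAME_PREFIX = 4


def first_hash(native_names):
    """First hash value: CRC32 over the partial names in the function name
    list.  Names are sorted so the value is independent of declaration order."""
    data = b"".join(n[:NAME_PREFIX].encode() for n in sorted(native_names))
    return zlib.crc32(data)


def second_hash(native_names, functions, buf_size=64):
    """Second hash value: CRC32 over the op code bytes of the native functions
    copied into a fixed-size buffer (the text allows all or part of the op
    code; here at most buf_size bytes in total are used)."""
    buf = bytearray()
    for n in sorted(native_names):
        buf += functions[n]
    return zlib.crc32(bytes(buf[:buf_size]))


# Constructed "malicious" sample used to populate the reference table.  The
# byte strings stand in for the op codes of the two manipulated functions.
MALICIOUS_NAMES = ["openGL", "mainStandby"]
MALICIOUS_CODE = {
    "openGL":      bytes.fromhex("55 48 89 e5 e8 00 00 00 00 c9 c3"),
    "mainStandby": bytes.fromhex("55 48 89 e5 0f 05 c9 c3"),
}

# Reference value storage unit: first reference value -> list of
# (malicious so file name, second reference value).  libevil.so is a
# constructed name.
REFERENCE = {
    first_hash(MALICIOUS_NAMES): [
        ("libevil.so", second_hash(MALICIOUS_NAMES, MALICIOUS_CODE)),
    ],
}


def diagnose(native_names, functions, reference=REFERENCE):
    """Return (verdict, stage_reached, matched_so_name).

    stage_reached is 1 when the first hash matched nothing (the op code hash
    is never computed) and 2 when the second hash was computed and compared."""
    h1 = first_hash(native_names)
    candidates = reference.get(h1)
    if candidates is None:
        return ("clean", 1, None)
    h2 = second_hash(native_names, functions)
    for so_name, ref2 in candidates:
        if h2 == ref2:
            return ("malicious", 2, so_name)
    return ("clean", 2, None)


if __name__ == "__main__":
    # A benign library whose declared names share the 'open'/'main' prefixes
    # with the malicious sample: stage 1 matches, stage 2 clears it.
    benign = {"openSSL": bytes.fromhex("90 90 c3"), "mainLoop": bytes.fromhex("c3")}
    print(diagnose(MALICIOUS_NAMES, MALICIOUS_CODE))
    print(diagnose(list(benign), benign))
```

The benign case in the `__main__` block is the one worth noticing: because the first hash is computed over partial names, a library declaring `openSSL` and `mainLoop` produces the same first hash as the malicious sample, and only the op code comparison of the second stage separates the two. The first hash is therefore a cheap filter for selecting candidate reference rows, not a verdict on its own, and since the reference table holds values derived from known malicious samples, the scheme detects known manipulations rather than novel ones.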
First, the
If the APK file includes a so file, the hash
When the so file name to be diagnosed is extracted, the hash
The hash
The malicious
However, if the first hash value matches the first reference value, the hash
Thereafter, the
Finally, the
In the above, we have examined how to diagnose whether a so file included in an APK file is malicious. When an APK file contains a plurality of so files, all or some of which are designated by the System.loadLibrary() function, the method for diagnosing whether a so file is malicious can be applied to all or some of the so files specified by the System.loadLibrary() function.
4, a step (not shown) for searching whether or not the extracted so file name matches the so file name stored in the reference
As described above, according to the embodiment of the present invention, a hash value can be generated by selecting a function effective for malicious diagnosis from among a plurality of functions included in a so file based on a function name list declared in a dex file. Based on the generated hash value, it is possible to diagnose maliciousness of so file quickly and accurately.
Each block of the accompanying block diagrams and each combination of steps of the flowchart may be performed by computer program instructions. These computer program instructions may be loaded into a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, so that the instructions executed by the processor create means for performing the functions described in each block or step. These computer program instructions may also be stored in a computer usable or computer readable memory capable of directing a computer or other programmable data processing apparatus to implement the functionality in a particular manner, so that the instructions stored in that memory produce an article of manufacture containing instruction means for performing the functions described in each block of the block diagram or each step of the flowchart. The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operating steps is performed on it to produce a computer-implemented process, so that the instructions executed on the computer or other programmable data processing apparatus provide the steps for executing the functions described in each block of the block diagram and each step of the flowchart.
Also, each block or each step may represent a module, segment, or portion of code that includes one or more executable instructions for executing the specified logical function (s). It should also be noted that in some alternative embodiments, the functions mentioned in the blocks or steps may occur out of order. For example, two blocks or steps shown in succession may in fact be performed substantially concurrently, or the blocks or steps may sometimes be performed in reverse order according to the corresponding function.
The foregoing description is merely illustrative of the technical idea of the present invention, and various changes and modifications may be made by those skilled in the art without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are intended to illustrate rather than limit the scope of the present invention, and the scope of the technical idea of the present invention is not limited by these embodiments. The scope of protection of the present invention should be construed according to the following claims, and all technical ideas within the scope of equivalents should be construed as falling within the scope of the present invention.
100: malicious so file diagnostic device
110: input unit
120: hash value generation unit
130: malignancy diagnosis unit
140: reference value storage unit
150: results
Claims (11)
a hash value generator for extracting, from the classes.dex file, a list of at least one native function declared in the classes.dex file among the at least one function included in the shared library file, generating a first hash value for the shared library file based on the list, and generating a second hash value for the native function;
a reference value storage unit for storing a first reference value for each of a plurality of malicious shared library files and a second reference value for at least one malicious function included in each malicious shared library file; and
a malignancy diagnosis unit for determining whether the first hash value coincides with any one of the first reference values and, if it does, diagnosing whether the shared library file is malicious based on whether the second hash value matches the second reference value,
Diagnostic device for shared library files.
wherein the hash value generation unit
generates the first hash value based on all or part of the function name of the native function, and
the reference value storage unit
stores the first reference value generated based on all or part of the function name of the at least one malicious function,
Diagnostic device for shared library files.
wherein the hash value generation unit
generates the second hash value based on all or part of the function code included in each of the native functions, and
the reference value storage unit
stores the second reference value generated based on all or part of the function code included in each of the at least one malicious function,
Diagnostic device for shared library files.
wherein the hash value generation unit
generates the first hash value based on a CRC (Cyclic Redundancy Check) of the function name of the native function, and
the reference value storage unit
stores the first reference value generated based on the CRC of the function name of the at least one malicious function,
Diagnostic device for shared library files.
wherein the hash value generation unit
generates the second hash value based on a CRC of all or part of the OP (OPeration) code included in each of the native functions, and
the reference value storage unit
stores the second reference value generated based on a CRC of all or part of the OP code included in each of the at least one malicious function,
Diagnostic device for shared library files.
(a) extracting a list of native functions declared in a classes.dex file constituting the APK file among at least one function included in a shared library file constituting an APK file;
(b) generating a first hash value based on the list;
(c) determining whether the first hash value matches any one of the first reference values;
(d) generating a second hash value for the native function according to the comparison result of step (c); and
(e) diagnosing whether the shared library file is malicious based on whether the second hash value coincides with the second reference value,
How to diagnose shared library files.
wherein the first reference value is
a hash value generated based on all or part of the function name of the at least one malicious function, and
in step (b) the first hash value
is generated based on all or part of the function name of the native function,
How to diagnose shared library files.
wherein the second reference value is
a hash value generated based on all or part of the function code included in each of the at least one malicious function, and
in step (d) the second hash value
is generated based on all or part of the function code included in each of the native functions,
How to diagnose shared library files.
wherein the first reference value is
a hash value generated based on a CRC of all or part of the function name of the at least one malicious function, and
in step (b) the first hash value
is generated based on the CRC of all or part of the function name of the native function,
How to diagnose shared library files.
wherein the second reference value is
a hash value generated based on all or part of the OP code included in each of the at least one malicious function, and
in step (d) the second hash value
is generated based on all or part of the OP code included in the native function,
How to diagnose shared library files.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020140113331A KR20160025881A (en) | 2014-08-28 | 2014-08-28 | Apparatus and method for detecting malicious shared library file |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020140113331A KR20160025881A (en) | 2014-08-28 | 2014-08-28 | Apparatus and method for detecting malicious shared library file |
Publications (1)
Publication Number | Publication Date |
---|---|
KR20160025881A (en) | 2016-03-09 |
Family
ID=55536382
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
KR1020140113331A KR20160025881A (en) | 2014-08-28 | 2014-08-28 | Apparatus and method for detecting malicious shared library file |
Country Status (1)
Country | Link |
---|---|
KR (1) | KR20160025881A (en) |
Events
- 2014-08-28 KR KR1020140113331A patent/KR20160025881A/en not_active Application Discontinuation
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR101161493B1 (en) | 2010-01-18 | 2012-06-29 | (주)쉬프트웍스 | Method of Examining Malicious Codes and Dangerous Files in Android Terminal Platform |
KR101130088B1 (en) | 2010-03-05 | 2012-03-28 | 주식회사 안철수연구소 | Malware detecting apparatus and its method, recording medium having computer program recorded |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107038045A (en) * | 2017-03-30 | 2017-08-11 | 腾讯科技(深圳)有限公司 | Load the method and device of library file |
CN107038045B (en) * | 2017-03-30 | 2022-10-14 | 腾讯科技(深圳)有限公司 | Method and device for loading library file |
KR20200060180A (en) * | 2018-11-21 | 2020-05-29 | 숭실대학교산학협력단 | Method of call graph extraction in android apps, recording medium and apparatus for performing the method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR101246623B1 (en) | Apparatus and method for detecting malicious applications | |
KR102044046B1 (en) | Telemetry file hash and conflict detection | |
EP1950663A1 (en) | A method for identifying unknown virus and deleting it | |
KR101582601B1 (en) | Method for detecting malignant code of android by activity string analysis | |
KR102006245B1 (en) | Method and system for identifying an open source software package based on binary files | |
KR102317833B1 (en) | method for machine LEARNING of MALWARE DETECTING MODEL AND METHOD FOR detecting Malware USING THE SAME | |
CN109766261B (en) | Coverage test method, coverage test device, computer equipment and storage medium | |
CN104217165B (en) | The processing method of file and device | |
KR20120071834A (en) | Automatic management system for group and mutant information of malicious code | |
CN111222137A (en) | Program classification model training method, program classification method and device | |
US20140298297A1 (en) | Automatic feature-driven testing and quality checking of applications | |
CN108733557B (en) | Test point generation method and device | |
JP2014021982A (en) | Iterative generation of symbolic test drivers for object-oriented languages | |
CN111913878A (en) | Program analysis result-based bytecode instrumentation method, device and storage medium | |
CN110135163B (en) | Security detection method, device and system based on target application | |
KR101579175B1 (en) | Apparatus and method for detection of repackaging | |
US8539598B2 (en) | Detection of customizations of application elements | |
KR20160025881A (en) | Apparatus and method for detecting malicious shared library file | |
CN109684205B (en) | System testing method, device, electronic equipment and storage medium | |
KR102415494B1 (en) | Emulation based security analysis method for embedded devices | |
CN113486359B (en) | Method and device for detecting software loopholes, electronic device and storage medium | |
KR101824699B1 (en) | Apparatus and method for analyzing android application, and computer-readable medium storing program for method thereof | |
CN108287788A (en) | A kind of use-case step matching method based on test case, system | |
CN111538481B (en) | Application program customization method and system | |
CN111143229A (en) | Software testing method and device, computer equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WITN | Withdrawal due to no request for examination |