WO2020019484A1 - Simulator recognition method, recognition device, and computer readable medium - Google Patents


Info

Publication number
WO2020019484A1
Authority
WO
WIPO (PCT)
Prior art keywords
preset
terminal
simulator
target
device information
Application number
PCT/CN2018/107747
Inventor
李骁
董晓琼
胡定耀
王智浩
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00: Arrangements for program control, e.g. control units
    • G06F9/06: Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44: Arrangements for executing specific programs
    • G06F9/455: Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504: Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508: Runtime interpretation or emulation, e.g. emulator loops, bytecode interpretation
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227: Filtering policies
    • H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101: Access control lists [ACL]

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a simulator identification method, an identification device, and a computer-readable medium.
  • The Android emulator is an application that can simulate the operating environment of the Android system on various platforms such as Windows and Linux. Users can run Android applications on the Android emulator on a terminal such as a personal computer. Certain services that use Android applications, such as those requiring risk monitoring, should not be run on a simulator, so it is necessary to identify whether the terminal is running in the Android simulator environment. At present, risk recognition devices have limited ability to recognize the Android simulator and cannot effectively identify whether the terminal is running in the simulator environment.
  • the application provides a simulator recognition method, a recognition device and a computer-readable medium, which are helpful to improve the accuracy of the simulator recognition.
  • the present application provides a simulator identification method, including:
  • the device information includes any one or more of: information about the model of the target terminal, the manufacturer ID of the central processing unit (CPU), a memory space value, a first number of installed applications, a second number of stored files, the network system used, operating status, and router information of the connected Wi-Fi hotspot;
  • the identification rule is determined based on the device information of the terminal running in the simulator environment in the historical record;
  • a preset weight and a weight threshold of the target recognition rule identify whether the target terminal is running in a simulator environment.
  • the present application provides an identification device including a unit for performing the method of the first aspect.
  • the present application provides another identification device, including a processor, a user interface, a communication interface, and a memory, which are connected to each other, where the memory is used for storing a computer program that supports the identification device in executing the method; the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
  • the present application provides a computer-readable storage medium, where the computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the method of the first aspect described above.
  • By acquiring the device information of the terminal, the present application can determine which of the preset simulator identification rules the device information of the target terminal hits, and then identify whether the target terminal is running in the simulator environment according to the preset weight of the hit simulator identification rule and the preset weight threshold. Simulator recognition is thus implemented by combining multiple simulator recognition rules, which helps to improve the accuracy of simulator recognition.
  • FIG. 1 is a schematic flowchart of a simulator recognition method according to an embodiment of the present application
  • FIG. 2 is a schematic flowchart of another simulator recognition method according to an embodiment of the present application.
  • FIG. 3 is a schematic flowchart of another simulator identification method according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of an identification device according to an embodiment of the present application.
  • FIG. 5 is a schematic structural diagram of another identification device according to an embodiment of the present application.
  • The technical solution of the present application can be applied to an identification device, which can include various terminals, servers, or risk identification products (devices) connected to the terminal, etc. It is used for identifying simulator behavior in the terminal (referred to as "simulator recognition"), that is, identifying whether the terminal (or an application in the terminal, such as an application embedding the SDK) is running in the simulator environment, also described as identifying whether the terminal is logged in using the simulator.
  • the simulator may refer to an Android simulator or another simulator.
  • the terminals involved in this application may be mobile phones, computers, tablets, personal computers, smart watches, etc., and this application is not limited.
  • Multiple emulator recognition rules can be set and various device information of the terminal can be obtained, such as connected Wi-Fi hotspot information, model information, CPU manufacturer information, module configuration information, memory space information, the number of installed applications, the number of stored files, the network system used, system file abnormal information, running status, and other information. Based on the simulator identification rules hit by the various device information, multiple simulator recognition rules are combined for simulator recognition, which can improve the accuracy of simulator recognition. The details are described below.
  • FIG. 1 is a schematic flowchart of a simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 1, the simulator recognition method may include the following steps:
  • The target terminal may be any terminal on which simulator identification needs to be performed, such as a terminal connected to a risk identification product, a terminal in a specific risk control scenario, or a terminal for which simulator identification has been triggered (such as by a preset button, a gesture, or another preset triggering method), etc., which is not limited in this application.
  • the risk control scenario may include a login scenario, a transaction scenario, an APP discount domain scenario, and so on.
  • The acquired device information may include any one or more of: information about the model of the target terminal, the manufacturer's identification of the CPU, the value of the memory space, the first number of installed applications, the second number of stored files, the network standard used, the module configuration information, operating status, and router information of the connected wireless fidelity (Wi-Fi) hotspot.
  • the model information may include the model and/or brand of the target terminal.
  • the module configuration information includes whether a preset module such as a Bluetooth module, temperature sensor, light sensor, etc. is configured.
  • the router information may include the router name and/or MAC address, and so on.
  • the plurality of simulator recognition rules may be determined according to device information of a terminal running in the simulator environment in a historical record, so as to improve the efficiency and reliability of simulator recognition.
  • the plurality of simulator recognition rules may include at least two of the following:
  • Rule 1: The name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in the preset first blacklist;
  • Rule 2: The MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is in a MAC address set in the preset second blacklist;
  • Detecting whether a MAC address is in a preset MAC address set can also be referred to as detecting whether the MAC address is the same as a MAC address in the MAC address set; accordingly, a MAC address being in the MAC address set can mean that the MAC address is the same as any MAC address in the MAC address set.
  • Rule 3: The model of the terminal to be identified is the same as any terminal model in the preset third blacklist;
  • Rule 4: The brand of the terminal to be identified is the same as any terminal brand in the preset fourth blacklist;
  • The device information included in the above blacklists may be device information corresponding to the terminals identified as simulators in the historical data (that is, identified as running in the simulator environment), such as the top L most frequently counted items of device information (router name, MAC address, model or brand, etc.), where L is an integer greater than 0, such as 8, or statistics
  • The first blacklist includes the names counted more frequently among the names of routers connected to the terminals identified as simulators in the historical data, such as the top M most frequently counted names (M is an integer greater than 0, such as 10), or names whose count is greater than a preset number threshold (first threshold);
  • The second blacklist includes the MAC addresses counted more frequently among the MAC addresses of routers connected to the terminals identified as simulators in the historical data, or a MAC address set composed of those MAC addresses, such as the top N most frequently counted MAC addresses (N is an integer greater than 0, such as 50), or MAC addresses whose count is greater than a preset number threshold (second threshold), or a MAC address set determined by these MAC addresses, etc., which is not limited in this application.
  • the first threshold and the second threshold can be preset.
  • the white list may include the identifications of one or more legal CPU manufacturers.
  • the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor;
  • the preset module may be a module that is not configured in the terminal identified as the simulator according to historical data statistics, such as a Bluetooth module, a temperature sensor, and a light sensor. Therefore, if it is recognized that the terminal is not configured with the preset module, it may be an emulator.
  • Rule 7: The memory space value of the terminal to be identified is less than a preset memory threshold;
  • Rule 8: The first number of applications installed on the terminal to be identified is less than a preset first number threshold;
  • Rule 9: The second number of files stored by the terminal to be identified is less than a preset second number threshold;
  • the first number threshold and the second number threshold can be preset.
  • Rule 10: The network standard used by the terminal to be identified is different from all the network standards in the preset network standard list;
  • The identification device may determine which network standards are normal in combination with the target area where the terminal to be identified, such as the target terminal, is located. For example, different areas and their corresponding network standard lists can be pre-configured, so that the network standard list corresponding to the target area can be determined; the network standards in that list are the normal network standards of the target area. If it is detected that the network standard used by the target terminal is not a network standard in its corresponding network standard list, the target terminal may be running in the simulator environment, because the simulator may tamper with the network standard information.
  • Rule 11: A system file with a preset path and name exists in the system of the terminal to be identified;
  • The abnormal system files can include system files with the following paths and names: /dev/qemu_pipe, /dev/socket/qemud, /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /proc/tty/drivers/goldfish, and more.
  • Rule 12: The running state of the terminal to be identified is the root state. If it is detected that the target terminal is in the Android root state, it may be an emulator.
  • Device information hitting a simulator recognition rule may also be described as the device information meeting the simulator recognition rule, conforming to the simulator recognition rule, etc.
  • The terminal to be identified is a terminal on which simulator identification needs to be performed by determining the simulator identification rules that its device information hits, such as the target terminal described above.
  • The weights of the multiple simulator recognition rules can be set in advance, for example, by risk control personnel based on experience, or according to the frequency or number of times that terminals identified as simulators hit each simulator recognition rule in the historical record, and so on.
  • the method for setting or determining the weight of the simulator recognition rule is not limited in this application.
  • the present application can preset multiple simulator recognition rules.
  • it can obtain device information of the terminal and detect whether the device information matches the multiple simulator recognition rules.
  • the weight of the hit simulator recognition rule and a preset weight threshold are used for simulator recognition. For example, when the weight of the hit simulator recognition rule is greater than the weight threshold, it is determined that the terminal is running in the simulator environment. Further, if the device information of the target terminal does not hit any simulator recognition rule, it can be determined that the target terminal is not running in the simulator environment.
  • the preset multiple simulator recognition rules are the above-mentioned rules 1, 2, and 3, the preset rule 1 has a weight of 0.7, the rule 2 has a weight of 0.7, and the rule 3 has a weight of
  • the weighted threshold is 0.5
  • the obtained device information includes the name and MAC address of the router of the Wi-Fi hotspot connected to the target terminal, and the model of the target terminal.
  • The identification device can detect whether the router name in the device information is the same as a router name in the first blacklist, whether the MAC address in the device information is in the MAC address set in the second blacklist, and whether the model in the device information is the same as any terminal model in the third blacklist.
  • If the identification device detects that the name of the router is the same as the name of any router in the first blacklist, it determines that rule 1 is hit; if the identification device detects that the MAC address is in any MAC address set in the second blacklist, it determines that rule 2 is hit; if the identification device detects that the model is the same as any terminal model in the third blacklist, it determines that rule 3 is hit. Assuming that the identification device determines that the device information of the target terminal hits rule 2 and misses rules 1 and 3, then because the weight 0.7 corresponding to rule 2 is greater than the weight threshold 0.6, it can be determined that the target terminal is running in the simulator environment.
  • By acquiring the device information of the terminal, the recognition device can determine which of the preset simulator recognition rules the device information of the target terminal hits, and then identify whether the target terminal is running in the simulator environment according to the preset weight of the hit simulator recognition rule and the preset weight threshold. Simulator recognition is thus implemented by combining multiple simulator recognition rules, which helps to improve the accuracy of simulator recognition.
  • FIG. 2 is a schematic flowchart of another simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 2, the simulator recognition method may include the following steps:
  • the device information of the terminal running in the simulator environment in the historical record is respectively matched with the hit information of the plurality of simulator recognition rules, and the hit information includes a hit frequency and/or a hit number.
  • The weight corresponding to each simulator recognition rule may be directly proportional to the hit frequency corresponding to the simulator recognition rule, and/or the weight corresponding to each simulator recognition rule may be directly proportional to the number of hits corresponding to the simulator recognition rule.
  • This application can perform big data analysis on the historical data of terminals identified as running in the simulator environment, including the simulator rules they hit, and flexibly set the weights of the simulator recognition rules according to the frequency and/or number of times that the historical data hits the above rules. For example, the higher the hit frequency of a rule, the greater the weight set for the rule; the higher the number of hits of a rule, the greater the weight set for the rule, and so on.
  • A mapping relationship between the hit frequency (and/or the number of hits) and the weight may be established in advance, or mapping relationships between the hit frequency (and/or the number of hits) and an importance level, and between the importance level and the weight, may be established in advance, and so on.
  • The identification device may determine the corresponding weight according to the hit frequency and/or the number of hits of each simulator recognition rule. Further optionally, a new hit frequency and/or hit number of each simulator recognition rule in a recent preset time period may be counted at a preset time interval, and the weight of each rule may then be updated according to the new hit frequency and/or hit number, to further improve the accuracy of the simulator recognition.
  • The recognition device may also set or select the multiple simulator recognition rules used for simulator recognition (that is, the above multiple simulator recognition rules) according to the hit frequency and/or the number of hits. For example, the top L rules with the highest hit frequency or number of hits (L is an integer greater than 0, such as 6) are used as the multiple simulator recognition rules, or the rules whose hit frequency within a preset time period is higher than a preset frequency threshold are used as the multiple simulator recognition rules, or the rules whose number of hits within a preset time period is higher than a preset number of times are used as the multiple simulator recognition rules, etc., which are not listed here one by one. Therefore, the flexibility and reliability of setting the simulator rules are improved, and the recognition efficiency can be improved.
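The blacklist construction (top-M values or values above a count threshold), the hit-frequency weighting and the top-L rule selection described above can be sketched as follows. This is an added example, not code from the patent: the record layout, the function names, the `max_weight` scale factor and the `HISTORY` records are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed history of terminals already confirmed as emulators.
# "hit_rules" holds the rule numbers (as on this page) that each record hit.
HISTORY = [
    {"seen_at": datetime(2024, 1, 5), "ssid": "lab-ssid-a", "hit_rules": {1, 11}},
    {"seen_at": datetime(2024, 1, 20), "ssid": "lab-ssid-a", "hit_rules": {1, 11, 12}},
    {"seen_at": datetime(2024, 2, 10), "ssid": "lab-ssid-b", "hit_rules": {11}},
    {"seen_at": datetime(2024, 2, 15), "ssid": "lab-ssid-a", "hit_rules": {1, 11}},
    {"seen_at": datetime(2024, 2, 20), "ssid": "lab-ssid-c", "hit_rules": {11, 12}},
]


def build_blacklist(records, field, top_m=None, min_count=None):
    """Return blacklist candidates for one device-information field.

    Either the top_m most frequently counted values, or every value whose
    count is greater than min_count (the preset number threshold).
    """
    counts = Counter(r[field] for r in records if r.get(field))
    if min_count is not None:
        return {value for value, n in counts.items() if n > min_count}
    return {value for value, _ in counts.most_common(top_m)}


def _recent(records, since):
    """Keep only records inside the recent preset time period, if one is given."""
    return [r for r in records if since is None or r["seen_at"] >= since]


def weights_from_history(records, rule_ids, max_weight=0.4, since=None):
    """Weight each rule in direct proportion to its hit frequency.

    frequency = records hitting the rule / records considered;
    weight = max_weight * frequency (max_weight is an assumed scale factor).
    """
    recent = _recent(records, since)
    if not recent:  # no data in the window: no rule carries weight
        return {rule_id: 0.0 for rule_id in rule_ids}
    hit_counts = Counter(rule for r in recent for rule in r["hit_rules"])
    return {
        rule_id: round(max_weight * hit_counts[rule_id] / len(recent), 3)
        for rule_id in rule_ids
    }


def select_rules(records, top_l, since=None):
    """Pick the top_l rules with the highest number of hits."""
    hit_counts = Counter(rule for r in _recent(records, since) for rule in r["hit_rules"])
    return [rule_id for rule_id, _ in hit_counts.most_common(top_l)]


if __name__ == "__main__":
    print(build_blacklist(HISTORY, "ssid", top_m=1))
    print(weights_from_history(HISTORY, [1, 11, 12]))
    print(weights_from_history(HISTORY, [1, 11, 12], since=datetime(2024, 2, 1)))
    print(select_rules(HISTORY, top_l=2))
```

Re-running `weights_from_history` with a moving `since` value at a fixed interval gives the periodic weight update the text describes.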
  • The identifying device may obtain multiple items of device information of the target terminal. For example, the device information may include one or more of the following: router information of the connected Wi-Fi hotspot (including the router name (or Wi-Fi name), such as the Wi-Fi Service Set Identifier (SSID), the router MAC address (or Wi-Fi MAC address), such as the Wi-Fi Basic Service Set Identifier (BSSID), etc.), model information (model and/or brand), CPU manufacturer information, Bluetooth information, sensor information, user trace information such as the memory space value, the network system used, Android status (also called operating status, such as whether the terminal is in the root state), system file exception information (such as whether there are system files with a preset path and name), the number of installed applications, the number of stored files, the package name of the connected app, the version number of the connected app, the SDK version number, operating system type, operating system version, device unique identification code (UDID), whether it has been jailbroken (such as 1 for jailbroken, 0 for jailbroken
  • the recognition device may perform simulator recognition by acquiring multiple pieces of device information to improve the reliability of recognition.
  • According to the preset simulator recognition rules, the recognition device may use only the part of the obtained device information that corresponds to those rules for simulator recognition; that is, more items of device information are acquired than actually need to be used. This makes it impossible for malicious actors to determine which information is used for simulator identification, and helps prevent them from tampering with the related device information after learning a certain identification rule, which would make it impossible to identify the simulator in time. In other words, it prevents the identification rules from being cracked and improves the reliability of the simulator identification.
  • the plurality of simulator identification rules may be determined according to device information of a terminal running in the simulator environment in a historical record, and details are not described herein.
  • the recognition device may determine whether the obtained device information hits a plurality of simulator recognition rules set in advance, determine the weight of each rule according to the result of the hit, and identify whether it is a simulator according to the weight of each rule.
  • If a rule is hit, its weight is taken as its preset weight; if a rule is missed, its weight is taken as 0. That is, only the weights of the simulator recognition rules that are hit, namely the target recognition rules, are counted.
  • a threshold may be set in advance, and if the sum of the weights of the target recognition rules that are cumulatively hit exceeds the threshold, it may be identified as a simulator, that is, the target terminal is determined to be running in a simulator environment.
  • The preset multiple simulator recognition rules are the aforementioned rules 1-12; the preset rules 1 and 2 each have a weight of 0.4, rules 3 and 4 have a weight of 0.35, the weight of rule 5 is 0.3, the weights of rules 6, 7, 8, 9, 10 are 0.25, the weight of rule 11 is 0.2, the weight of rule 12 is 0.1, and the preset weight threshold is 1.
  • The obtained device information includes the name and MAC address of the Wi-Fi hotspot router connected to the target terminal, the model and brand of the target terminal, the CPU manufacturer's identification, module configuration information, memory space value, the first number of installed applications, the second number of stored files, the network system used, operating status, and other information.
  • The identification device can detect whether the router name in the device information is the same as a router name in the first blacklist; whether the MAC address in the device information is in the MAC address set in the second blacklist; whether the model in the device information is the same as any terminal model in the third blacklist; whether the brand in the device information is the same as any terminal brand in the fourth blacklist; whether the manufacturer identification of the CPU in the device information is different from all the manufacturer identifications in the whitelist; whether the module configuration information in the device information indicates that the target terminal is configured with a preset module; whether the memory space value in the device information is less than the preset memory threshold; whether the first number of installed applications in the device information is less than the first number threshold; whether the second number of files stored in the device information is less than a preset second number threshold; whether the network standard used in the device information is different from all the network standards in the preset network standard list; whether the system file information in the device information indicates that a system file with a preset path and name exists; and whether the running status in the device information is root. If the identification device detects that the name of the router is the same as the name of any router in the first blacklist, it determines that rule 1 is hit; if the identification device detects that the MAC address is in any MAC address set in the second blacklist, it determines that rule 2 is hit; if the identification device detects that the model is the same as any terminal model in the third blacklist, it determines that rule 3 is hit, and so on, which will not be repeated here.
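The weighted decision walked through above, using the page's weights for rules 1-12 and its threshold of 1, can be sketched as follows. This is an added example, not code from the patent: the blacklist and whitelist contents, the numeric thresholds, the field names and the sample terminals are constructed, and because the statements of rules 5 and 6 are not reproduced on this page, their conditions are inferred from the checks listed in the walk-through (rule 6 is assumed to hit when none of the preset modules is present).

```python
# Constructed placeholder lists and thresholds; a deployment derives them from history.
SSID_BLACKLIST = {"example-emulator-ssid"}      # first blacklist (rule 1)
BSSID_BLACKLIST = {"02:00:00:aa:bb:01"}         # second blacklist (rule 2)
MODEL_BLACKLIST = {"example-emulator-model"}    # third blacklist (rule 3)
BRAND_BLACKLIST = {"example-emulator-brand"}    # fourth blacklist (rule 4)
CPU_VENDOR_WHITELIST = {"example-vendor-a"}     # legal CPU manufacturers (rule 5)
PRESET_MODULES = {"bluetooth", "temperature_sensor", "light_sensor"}
NETWORK_STANDARDS = {"GSM", "WCDMA", "LTE"}     # assumed list for one target area
MEMORY_THRESHOLD_MB = 1024
APP_COUNT_THRESHOLD = 5
FILE_COUNT_THRESHOLD = 20
# Paths and names listed on the page for rule 11.
QEMU_FILES = {
    "/dev/qemu_pipe",
    "/dev/socket/qemud",
    "/system/lib/libc_malloc_debug_qemu.so",
    "/sys/qemu_trace",
    "/proc/tty/drivers/goldfish",
}
WEIGHT_THRESHOLD = 1.0  # preset weight threshold from the page's example

# rule number -> (preset weight from the page, device-info field, hit predicate)
RULES = {
    1: (0.4, "ssid", lambda v: v in SSID_BLACKLIST),
    2: (0.4, "bssid", lambda v: v.lower() in BSSID_BLACKLIST),
    3: (0.35, "model", lambda v: v in MODEL_BLACKLIST),
    4: (0.35, "brand", lambda v: v in BRAND_BLACKLIST),
    5: (0.3, "cpu_vendor", lambda v: v not in CPU_VENDOR_WHITELIST),
    6: (0.25, "modules", lambda v: not PRESET_MODULES & set(v)),
    7: (0.25, "memory_mb", lambda v: v < MEMORY_THRESHOLD_MB),
    8: (0.25, "app_count", lambda v: v < APP_COUNT_THRESHOLD),
    9: (0.25, "file_count", lambda v: v < FILE_COUNT_THRESHOLD),
    10: (0.25, "network_standard", lambda v: v not in NETWORK_STANDARDS),
    11: (0.2, "files_present", lambda v: bool(QEMU_FILES & set(v))),
    12: (0.1, "rooted", lambda v: v is True),
}


def evaluate(device_info):
    """Return the hit rules, their summed weight, and the emulator verdict."""
    hits = []
    for rule_id, (_weight, field, is_hit) in RULES.items():
        value = device_info.get(field)
        # A field that was not collected cannot hit its rule (weight 0).
        if value is not None and is_hit(value):
            hits.append(rule_id)
    # Round so float error cannot push an exact-threshold sum over the threshold.
    score = round(sum(RULES[rule_id][0] for rule_id in hits), 6)
    return {"hits": hits, "score": score, "emulator": score > WEIGHT_THRESHOLD}


# Constructed sample terminals.
EMULATOR_SAMPLE = {
    "ssid": "example-emulator-ssid", "bssid": "02:00:00:AA:BB:01",
    "files_present": ["/dev/qemu_pipe"], "rooted": True,
}
BORDERLINE_SAMPLE = dict(EMULATOR_SAMPLE, rooted=False)  # sums to exactly 1.0
PHONE_SAMPLE = {
    "ssid": "home-wifi", "cpu_vendor": "example-vendor-a",
    "modules": ["bluetooth", "light_sensor"], "memory_mb": 8192,
    "app_count": 80, "file_count": 5000, "network_standard": "LTE",
    "files_present": [], "rooted": True,
}

if __name__ == "__main__":
    for name, sample in [("emulator", EMULATOR_SAMPLE),
                         ("borderline", BORDERLINE_SAMPLE),
                         ("phone", PHONE_SAMPLE)]:
        print(name, evaluate(sample))
```

The borderline sample shows why the comparison matters: a sum equal to the threshold does not exceed it, so that terminal is not classified as an emulator.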
  • The recognition device can generate various simulator recognition rules according to the common characteristics of various types of simulators, and can set a weight for each simulator recognition rule based on the hit frequency and/or number of hits with which the device information of terminals running in the simulator environment in the historical record hits the multiple simulator recognition rules. By collecting multiple items of device information of the target terminal, the simulator recognition rules hit by the device information can be determined, and whether the target terminal is running in the simulator environment can then be determined according to the sum of the weights of each simulator recognition rule and the preset weight threshold. This improves the flexibility and reliability of the weight setting of the simulator rules, and combines multiple simulator recognition rules to perform simulator recognition, which improves the accuracy of simulator recognition.
  • FIG. 3 is a schematic flowchart of another simulator identification method according to an embodiment of the present application. Specifically, as shown in FIG. 3, the simulator recognition method may include the following steps:
  • the recognition device can also detect whether the device information used for simulator recognition has been tampered with to ensure that the simulator recognition is based on the real device information.
  • the device information for detecting whether the tampering has been performed may be only the device information corresponding to the plurality of simulator recognition rules, so as to reduce the device overhead.
  • the identification device can identify the tampering behavior by detecting whether a function corresponding to the device information is hooked.
  • the flag value can be used to mark the state of the objective function.
  • the state can refer to a state that has been tampered with, or can refer to a read-write state, a blocking and non-blocking state, an exit process or program state, and/or a state of changing the content of a file, etc., so that whether the objective function is hooked can be determined according to the flag value.
  • Each function has a corresponding flag.
  • the flag is a variable. When a function is hooked, the flag corresponding to the function will change. Therefore, the identification device can determine whether the function is hooked by detecting whether the flag of the function has changed, that is, whether the device information corresponding to the function has been tampered with.
  • the value of the flag may be stored in a memory corresponding to the objective function.
  • The recognition device may compare a character at a preset position in the flag value with a preset fixed character; when the comparison shows that the character at the preset position is different from the fixed character, it is determined that the objective function is hooked.
  • The number of characters at the preset position is the same as the number of characters of the fixed character, so as to facilitate matching and comparison. That is, a change in the flag may refer to a change in one or more bits of the flag value, and the one or more bits may be bits at a preset position of the flag. Therefore, the recognition device can compare one or more bits at the preset position of the obtained flag value with the fixed character, which is the value of those bits when the function has not been tampered with. If the one or more bits of the flag value have changed, that is, they differ from the fixed character, this indicates that the objective function is hooked, that is, the device information corresponding to the objective function has been tampered with.
  • Some Xposed plugins set a bit at a fixed position of the function's flag value to 1 when a function is hooked; for functions that have not been tampered with, this bit of the flag value is 0 (the fixed character described above). Therefore, by detecting whether the fixed bit of the flag value of the function is 0, it can be known whether the function is hooked by the Xposed plugin. That is, if the fixed bit of the flag value of the function being checked is not 0, this indicates that the function is hooked and has been tampered with.
  • The recognition device may also perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value; when the operation result value is a positive integer, it is determined that the objective function is hooked.
  • The logic algorithm may be determined according to a preset character string and a jump address when a native function in the system is executed. That is to say, the flag can also be processed according to a preset logic algorithm, and the processed value compared with the fixed character it takes when the function has not been tampered with, such as 0. If the processed value has changed and is not 0, for example it is a positive integer, this indicates that the function is hooked.
  • the function can be tampered with; if the result of the logical calculation is equal to 0 (that is, a fixed character), it indicates that the function has not been tampered with.
  • The EntryPointFromJni may refer to the jump address when a native function is executed, and AccessFlags is the above-mentioned flag.
  • The identification device may determine the system version used by the target terminal, and then, according to the system version of the target terminal, select the way of determining based on the flag value whether the objective function is hooked, so as to improve the efficiency of hook detection.
  • the correspondence between the system version and the way of hook detection can be set in advance.
  • the function pointer and the hooked function are stored in different fields in the same block of memory, and there is a mapping relationship between different function pointers and the original function, or a mapping relationship between different function pointers and the storage address of the original function.
  • the hooked target function may also be restored, so as to determine the real device information corresponding to the target function.
  • a function pointer corresponding to the objective function, that is, the objective function pointer described above, can be quickly obtained from its memory, so as to determine, according to the objective function pointer, the original function corresponding to the objective function. Original functions, such as native APIs, are real functions that have not been hooked.
  • the identification device can determine the real device information corresponding to the target terminal through the original function, and perform simulator identification based on the real device information. That is, when the device information is detected to have been tampered with, the embodiment of the present application can obtain the real device information and perform simulator identification based on it, thereby improving the accuracy and reliability of simulator identification.
  • for example, the device information includes the name and MAC address of the router. If the function corresponding to the name of the router is detected to be hooked, the real original router name can be restored; if the function corresponding to the MAC address is detected to be hooked, the real original MAC address can be restored, and the simulator can be identified based on the real original router name and MAC address.
  • the original function pointer stored in the memory will not be tampered with.
  • the original information of the function will be backed up and stored at a specific address in memory, that is, the address to which the objective function pointer points. If this backup information were also tampered with, the Xposed plugin would not work properly. Therefore, the original function obtained at the specific address pointed to by the target function pointer must be the correct function, and it cannot be tampered with.
  • after the real original device information is determined, it can be determined whether the original device information hits the corresponding simulator recognition rules, and simulator recognition is then performed according to the hit result.
  • the recognition method is similar to the above method of simulator identification based on the device information and the preset multiple simulator recognition rules. For details, please refer to the descriptions of steps 102-103 in the embodiment shown in FIG. 1 and steps 205-207 in the embodiment shown in FIG. 2; details are not repeated here.
  • the identification device may generate alarm information for risk control.
  • the alarm information may include one or more of a risk level, user information, and malicious behavior of the device.
  • the risk level can be determined according to the target risk control scenario of the terminal, and the correspondence between different risk control scenarios and risk levels can be set in advance; or the risk level can be determined according to the application that the target terminal runs, and can be specifically determined in advance.
  • the risk level can also be determined according to the number of hooked functions of the terminal, and the correspondence between different numbers of hooks and risk levels can be set in advance; or it can be determined according to the priority of the tampered device information of the terminal. Specifically, the priority of different device information, and the correspondence between each priority and risk level, can be set in advance; this is not limited in this application.
  • the risk level can be classified as high-risk, medium-risk, low-risk, or first-, second-, third-, and so on.
  • the user information may include a user identification (UID), a mobile phone number, an ID number (if collected during registration of an application), and the like.
  • the malicious behavior may include tampering with the MAC address, tampering with the CPU manufacturer, tampering with the model and brand of the mobile phone, tampering with the mobile phone number, etc., which can be specifically determined through the aforementioned hook detection.
  • the identification device may also issue an instruction to the target terminal according to the alarm information to control operations on the target terminal (such as an APP client running on the terminal). For example, if the identification device determines that the risk level is low-risk, the identification device may issue an instruction to instruct the client to output a prompt to require the user to enter verification information.
  • the verification method includes, but is not limited to, a short message verification code, a picture verification code, and the like. If the verification fails, no further operation is possible.
  • the identification device may issue an instruction instructing the client to prohibit the access operations requested by the user in the target risk control scenario (such as logging in, receiving red envelopes, redeeming coupons, spending, transferring money, etc.).
  • the identification device may issue an instruction to instruct the client to prohibit the user from requesting all access operations, etc., which are not listed here one by one.
  • using the simulator can obtain stronger performance than a mobile phone (which is in effect game cheating).
  • This application can identify, through the above identification method, whether the game application is running in the simulator environment, and can discover in time that the game is running in the simulator, so that the behavior can be stopped and the losses that cheating causes to users prevented.
  • the risk control strategy of a small loan launched by a financial institution is to allow only users in specific areas, such as users in Beijing, Shanghai and Guangzhou. Illegal users may use simulators to modify GPS positioning in order to bypass the risk control strategy and obtain loans fraudulently. Therefore, the present application can identify whether the device is running in the simulator environment through the above identification method, and reject the user's loan request after determining that the device is running in the simulator environment. Further, this application can also restore the GPS positioning by using the above-mentioned hook detection method to obtain the user's true positioning information.
  • illegal persons set information such as the phone model, brand, and manufacturer in the simulator so that one simulator program can simulate multiple different Android phones, thereby creating fake identities to cheat preferential activities, registration rewards, and so on.
  • the real mobile phone model, brand, manufacturer and other information can be restored and the simulator can be identified, so as to identify in time whether the device is running in the simulator environment and, when it is recognized that it is running in the simulator environment, to stop the behavior in time and avoid causing losses to legitimate users.
  • the identification device can identify whether the terminal is running in the simulator environment according to a plurality of preset simulator identification rules and the collected terminal device information, based on the simulator identification rules that the terminal device information hits. Simulator recognition is thus performed by combining multiple simulator recognition rules, which improves the accuracy of simulator recognition.
  • it is possible to detect that device information has been tampered with and, when tampering is detected, to restore the real device information in time, so as to identify the simulator based on the real device information. The accuracy of simulator recognition is further improved.
  • FIG. 4 is a schematic structural diagram of an identification device according to an embodiment of the present application.
  • the recognition device in the embodiment of the present application includes a unit for executing the above-mentioned simulator recognition method.
  • the identification device 400 in this embodiment may include: an obtaining unit 401 and a processing unit 402, wherein:
  • the obtaining unit 401 is configured to obtain device information of a target terminal, where the device information includes any one or more of model information of the target terminal, a manufacturer identifier of a central processing unit CPU, a memory space value, a first number of installed applications, a second number of stored files, the network system used, the operating status, and the router information of the connected Wi-Fi hotspot;
  • the processing unit 402 is configured to determine a target recognition rule that the device information of the target terminal hits in the multiple simulator recognition rules according to a preset plurality of simulator recognition rules and the device information of the target terminal.
  • the plurality of simulator identification rules are determined according to device information of a terminal running in the simulator environment in a historical record;
  • the processing unit 402 is further configured to identify whether the target terminal is running in a simulator environment according to a preset weight and a weight threshold of the target recognition rule.
  • the processing unit 402 is specifically configured to: when there are multiple target recognition rules that are hit, calculate the sum of the weights of the target recognition rules according to the preset weights of the simulator recognition rules; determine whether the sum of the weights is greater than a preset weight threshold; and when the sum of the weights is greater than the weight threshold, determine that the target terminal is running in a simulator environment.
  • the identification device further includes: a weight setting unit 403;
  • the weight setting unit 403 is configured to separately count the hit information with which the device information of the terminals running in the simulator environment in the historical record hits the plurality of simulator recognition rules, and to determine the weight corresponding to each simulator recognition rule according to the hit information corresponding to that simulator recognition rule.
  • the hit information includes a hit frequency and / or the number of hits
  • a weight corresponding to each simulator recognition rule is proportional to a hit frequency corresponding to the simulator recognition rule
  • the model information includes a model and / or brand of the target terminal
  • the router information includes a router name and / or a media access control MAC address
  • the plurality of simulator identification rules includes at least two of the following items:
  • the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in the preset first blacklist
  • the MAC address of the router of the Wi-Fi hotspot connected to the terminal to be identified is in the set of MAC addresses in a preset second blacklist
  • the model of the terminal to be identified is the same as any terminal model in the preset third blacklist
  • the brand of the terminal to be identified is the same as any terminal brand in the preset fourth blacklist;
  • the manufacturer identification of the central processing unit CPU of the terminal to be identified is different from all the manufacturer identifications in the preset white list;
  • the terminal to be identified is not configured with a preset module, and the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor;
  • a memory space value of the terminal to be identified is less than a preset memory threshold
  • the first number of applications installed by the terminal to be identified is less than a preset first number threshold
  • the second number of files stored by the terminal to be identified is less than a preset second number threshold
  • the network standard used by the terminal to be identified is different from all the network standards in the preset network standard list;
  • a system file of a preset path and name exists in the system of the terminal to be identified;
  • the running state of the terminal to be identified is the root state.
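The weighted rule scheme described above (weights proportional to how often each rule is hit by known simulator records, summed over the rules a target hits and compared with a threshold) can be sketched as follows. This is an added example, not code from the patent: the field names, blacklist and whitelist contents, thresholds and historical records are all constructed assumptions, and only a subset of the listed rules is implemented.

```python
from typing import Callable, Dict, List, Tuple

Device = Dict[str, object]
Rule = Callable[[Device], bool]

# Constructed placeholder lists and thresholds (the patent publishes none).
ROUTER_NAME_BLACKLIST = {"ExampleEmuWiFi"}
ROUTER_MAC_BLACKLIST = {"00:00:5e:00:53:01"}  # documentation-range MAC
MODEL_BLACKLIST = {"example_emulator_model"}
CPU_VENDOR_WHITELIST = {"VendorA", "VendorB"}
PRESET_MODULES = {"bluetooth", "light_sensor"}
MIN_MEMORY_MB = 1024
MIN_INSTALLED_APPS = 10
WEIGHT_THRESHOLD = 2.0

# The device information may contain "any one or more" of the items, so a
# rule fires only when the field it needs was actually collected.
RULES: Dict[str, Rule] = {
    "router_name_blacklisted": lambda d: d.get("router_name") in ROUTER_NAME_BLACKLIST,
    "router_mac_blacklisted": lambda d: str(d.get("router_mac", "")).lower() in ROUTER_MAC_BLACKLIST,
    "model_blacklisted": lambda d: d.get("model") in MODEL_BLACKLIST,
    "cpu_vendor_not_whitelisted": lambda d: "cpu_vendor" in d and d["cpu_vendor"] not in CPU_VENDOR_WHITELIST,
    # Assumption: the rule fires when any one of the preset modules is absent.
    "preset_module_missing": lambda d: "modules" in d and not PRESET_MODULES <= set(d["modules"]),
    "low_memory": lambda d: d.get("memory_mb", MIN_MEMORY_MB) < MIN_MEMORY_MB,
    "few_installed_apps": lambda d: d.get("installed_apps", MIN_INSTALLED_APPS) < MIN_INSTALLED_APPS,
    "rooted": lambda d: d.get("rooted") is True,
}


def hit_rules(device: Device, rules: Dict[str, Rule] = RULES) -> List[str]:
    """Names of the recognition rules that the device information hits."""
    return [name for name, rule in rules.items() if rule(device)]


def learn_weights(history: List[Device], rules: Dict[str, Rule] = RULES,
                  scale: float = 1.0) -> Dict[str, float]:
    """Weight of each rule, proportional to its hit frequency in the history."""
    if not history:
        raise ValueError("need at least one historical simulator record")
    counts = {name: 0 for name in rules}
    for record in history:
        for name in hit_rules(record, rules):
            counts[name] += 1
    return {name: scale * n / len(history) for name, n in counts.items()}


def is_simulator(device: Device, weights: Dict[str, float],
                 threshold: float = WEIGHT_THRESHOLD,
                 rules: Dict[str, Rule] = RULES) -> Tuple[bool, float, List[str]]:
    """Sum the weights of the hit rules; flag only if the sum exceeds the threshold."""
    hits = hit_rules(device, rules)
    score = sum(weights[name] for name in hits)
    return score > threshold, score, hits


# Constructed historical records of terminals known to run in a simulator.
SIMULATOR_HISTORY: List[Device] = [
    {"router_name": "ExampleEmuWiFi", "router_mac": "00:00:5E:00:53:01",
     "model": "example_emulator_model", "cpu_vendor": "UnknownVendor",
     "modules": [], "memory_mb": 512, "installed_apps": 3, "rooted": True},
    {"router_name": "ExampleEmuWiFi", "model": "example_emulator_model",
     "cpu_vendor": "VendorA", "modules": ["bluetooth"], "memory_mb": 4096,
     "installed_apps": 4, "rooted": True},
    {"router_name": "HomeNet", "router_mac": "00:00:5e:00:53:01",
     "model": "phone_x", "cpu_vendor": "UnknownVendor",
     "modules": ["bluetooth", "light_sensor"], "memory_mb": 512,
     "installed_apps": 50, "rooted": True},
    {"router_name": "ExampleEmuWiFi", "model": "example_emulator_model",
     "cpu_vendor": "UnknownVendor", "modules": [], "memory_mb": 2048,
     "installed_apps": 2, "rooted": False},
]
WEIGHTS = learn_weights(SIMULATOR_HISTORY)

# Constructed targets: one emulator-like terminal, one rooted physical phone.
EMULATOR_LIKE: Device = {
    "router_name": "ExampleEmuWiFi", "model": "example_emulator_model",
    "cpu_vendor": "UnknownVendor", "modules": ["bluetooth"],
    "memory_mb": 3072, "installed_apps": 40, "rooted": False}
ROOTED_PHONE: Device = {
    "router_name": "HomeNet", "router_mac": "02:00:00:aa:bb:cc",
    "model": "phone_x", "cpu_vendor": "VendorA",
    "modules": ["bluetooth", "light_sensor"], "memory_mb": 6144,
    "installed_apps": 80, "rooted": True}

if __name__ == "__main__":
    for label, dev in (("emulator-like", EMULATOR_LIKE), ("rooted phone", ROOTED_PHONE)):
        print(label, is_simulator(dev, WEIGHTS))
```

A single hit such as the root state stays below the threshold, which is the reason for combining rules rather than acting on any one of them.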
  • the identification device further includes: a hook detection unit 404 and a reduction unit 405;
  • the obtaining unit 401 is further configured to obtain a flag value of an objective function corresponding to the device information of the target terminal;
  • a hook detection unit 404 configured to determine whether the objective function is hooked according to the flag value
  • the obtaining unit 401 is further configured to obtain an objective function pointer corresponding to the objective function from the memory of the objective function when it is determined that the objective function is hooked;
  • a restoration unit 405 configured to determine an original function corresponding to the target function pointer according to a corresponding relationship between function pointers and functions stored in advance, and determine original device information according to the original function;
  • the processing unit 402 is specifically configured to determine a target recognition rule that the original device information hits in the plurality of simulator recognition rules according to a preset plurality of simulator recognition rules and the original device information.
  • the hook detection unit 404 is specifically configured to compare a character at a preset position in the flag value with a preset fixed character, where the number of characters at the preset position is the same as the number of characters of the fixed character; when the character at the preset position is different from the fixed character, it is determined that the objective function is hooked.
  • the hook detection unit 404 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and the jump address when a native function in the system is executed; when the operation result value is a positive integer, it is determined that the target function is hooked.
  • the recognition device may implement some or all steps in the simulator recognition method in the embodiments shown in FIG. 1 to FIG. 3 by using the foregoing units. It should be understood that the embodiments of the present application are device embodiments corresponding to the method embodiments, and the description of the method embodiments is also applicable to the embodiments of the present application.
  • FIG. 5 is a schematic structural diagram of another identification device according to an embodiment of the present application.
  • the identification device is used to perform the method described above.
  • the identification device 500 in this embodiment may include: one or more processors 501 and a memory 502.
  • the identification device may further include one or more user interfaces 503, and / or, one or more communication interfaces 504.
  • the processor 501, the user interface 503, the communication interface 504, and the memory 502 may be connected through a bus 505, or may be connected through other methods.
  • FIG. 5 illustrates the examples by using a bus method.
  • the memory 502 is configured to store a computer program, where the computer program includes program instructions, and the processor 501 is configured to execute the program instructions stored in the memory 502.
  • the processor 501 may be used to call the program instructions to perform the following steps: obtaining device information of the target terminal, where the device information includes any one or more of model information of the target terminal, a manufacturer identifier of the central processing unit CPU, a memory space value, the first number of installed applications, the second number of stored files, the network system used, the operating status, and the router information of the connected Wi-Fi hotspot; determining, according to a preset plurality of simulator recognition rules and the device information of the target terminal, a target recognition rule that the device information of the target terminal hits in the plurality of simulator recognition rules, wherein the plurality of simulator recognition rules are determined from the device information of terminals running in the simulator environment in the historical record; and identifying, according to the preset weight and weight threshold of the target recognition rule, whether the target terminal is running in the simulator environment.
  • when the processor 501 invokes the program instructions to identify, according to the preset weight and weight threshold of the target recognition rule, whether the target terminal is running in a simulator environment, it specifically performs the following steps: when there are multiple target recognition rules that are hit, calculating the sum of the weights of the target recognition rules according to the preset weights of each simulator recognition rule; determining whether the sum of the weights is greater than a preset weight threshold; and when the sum of the weights is greater than the weight threshold, determining that the target terminal is running in a simulator environment.
  • the processor 501 is further configured to call the program instructions to perform the following steps: separately counting the hit information with which the device information of the terminals running in the simulator environment in the history record hits the plurality of simulator recognition rules, where the hit information includes the hit frequency and / or the number of hits; and determining the weight corresponding to each simulator recognition rule according to the hit information corresponding to that simulator recognition rule; wherein the weight corresponding to each simulator recognition rule is directly proportional to the hit frequency corresponding to the simulator recognition rule, and / or the weight corresponding to each simulator recognition rule is directly proportional to the number of hits corresponding to the simulator recognition rule.
  • the model information includes a model and / or brand of the target terminal
  • the router information includes a router name and / or a media access control MAC address
  • the plurality of simulator identification rules includes at least two of the following items:
  • the name of the router of the Wi-Fi hotspot connected to the terminal to be identified is the same as the router name in the preset first blacklist;
  • the MAC address of the router of the Wi-Fi hotspot connected to the terminal to be identified is in the preset first
  • the model of the terminal to be identified is the same as any terminal model in the preset third blacklist;
  • the brand of the terminal to be identified is the same as any terminal brand in the preset blacklist;
  • the manufacturer identification of the central processing unit CPU of the terminal to be identified is different from all the manufacturer identifications in the preset whitelist;
  • the preset module is not configured in the terminal to be identified, and
  • the preset module includes one or more of
  • the processor 501 invokes the program instructions to determine, according to the preset plurality of simulator recognition rules and the device information of the target terminal, the target recognition rule that the device information of the target terminal hits in the plurality of simulator recognition rules; the following steps are further performed: obtaining a flag value of the target function corresponding to the device information of the target terminal, and determining whether the target function is hooked according to the flag value; when it is determined that the target function is hooked, obtaining an objective function pointer corresponding to the objective function from the memory of the objective function; and determining the original function corresponding to the objective function pointer according to the correspondence between function pointers and functions stored in advance, and determining original device information according to the original function;
  • when the processor 501 invokes the program instructions to determine, according to the preset plurality of simulator recognition rules and the device information of the target terminal, the target recognition rule that the device information of the target terminal hits in the plurality of simulator recognition rules, the following steps are specifically performed: according to the plurality of simulator recognition rules set in advance and the original device information, determining a target recognition rule that the original device information hits in the plurality of simulator recognition rules.
  • when the processor 501 calls the program instructions to determine whether the objective function is hooked according to the flag value, it specifically executes the following steps: comparing the character at a preset position in the flag value with the preset fixed character, where the number of characters at the preset position is the same as the number of characters of the fixed character; and when the comparison shows that the character at the preset position is different from the fixed character, determining that the objective function is hooked.
  • when the processor 501 invokes the program instructions to determine whether the objective function is hooked according to the flag value, it specifically performs the following steps: performing a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and a jump address when a native function in the system is executed; and when the operation result value is a positive integer, determining that the objective function is hooked.
  • the processor 501 may be a central processing unit (CPU), and the processor may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the user interface 503 may include an input device and an output device, the input device may include a touch panel, a microphone, and the like, and the output device may include a display (LCD, etc.), a speaker, and the like.
  • the communication interface 504 may include a receiver and a transmitter for communicating with other devices.
  • the memory 502 may include a read-only memory and a random access memory, and provide instructions and data to the processor 501.
  • a part of the memory 502 may further include a non-volatile random access memory.
  • the memory 502 may further store the corresponding relationship between the function pointer and the function, and so on.
  • the processor 501 and the like described in the embodiment of the present application may execute the implementation manners described in the method embodiments shown in FIG. 1 to FIG. 3 above, and may also execute the implementation of each unit of the identification device described in FIG. 4 of the embodiment of the present application, which is not repeated here.
  • An embodiment of the present application further provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program. When the computer program is executed by a processor, it can implement some or all of the steps in the simulator recognition method described in the embodiments corresponding to FIG. 1 to FIG. 3, and may also implement the functions of the recognition device in the embodiment shown in FIG. 4 or FIG. 5 of the application, which are not described again here.
  • An embodiment of the present application further provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute part or all of the steps in the above method.
  • the computer-readable storage medium may be an internal storage unit of the identification device according to any one of the foregoing embodiments, such as a hard disk or a memory of the identification device.
  • the computer-readable storage medium may also be an external storage device of the identification device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, etc.
  • the size of the sequence numbers of the above processes does not mean the order of execution.
  • the execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.

Abstract

Disclosed in the present application are a simulator recognition method, a recognition device, and a computer readable medium. Said method comprises: acquiring device information concerning a target terminal; determining, according to a plurality of preset simulator recognition rules and the device information concerning the target terminal, a target recognition rule to which the device information concerning the target terminal is directed among the plurality of simulator recognition rules, the plurality of simulator recognition rules being determined according to device information concerning terminals running in a simulator environment in history records; and according to a preset weight and weight threshold of the target recognition rule, recognizing whether the target terminal runs in the simulator environment. The present application facilitates the improvement of simulator recognition accuracy.

Description

Simulator recognition method, recognition device and computer-readable medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on July 27, 2018, with application number 201810855587.2 and entitled "Simulator recognition method, recognition device and computer-readable medium", the entire contents of which are incorporated by reference in this application.
Technical field
The present application relates to the field of communication technologies, and in particular, to a simulator recognition method, a recognition device, and a computer-readable medium.
Background
An Android simulator is an application that can simulate the operating environment of the Android system on various platforms such as Windows and Linux. Users can run Android applications on an Android simulator in a terminal such as a personal computer. For certain services that use Android applications, such as services requiring risk monitoring, it is not desirable for the application to run on a simulator, so it is necessary to identify whether the terminal is running in an Android simulator environment. At present, risk recognition devices have a limited ability to recognize Android simulators and cannot effectively identify whether a terminal is running in a simulator environment.
Summary of the invention
The present application provides a simulator recognition method, a recognition device and a computer-readable medium, which help to improve the accuracy of simulator recognition.
In a first aspect, the present application provides a simulator recognition method, including:
obtaining device information of a target terminal, where the device information includes any one or more of model information of the target terminal, a manufacturer identifier of the central processing unit CPU, a memory space value, a first number of installed applications, a second number of stored files, the network system used, the operating status, and router information of the connected Wi-Fi hotspot;
determining, according to a preset plurality of simulator recognition rules and the device information of the target terminal, a target recognition rule that the device information of the target terminal hits in the plurality of simulator recognition rules, wherein the plurality of simulator recognition rules are determined based on the device information of terminals running in the simulator environment in the historical record;
identifying, according to a preset weight and a weight threshold of the target recognition rule, whether the target terminal is running in a simulator environment.
第二方面,本申请提供了一种识别设备,该识别设备包括用于执行上述第一方面的方法的单元。In a second aspect, the present application provides an identification device including a unit for performing the method of the first aspect.
第三方面,本申请提供了另一种识别设备,包括处理器、用户接口、通信接口和存储器,所述处理器、用户接口、通信接口和存储器相互连接,其中,所述存储器用于存储支持识别设备执行上述方法的计算机程序,所述计算机程序包括程序指令,所述处理器被配置用于调用所述程序指令,执行上述第一方面的方法。In a third aspect, the present application provides another identification device, including a processor, a user interface, a communication interface, and a memory, and the processor, the user interface, the communication interface, and the memory are connected to each other, where the memory is used for storing support A computer program that identifies the device to execute the method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
第四方面,本申请提供了一种计算机可读存储介质,所述计算机存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行上述第一方面的方法。In a fourth aspect, the present application provides a computer-readable storage medium, where the computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute The method of the first aspect described above.
本申请实施例能够通过获取终端的设备信息,确定预设的多个模拟器识别规则中该目标终端的设备信息命中的模拟器识别规则,进而根据预设的该命中的模拟器识别规则的权重和预设权重阈值,来识别该目标终端是否运行于模拟器环境,使得实现了结合多个模拟器识别规则来进行模拟器识别,这就有助于提升模拟器识别的准确性。In the embodiment of the present application, the device identification information of the terminal can be used to determine the simulator identification rule of the target terminal device information hit among preset multiple simulator identification rules, and then according to the preset weight of the simulator identification rule that is hit And preset weight thresholds to identify whether the target terminal is running in the simulator environment, so that it can implement simulator recognition by combining multiple simulator recognition rules, which helps to improve the accuracy of simulator recognition.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of the present application more clearly, the drawings used in the description of the embodiments are described below.
FIG. 1 is a schematic flowchart of a simulator recognition method provided by an embodiment of the present application;
FIG. 2 is a schematic flowchart of another simulator recognition method provided by an embodiment of the present application;
FIG. 3 is a schematic flowchart of yet another simulator recognition method provided by an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a recognition device provided by an embodiment of the present application;
FIG. 5 is a schematic structural diagram of another recognition device provided by an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application are described below with reference to the drawings in the embodiments of the present application.
The technical solution of the present application can be applied to a recognition device. The recognition device may include various terminals, servers, or risk recognition products (devices) connected to a terminal, and is used to recognize simulator behavior in a terminal ("simulator recognition" for short), that is, to recognize whether a terminal (or an application in the terminal, such as an application with an embedded SDK) is running in a simulator environment, or, in other words, whether the terminal logs in using a simulator. In the present application, a simulator may be an Android simulator or another simulator. The terminal involved in the present application may be a mobile phone, a computer, a tablet, a personal computer, a smart watch and so on, which is not limited in the present application.
Specifically, the present application sets a plurality of simulator recognition rules and acquires various items of device information of the terminal, such as one or more of: information on the connected Wi-Fi hotspot, model information, CPU manufacturer information, module configuration information, memory space information, the number of installed applications, the number of stored files, the network standard in use, system file anomaly information, and the running state. According to the simulator recognition rules hit by the various items of device information, simulator recognition is performed by combining multiple simulator recognition rules, which improves the accuracy of simulator recognition. Details are given below.
Refer to FIG. 1, which is a schematic flowchart of a simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 1, the simulator recognition method may include the following steps:
101. Acquire device information of a target terminal.
The target terminal may be any terminal on which simulator recognition needs to be performed, such as a terminal connected to a risk recognition product, a terminal in a specific risk-control scenario, or a terminal on which simulator recognition has been triggered (for example by a preset key, a gesture or another preset trigger), which is not limited in the present application. The risk-control scenario may include a login scenario, a transaction scenario, an APP discount-domain scenario, and so on.
Optionally, the acquired device information may include any one or more of: model information of the target terminal, the manufacturer identifier of the CPU, the memory space value, the first number of installed applications, the second number of stored files, the network standard in use, module configuration information, the running state, and router information of the connected wireless fidelity (Wi-Fi) hotspot. The model information may include the model and/or brand of the target terminal; the module configuration information includes whether preset modules such as a Bluetooth module, a temperature sensor or a light sensor are configured; and the router information may include the name and/or media access control (MAC) address of the router, and so on.
102. Determine, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rule that the device information of the target terminal hits among the plurality of simulator recognition rules.
The plurality of simulator recognition rules may be determined according to device information of terminals recorded in historical records as running in a simulator environment, to improve the efficiency and reliability of simulator recognition. For example, the plurality of simulator recognition rules may include at least two of the following:
Rule 1: the name of the router of the Wi-Fi hotspot to which the terminal to be recognized is connected is the same as a router name in a preset first blacklist;
Rule 2: the MAC address of the router of the Wi-Fi hotspot to which the terminal to be recognized is connected is in the MAC address set of a preset second blacklist;
Here, detecting whether a MAC address is in a preset MAC address set can also be described as detecting whether the MAC address is the same as a MAC address in that set; correspondingly, a MAC address being in the MAC address set can mean that the MAC address is the same as any MAC address in the set.
Rule 3: the model of the terminal to be recognized is the same as any terminal model in a preset third blacklist;
Rule 4: the brand of the terminal to be recognized is the same as any terminal brand in a preset fourth blacklist;
Optionally, the device information included in the above blacklists, such as the first, second, third and fourth blacklists, may be the device information of terminals recognized as simulators in historical data (that is, terminals recognized as running in a simulator environment), for example the top L (L being an integer greater than 0, e.g. 8) most frequently counted items of device information (router name, MAC address, model, brand and so on), or the items of device information whose count is greater than a preset threshold, which is not detailed here.
For example, the first blacklist includes the most frequently counted names among the names of routers to which terminals recognized as simulators in the historical data were connected, such as the top M (M being an integer greater than 0, e.g. 10) most frequently counted names, or the names whose count is greater than a preset number threshold (a first threshold). As another example, the second blacklist includes the most frequently counted MAC addresses among the MAC addresses of routers to which terminals recognized as simulators in the historical data were connected, or a MAC address set made up of those MAC addresses, such as the top N (N being an integer greater than 0, e.g. 50) most frequently counted MAC addresses, or the MAC addresses whose count is greater than a preset number threshold (a second threshold), or a MAC address set determined from these MAC addresses, and so on, which is not limited in the present application. The first threshold and the second threshold may be set in advance.
Rule 5: the manufacturer identifier of the central processing unit (CPU) of the terminal to be recognized differs from every manufacturer identifier in a preset whitelist;
The whitelist may include the identifiers of one or more legitimate CPU manufacturers.
Rule 6: the terminal to be recognized is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor and a light sensor;
The preset module may be a module that, according to statistics over historical data, is not configured in terminals recognized as simulators, such as a Bluetooth module, a temperature sensor or a light sensor. Therefore, if it is found that a terminal is not configured with the preset module, it may be a simulator.
Rule 7: the memory space value of the terminal to be recognized is less than a preset memory threshold;
Rule 8: the first number of applications installed on the terminal to be recognized is less than a preset first number threshold;
Rule 9: the second number of files stored on the terminal to be recognized is less than a preset second number threshold;
The first number threshold and the second number threshold may be set in advance.
Rule 10: the network standard used by the terminal to be recognized differs from every network standard in a preset network standard list;
Optionally, the recognition device may determine which network standards are normal based on the target area in which the terminal to be recognized, such as the target terminal, is located. For example, different areas and their corresponding network standard lists are configured in advance, and the network standard list corresponding to the target area is then determined; the network standards in that list are the normal network standards for the target area. If it is detected that the network standard used by the target terminal is not in its corresponding network standard list, the target terminal may be running in a simulator environment, because a simulator may tamper with network standard information.
Rule 11: a system file with a preset path and name exists in the system of the terminal to be recognized;
If abnormal system files exist on the target terminal, it may be a simulator. For example, the abnormal system files may include system files with the following paths and names: /dev/qemu_pipe, /dev/socket/qemud, /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /proc/tty/drivers/goldfish, and so on.
Rule 12: the running state of the terminal to be recognized is the root state. If it is detected that the target terminal is in the Android root state, it may be a simulator.
Device information hitting a simulator recognition rule may also be described as the device information satisfying or conforming to the simulator recognition rule. The terminal to be recognized is the terminal on which simulator recognition is to be performed by determining which simulator recognition rules its device information hits, such as the target terminal described above.
103. Recognize, according to the preset weight of the target recognition rule and a weight threshold, whether the target terminal is running in a simulator environment.
The weights of the plurality of simulator recognition rules may be set in advance, for example by risk-control personnel based on experience, or according to the frequency or number of times that terminals recognized as simulators in historical records hit each simulator recognition rule, and so on. For example, the weights are set in descending order as: rule 1 = rule 2 > rule 3 = rule 4 > rule 5 > rule 6 = rule 7 = rule 8 = rule 9 = rule 10 > rule 11 > rule 12. The way in which the weights of the simulator recognition rules are set or determined is not limited in the present application.
That is, the present application presets a plurality of simulator recognition rules so that, when simulator recognition is performed, the device information of the terminal is acquired and checked against the plurality of simulator recognition rules, and simulator recognition is then performed according to the weight of the hit simulator recognition rule and the preset weight threshold. For example, when the weight of the hit simulator recognition rule is greater than the weight threshold, it is determined that the terminal is running in a simulator environment. Further, if the device information of the target terminal does not hit any simulator recognition rule, it can be determined that the target terminal is not running in a simulator environment.
For example, in some embodiments the plurality of preset simulator recognition rules are rules 1, 2 and 3 above, the preset weight of rule 1 is 0.7, the weight of rule 2 is 0.7, the weight of rule 3 is 0.5, and the weight threshold is 0.6. The acquired device information includes the name and MAC address of the router of the Wi-Fi hotspot to which the target terminal is connected, and the model of the target terminal. The recognition device then checks whether the router name in the device information is the same as a router name in the first blacklist, whether the MAC address in the device information is in the MAC address set of the second blacklist, and whether the model in the device information is the same as any terminal model in the third blacklist. If the recognition device detects that the router name is the same as any router name in the first blacklist, it determines that rule 1 is hit; if it detects that the MAC address is in the MAC address set of the second blacklist, it determines that rule 2 is hit; and if it detects that the model is the same as any terminal model in the third blacklist, it determines that rule 3 is hit. Suppose the recognition device determines that the device information of the target terminal hits rule 2 and misses rules 1 and 3. The weight of rule 2, 0.7, is greater than the weight threshold of 0.6, so it can be determined that the target terminal is running in a simulator environment.
In the embodiments of the present application, the recognition device acquires the device information of a terminal, determines which of the plurality of preset simulator recognition rules the device information of the target terminal hits, and then recognizes whether the target terminal is running in a simulator environment according to the preset weight of the hit simulator recognition rule and the preset weight threshold. Simulator recognition is thus performed by combining multiple simulator recognition rules, which helps improve the accuracy of simulator recognition.
Refer to FIG. 2, which is a schematic flowchart of another simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 2, the simulator recognition method may include the following steps:
201. Separately count the hit information with which the device information of terminals recorded in historical records as running in a simulator environment hits the plurality of simulator recognition rules, the hit information including a hit frequency and/or a hit count.
202. Determine the weight of each simulator recognition rule according to the hit information corresponding to that rule.
The weight of each simulator recognition rule may be directly proportional to the hit frequency of that rule, and/or the weight of each simulator recognition rule may be directly proportional to the hit count of that rule.
That is, the present application can perform big-data analysis on the historical data of terminals recognized as running in a simulator environment, including the simulator rules they hit, and flexibly set the weights of the simulator recognition rules according to the frequency and/or number of times that the historical data hits the above rules. For example, the higher the hit frequency of a rule, the larger the weight set for that rule; the higher the hit count of a rule, the larger the weight set for that rule; and so on. Optionally, a mapping between hit frequency (and/or hit count) and weight may be established in advance, or a mapping between hit frequency (and/or hit count) and importance level together with a mapping between importance level and weight may be established in advance, and so on. The recognition device can then determine the weight of each simulator recognition rule according to its hit frequency and/or hit count. Further optionally, the new hit frequency and/or hit count of each simulator recognition rule within the most recent preset time period may be counted at preset time intervals, and the weight of each rule updated according to the new hit frequency and/or hit count, to further improve the accuracy of simulator recognition.
Optionally, the recognition device may also set or select the plurality of simulator recognition rules used for simulator recognition (that is, the plurality of simulator recognition rules described above) according to the hit frequency and/or hit count. For example, the top L (L being an integer greater than 0, e.g. 6) rules with the highest hit frequency or hit count are used as the plurality of simulator recognition rules, or the rules whose hit frequency within a preset time period is higher than a preset frequency threshold are used, or the rules whose hit count within a preset time period is higher than a preset count threshold are used, and so on, which are not listed one by one here. This improves the flexibility and reliability of setting simulator rules and can improve recognition efficiency.
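Steps 201 and 202 and the optional rule selection can be sketched as follows; this is an added example, not code from the application. The history records, the top weight of 2/5 and all function names are constructed assumptions, and each record already lists the rule ids that a terminal recognized as a simulator hit.

```python
from collections import Counter
from datetime import datetime
from fractions import Fraction

# Constructed history: (time of recognition, ids of the rules that terminal hit).
HISTORY = [
    (datetime(2018, 6, 1), {1, 2, 5}),
    (datetime(2018, 6, 10), {1, 2, 12}),
    (datetime(2018, 6, 20), {2, 3}),
    (datetime(2018, 7, 1), {1, 2, 11}),
    (datetime(2018, 7, 5), {2, 6}),
    (datetime(2018, 7, 10), {1, 2}),
    (datetime(2018, 7, 15), {2, 5, 12}),
    (datetime(2018, 7, 20), {1, 2, 3}),
]


def hit_info(history, rule_ids, since=None):
    """Step 201: {rule id: (hit count, hit frequency)} over records at or after `since`."""
    rule_ids = list(rule_ids)
    records = [hits for ts, hits in history if since is None or ts >= since]
    counts = Counter(r for hits in records for r in hits)
    total = len(records)
    return {
        r: (counts[r], Fraction(counts[r], total) if total else Fraction(0))
        for r in rule_ids
    }


def weights_from_hit_info(info, max_weight=Fraction(1)):
    """Step 202: weight directly proportional to hit frequency.

    The most frequently hit rule receives `max_weight` (an assumed scaling).
    """
    top = max((freq for _, freq in info.values()), default=Fraction(0))
    if top == 0:
        return {r: Fraction(0) for r in info}
    return {r: max_weight * freq / top for r, (_, freq) in info.items()}


def select_rules(info, top_l=None, min_frequency=None, min_count=None):
    """Pick the rules to use: top L by hit count, and/or above a preset threshold.

    Rules that were never hit are dropped; ties are broken by rule id.
    """
    ranked = [r for r in sorted(info, key=lambda r: (-info[r][0], r)) if info[r][0] > 0]
    if min_frequency is not None:
        ranked = [r for r in ranked if info[r][1] > min_frequency]
    if min_count is not None:
        ranked = [r for r in ranked if info[r][0] > min_count]
    return ranked if top_l is None else ranked[:top_l]


if __name__ == "__main__":
    overall = hit_info(HISTORY, range(1, 13))
    print("weights:", weights_from_hit_info(overall, Fraction(2, 5)))
    print("top 3 rules:", select_rules(overall, top_l=3))
    # Periodic update: recompute from the most recent preset time period only.
    recent = hit_info(HISTORY, range(1, 13), since=datetime(2018, 7, 1))
    print("updated weights:", weights_from_hit_info(recent, Fraction(2, 5)))
```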
203. Acquire device information of the target terminal.
Optionally, when performing simulator recognition, the recognition device may acquire multiple items of low-level device information of the target terminal. For example, the device information may include one or more of the following: router information of the connected Wi-Fi hotspot (including the router name (or Wi-Fi name), such as the Wi-Fi Service Set Identifier (SSID), and the router MAC address (or Wi-Fi MAC address), such as the Wi-Fi Basic Service Set Identifier (BSSID)), model information (model and/or brand), CPU manufacturer information, Bluetooth information, sensor information, traces of user activity such as the memory space value, the network standard in use, the Android state (also called the running state, e.g. whether the terminal is in the root state), system file anomaly information (e.g. whether system files with preset paths and names exist), the number of installed applications, the number of stored files, the package name of the accessing App, the version number of the accessing App, the SDK version number, the operating system type, the operating system version, the unique device identifier (UDID), whether the device is jailbroken (e.g. 1 for jailbroken, 0 for not jailbroken), latitude and longitude information, the network type, whether a specified App is installed (e.g. 1 for installed, 0 for not installed), whether Ali Xiaohao (阿里小号) is installed, whether the v8 plug-in is installed, the current timestamp (e.g. with millisecond precision), the advertising identifier, the Vendor identifier, the device model, the host name, the number of CPU cores, the CPU type, the CPU subtype, the screen resolution, the total storage space, the remaining storage space, the time zone, the language, the battery level, the battery state, the carrier name, the country ISO code, the boot time, the keyboard list, whether the did has been erased or tampered with, the did stored in localfile, whether the GPS switch is on (e.g. 0 for off, 1 for on), the GPS authorization state, the list of dynamic link libraries loaded by the APP, and so on. Optionally, the present application may collect the device information using low-level native Android APIs, so that the device information is not easily tampered with.
Specifically, the recognition device may perform simulator recognition by acquiring multiple items of device information, to improve the reliability of recognition. Moreover, according to the plurality of preset simulator recognition rules, the recognition device may use only the part of the acquired device information items that corresponds to those rules for simulator recognition; that is, more device information items are acquired than are actually used, so that a malicious party cannot determine which information is used for simulator recognition. This helps prevent the situation in which a malicious party, having learned of a recognition rule, tampers with the related device information so that a simulator cannot be recognized in time; that is, it prevents the recognition rules from being cracked, which improves the reliability of simulator recognition.
204. Determine, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules.
The plurality of simulator recognition rules may be determined according to device information of terminals recorded in historical records as running in a simulator environment, which is not detailed again here.
205. When multiple target recognition rules are hit, calculate the sum of the weights of the target recognition rules according to the preset weight of each simulator recognition rule.
206. Determine whether the sum of the weights is greater than a preset weight threshold.
207. When the sum of the weights is greater than the weight threshold, determine that the target terminal is running in a simulator environment.
Specifically, the recognition device may determine whether the acquired device information hits the plurality of preset simulator recognition rules, determine the weight of each rule according to whether it is hit, and recognize whether the terminal is a simulator according to the weights of the rules. If a rule is hit, its weight is taken to be the preset weight; if a rule is missed, its weight is taken to be 0. That is, the weights of the hit simulator recognition rules, i.e. the target recognition rules, are tallied. Further, a threshold may be set in advance; if the accumulated sum of the weights of the hit target recognition rules exceeds the threshold, the terminal can be recognized as a simulator, that is, it is determined that the target terminal is running in a simulator environment.
For example, in some embodiments, the preset simulator recognition rules are rules 1-12 described above. The preset weights of rules 1 and 2 are both 0.4, the weights of rules 3 and 4 are both 0.35, the weight of rule 5 is 0.3, the weights of rules 6, 7, 8, 9 and 10 are all 0.25, the weight of rule 11 is 0.2, the weight of rule 12 is 0.1, and the preset weight threshold is 1. The obtained device information includes the name and MAC address of the router of the Wi-Fi hotspot to which the target terminal is connected, and the target terminal's model, brand, CPU manufacturer identifier, module configuration information, memory space value, first number of installed applications, second number of stored files, network standard in use, running state, and other information.
The recognition device can then check: whether the router name in the device information is the same as a router name in the first blacklist; whether the MAC address in the device information falls within a MAC address set in the second blacklist; whether the model in the device information is the same as any terminal model in the third blacklist; whether the brand in the device information is the same as any terminal brand in the fourth blacklist; whether the CPU manufacturer identifier in the device information differs from every manufacturer identifier in the whitelist; whether the module configuration information in the device information indicates that the target terminal is configured with the preset module; whether the memory space value in the device information is less than the preset memory threshold; whether the first number of installed applications in the device information is less than the first number threshold; whether the second number of stored files in the device information is less than the preset second number threshold; whether the network standard in use in the device information differs from every network standard in the preset network standard list; whether the system file information in the device information indicates that a system file with a preset path and name exists; and whether the running state in the device information is the root state. If the recognition device detects that the router name is the same as any router name in the first blacklist, it determines that rule 1 is hit; if it detects that the MAC address falls within any MAC address set in the second blacklist, it determines that rule 2 is hit; if it detects that the model is the same as any terminal model in the third blacklist, it determines that rule 3 is hit; and so on, which is not repeated here.
Assume the recognition device determines that the device information of the target terminal hits rules 1, 2, 5 and 12 and misses rules 3, 4, 6, 7, 8, 9, 10 and 11. The sum of the weights of the hit rules is then 0.4 + 0.4 + 0.3 + 0.1 = 1.2; since 1.2 is greater than the weight threshold of 1, it can be determined that the target terminal is running in a simulator environment. If the sum of the weights of the hit rules is less than 1, it can be determined that the target terminal is not running in a simulator environment; alternatively, further identification may be performed in combination with other information, simulator identification may be performed again after a preset interval, or some operations of the terminal may be controlled according to the size of the weight sum, and so on, which is not limited in this application.
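The weighted scoring described above, as an added Python example that is not code from the application: the rule weights and the threshold are the ones given in the worked example, while the field names, blacklist and whitelist contents, numeric thresholds and sample devices are constructed placeholders. A rule whose input field was not collected is counted as a miss (weight 0).

```python
from decimal import Decimal

# Weights for rules 1-12 and the threshold, as given in the worked example.
WEIGHTS = {r: Decimal(w) for r, w in {
    1: "0.4", 2: "0.4", 3: "0.35", 4: "0.35", 5: "0.3", 6: "0.25",
    7: "0.25", 8: "0.25", 9: "0.25", 10: "0.25", 11: "0.2", 12: "0.1"}.items()}
THRESHOLD = Decimal("1")

# Constructed placeholder lists and thresholds (assumptions, not from the page).
CFG = {
    "router_name_blacklist": {"EXAMPLE-SIM-AP"},
    "mac_prefix_blacklist": {"02:00:00"},       # a "MAC address set" modelled as a prefix
    "model_blacklist": {"EXAMPLE-SIM-MODEL"},
    "brand_blacklist": {"EXAMPLE-SIM-BRAND"},
    "cpu_vendor_whitelist": {"vendor-a", "vendor-b"},
    "preset_modules": {"bluetooth", "temperature_sensor", "light_sensor"},
    "min_memory_mb": 1024,
    "min_app_count": 10,
    "min_file_count": 50,
    "network_types": {"LTE", "UMTS", "GSM"},
    "system_file_paths": {"/constructed/path/sim.prop"},
}

# One predicate per rule; True means the rule is hit.
RULES = {
    1: lambda d: d["router_name"] in CFG["router_name_blacklist"],
    2: lambda d: d["router_mac"].lower().startswith(tuple(CFG["mac_prefix_blacklist"])),
    3: lambda d: d["model"] in CFG["model_blacklist"],
    4: lambda d: d["brand"] in CFG["brand_blacklist"],
    5: lambda d: d["cpu_vendor"] not in CFG["cpu_vendor_whitelist"],
    # Interpretation: hit when none of the preset modules is present.
    6: lambda d: not (CFG["preset_modules"] & set(d["modules"])),
    7: lambda d: d["memory_mb"] < CFG["min_memory_mb"],
    8: lambda d: d["app_count"] < CFG["min_app_count"],
    9: lambda d: d["file_count"] < CFG["min_file_count"],
    10: lambda d: d["network_type"] not in CFG["network_types"],
    11: lambda d: bool(set(d["system_files"]) & CFG["system_file_paths"]),
    12: lambda d: bool(d["is_root"]),
}


def evaluate(info):
    """Return (hit rule numbers, weight sum, verdict) for one device record."""
    hits = []
    for rule_id, check in RULES.items():
        try:
            if check(info):
                hits.append(rule_id)
        except KeyError:
            pass  # field not collected: the rule cannot be evaluated, weight 0
    score = sum((WEIGHTS[r] for r in hits), Decimal("0"))
    # "Exceeds the threshold" is implemented as strictly greater than.
    return hits, score, score > THRESHOLD


# Constructed record that hits rules 1, 2, 5 and 12, as in the worked example.
SIM_LIKE = {
    "router_name": "EXAMPLE-SIM-AP", "router_mac": "02:00:00:AA:BB:CC",
    "model": "Phone-X1", "brand": "BrandA", "cpu_vendor": "unknown-vendor",
    "modules": ["bluetooth", "light_sensor"], "memory_mb": 4096,
    "app_count": 40, "file_count": 500, "network_type": "LTE",
    "system_files": [], "is_root": True,
}

# Constructed partial record: only two fields collected, hits rules 11 and 12.
PARTIAL = {"system_files": ["/constructed/path/sim.prop"], "is_root": True}

if __name__ == "__main__":
    for name, record in (("SIM_LIKE", SIM_LIKE), ("PARTIAL", PARTIAL)):
        hits, score, verdict = evaluate(record)
        print(name, hits, score, "simulator" if verdict else "below threshold")
```

Decimal is used so that 0.4 + 0.4 + 0.3 + 0.1 compares exactly against the threshold instead of picking up binary floating-point error.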
In the embodiments of this application, the recognition device can generate various simulator recognition rules from the features that different types of simulators have in common, and can set a weight for each simulator recognition rule according to the hit frequency and/or number of hits with which the device information of terminals that ran in a simulator environment in the historical records hits those rules. During simulator identification, it can then collect multiple items of device information from the target terminal, determine which simulator recognition rules that device information hits, and determine whether the target terminal is running in a simulator environment from the sum of the weights of the hit rules and the preset weight threshold. This improves the flexibility and reliability of the weight settings of the simulator rules and combines multiple simulator recognition rules for simulator identification, which improves the accuracy of simulator identification.
Refer to FIG. 3, which is a schematic flowchart of yet another simulator recognition method provided by an embodiment of this application. Specifically, as shown in FIG. 3, the simulator recognition method may include the following steps:
301. Obtain device information of a target terminal.
For a description of the obtained device information, refer to the related description in the foregoing embodiments; details are not repeated here.
302. Obtain a flag value of a target function corresponding to the device information of the target terminal, and determine, according to the flag value, whether the target function is hooked.
Optionally, after the device information is obtained and before the target recognition rules hit by the device information of the target terminal among the preset simulator recognition rules are determined, that is, before simulator identification is performed based on the device information, the recognition device may also detect whether the device information used for simulator identification has been tampered with, to ensure that simulator identification is based on real device information. The device information checked for tampering may be limited to the device information corresponding to the simulator recognition rules, to reduce device overhead.
Specifically, the recognition device can identify tampering by detecting whether the function corresponding to the device information is hooked. The flag value can be used to mark the state of the target function. The state may refer to whether the function has been tampered with, or to a read/write state, a blocking or non-blocking state, a state of exiting a process or program, and/or a state of changing file content, and so on, so that whether the target function is hooked can be determined from the flag value. Every function has a corresponding flag, which is a variable; when a function is hooked, its flag changes. The recognition device can therefore determine whether a function is hooked, that is, whether the device information corresponding to that function has been tampered with, by detecting whether the function's flag has changed. The flag value may be stored in the memory corresponding to the target function.
Optionally, when determining whether the target function is hooked according to the flag value, the recognition device may compare the characters at a preset position in the flag value with preset fixed characters; when the comparison shows that the characters at the preset position differ from the fixed characters, the target function is determined to be hooked. The number of characters at the preset position is the same as the number of fixed characters, so that they can be matched and compared. In other words, a change in the flag may mean a change in one or more bits of the flag value, and those bits may be one or more bits at a preset position of the flag. The recognition device can therefore compare the one or more bits at the preset position of the obtained flag value with the fixed characters of the untampered case; if those bits have changed, that is, they differ from the fixed characters, the target function is hooked, and the device information corresponding to the target function has been tampered with.
For example, on systems with Android versions above 4.4 and below 5.0, some Xposed plugins, when hooking a function, set 1 bit at a fixed position of the function's flag value to 1, whereas for a normal, untampered function that bit of the flag value is 0 (the fixed character described above). Therefore, by checking whether that fixed bit of a function's flag value is 0, it can be known whether the function has been hooked by the Xposed plugin. That is, if the fixed bit of the function's flag value is not 0, the function has been hooked and tampered with.
Optionally, when determining whether the target function is hooked according to the flag value, the recognition device may also perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value; when the operation result value is a positive integer, the target function is determined to be hooked. The logic algorithm may be determined from a preset character string and the jump address used when a native function in the system is executed. In other words, the value obtained by processing the flag with the preset logic algorithm can be compared with the fixed character of the untampered case, such as 0; if the processed value has changed, that is, it is not 0 but, for example, some positive integer, the function is hooked.
For example, on systems with Android version 5.0 and above, if the result of a logic algorithm such as the logical expression EntryPointFromJni && AccessFlags & 0x10000000 is a positive integer, the function has been tampered with; if the result of the logical expression is 0 (the fixed character), the function has not been tampered with. EntryPointFromJni may refer to the jump address used when a native function is executed, and AccessFlags is the flag described above.
Further optionally, before determining whether the target function is hooked according to the flag value, the recognition device may also determine the system version used by the target terminal, and then select, according to that system version, the way in which the flag value is used to determine whether the target function is hooked, to improve the efficiency of hook detection. The correspondence between system versions and hook detection methods can be set in advance.
303. When it is determined that the target function is hooked, obtain the target function pointer corresponding to the target function from the memory of the target function.
The function pointer and the hooked function are stored in different fields of the same block of memory, and a mapping exists between function pointers and original functions, or in other words between function pointers and the storage addresses of the original functions.
Optionally, after the target function is determined to be hooked, the hooked target function may also be restored, so that the real device information corresponding to the target function can be determined. Specifically, after a function such as the target function is determined to be hooked, the function pointer corresponding to the target function, that is, the target function pointer described above, can be quickly obtained from its memory, so that the original function corresponding to the target function, such as the native API, that is, the real function that has not been hooked, can be determined from the target function pointer.
304. Determine the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and determine the original device information according to the original function.
After the target function pointer in the memory corresponding to the target function is determined, the original function corresponding to the target function pointer, that is, the real Method, can be further determined. The original function can then replace the target function, restoring the hooked function. The recognition device can thus determine the real device information of the target terminal through the original function and perform simulator identification based on the real device information. In other words, when the embodiments of this application detect that device information has been tampered with, they can promptly obtain the real device information and perform simulator identification based on it, which improves the accuracy and reliability of simulator identification.
For example, assume the device information includes the router name and MAC address. If the function corresponding to the router name is detected to be hooked, the real original router name can be restored; if the function corresponding to the MAC address is detected to be hooked, the real original MAC address can be restored. Simulator identification can then be performed based on the real original router name and MAC address.
It should be understood that the original function pointer stored in the memory will not be tampered with. According to the working principle of the Xposed plugin, before the target function is tampered with, the original information of the function is backed up and saved at a specific address in memory, namely the address that the target function pointer points to. If this backup information were also tampered with, the Xposed plugin would not work properly. Therefore, the original function obtained at the specific address that the target function pointer points to must be the correct function, and it will not have been tampered with.
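Steps 302 to 304 as an added Python model, not code from the application: it selects the flag check by system version, applies the expression EntryPointFromJni && AccessFlags & 0x10000000 for version 5.0 and above, and looks up the original function through the backed-up pointer. MethodRecord, backup_ptr, ORIGINAL_BY_PTR and PLACEHOLDER_PRE5_MASK are hypothetical names; the page does not say which bit is used below 5.0, so that mask is a placeholder, and all sample values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ART_HOOK_MASK = 0x10000000       # mask from the page's expression (version 5.0 and above)
PLACEHOLDER_PRE5_MASK = 1 << 5   # placeholder: the page does not give the bit position


@dataclass
class MethodRecord:
    """Hypothetical view of the memory block that holds one function."""
    access_flags: int            # the "flag" of the function
    entry_point_from_jni: int    # jump address used when a native function executes
    backup_ptr: int              # target function pointer to the saved original
    call: Callable[[], str]      # what calling the function currently returns


def is_hooked(m: MethodRecord, version: Tuple[int, ...]) -> bool:
    """Pick the flag check that matches the system version (step 302)."""
    if (4, 4) <= version < (5, 0):   # 4.4 itself is treated as included (assumption)
        # Fixed-bit comparison: 0 is the untampered value.
        return (m.access_flags & PLACEHOLDER_PRE5_MASK) != 0
    if version >= (5, 0):
        # EntryPointFromJni && (AccessFlags & 0x10000000): 1 if both are non-zero.
        result = int(m.entry_point_from_jni != 0
                     and (m.access_flags & ART_HOOK_MASK) != 0)
        return result > 0
    raise ValueError("no hook check configured for this system version")


# Pre-stored correspondence between function pointers and original functions
# (step 304). Constructed values.
ORIGINAL_BY_PTR: Dict[int, Callable[[], str]] = {
    0x7000A000: lambda: "02:00:00:aa:bb:cc",
}


def collect(methods: Dict[str, MethodRecord],
            version: Tuple[int, ...]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Return (device info with hooked fields restored, names of tampered fields)."""
    info: Dict[str, Optional[str]] = {}
    tampered: List[str] = []
    for field, m in methods.items():
        if not is_hooked(m, version):
            info[field] = m.call()
            continue
        tampered.append(field)
        original = ORIGINAL_BY_PTR.get(m.backup_ptr)   # step 303: follow the pointer
        # No known original for this pointer: report the field as unrecoverable.
        info[field] = original() if original else None
    return info, tampered


# Constructed sample: the MAC getter is hooked and returns a spoofed value.
SAMPLE_METHODS = {
    "router_name": MethodRecord(0x0001, 0, 0, lambda: "HomeAP"),
    "router_mac": MethodRecord(0x0001 | ART_HOOK_MASK, 0x7F001234, 0x7000A000,
                               lambda: "de:ad:be:ef:00:01"),
}

if __name__ == "__main__":
    print(collect(SAMPLE_METHODS, (5, 1)))
```

The list of tampered fields returned by collect is the input that the later risk-level step can use when it grades the alarm by the number or kind of hooked functions.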
305. Determine, according to the preset simulator recognition rules and the original device information, the target recognition rules that the original device information hits among the simulator recognition rules.
306. Identify whether the target terminal is running in a simulator environment according to the preset weights of the target recognition rules and the weight threshold.
After the real original device information is determined, it can be determined whether the original device information hits the corresponding simulator recognition rules, and simulator identification can then be performed according to the hit results. The identification is similar to the simulator identification based on device information and the preset simulator rules described above; for details, refer to the descriptions of steps 102-103 in the embodiment shown in FIG. 1 and steps 205-207 in the embodiment shown in FIG. 2, which are not repeated here.
Optionally, if it is determined that the target terminal is running in a simulator environment, the recognition device may generate alarm information for risk control. For example, the alarm information may include one or more of a risk level, user information, and malicious behavior of the device. The risk level may be determined according to the target risk control scenario of the terminal, with the correspondence between risk control scenarios and risk levels set in advance; or according to the application the terminal is running, with the correspondence between applications and risk levels set in advance; or according to the number of hooked functions on the terminal, with the correspondence between hook counts and risk levels set in advance; or according to the priority of the tampered device information of the terminal, with the priorities of the different items of device information and the correspondence between priorities and risk levels set in advance; and so on, which is not limited in this application. For example, the risk level may be classified as high, medium or low risk, or as level one, level two, level three, and so on.
The user information may include a user identification (UID), a mobile phone number, an ID card number (if collected when the application was registered), and the like. The malicious behavior may include tampering with the MAC address, the CPU manufacturer, the phone model and brand, the mobile phone number, and so on, and can be determined through the hook detection described above.
In addition, optionally, the recognition device may issue an instruction to the target terminal according to the alarm information, to control operations on the target terminal (such as an APP client running on the terminal). For example, if the recognition device determines that the risk level is low, it may issue an instruction directing the client to display a prompt requiring the user to enter verification information; the verification methods include, but are not limited to, SMS verification codes and image verification codes. If the verification fails, subsequent operations cannot be performed. As another example, if the recognition device determines that the risk level is medium, it may issue an instruction directing the client to block the user's access requests in the target risk control scenario (such as logging in, receiving red envelopes, redeeming coupons, making purchases, transferring money, and so on). As another example, if the recognition device determines that the risk level is high, it may issue an instruction directing the client to block all of the user's access requests, and so on; the cases are not listed one by one here.
For example, for some mobile games, using a simulator gives better performance than a phone (which in practice amounts to cheating in the game). With the identification method above, this application can identify whether the game application is running in a simulator environment, promptly detect game activity running in a simulator, and then stop it, preventing the losses that cheating causes to users.
As another example, the risk control policy for a small loan offered by a financial institution may allow loans only to users in specific regions, such as users in Beijing, Shanghai and Guangzhou. An illegitimate user may use a simulator to modify the GPS location, bypass the risk control policy and obtain a loan fraudulently. With the identification method above, this application can identify whether the device is running in a simulator environment and, once that is determined, reject the user's loan request. Further, this application can also use the hook detection method described above to restore the GPS location and obtain the user's real location information.
As another example, malicious actors set the phone model, brand, manufacturer and other information in a simulator so that one simulator program imitates many different Android phones, creating fake identities to fraudulently obtain promotional offers, registration rewards, and so on. With this application, once the hook detection method described above determines that the phone model, brand, manufacturer or other information has been tampered with, the real phone model, brand, manufacturer and other information can be restored and simulator identification performed, so that it can be promptly identified whether the device operation is running in a simulator environment and, if so, the behavior can be stopped in time, avoiding losses to legitimate users.
In the embodiments of this application, the recognition device can identify whether a terminal is running in a simulator environment from the configured simulator recognition rules and the collected terminal device information, according to which simulator recognition rules the terminal device information hits. This combines multiple simulator recognition rules for simulator identification, which improves the accuracy of simulator identification. Moreover, before identifying from the device information whether the terminal is a simulator, the recognition device can check whether the device information has been tampered with and, when tampering is detected, promptly restore the real device information so that simulator identification is based on real device information, which further improves the accuracy of simulator identification.
The foregoing method embodiments all illustrate the simulator recognition method of this application, and the description of each embodiment has its own emphasis. For a part that is not described in detail in one embodiment, refer to the related descriptions in the other embodiments.
Refer to FIG. 4, which is a schematic structural diagram of a recognition device provided by an embodiment of this application. The recognition device of this embodiment includes units for executing the simulator recognition method described above. Specifically, the recognition device 400 of this embodiment may include an obtaining unit 401 and a processing unit 402, where:
the obtaining unit 401 is configured to obtain device information of a target terminal, the device information including any one or more of: model information of the target terminal, a manufacturer identifier of the central processing unit (CPU), a memory space value, a first number of installed applications, a second number of stored files, the network standard in use, the running state, and router information of the connected Wi-Fi hotspot;
the processing unit 402 is configured to determine, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, where the plurality of simulator recognition rules are determined from the device information of terminals that ran in a simulator environment in the historical records;
the processing unit 402 is further configured to identify whether the target terminal is running in a simulator environment according to the preset weights of the target recognition rules and a weight threshold.
Optionally, the processing unit 402 is specifically configured to: when a plurality of target recognition rules are hit, calculate the sum of the weights of the target recognition rules according to the preset weight of each simulator recognition rule; determine whether the sum of the weights is greater than the preset weight threshold; and when the sum of the weights is greater than the weight threshold, determine that the target terminal is running in a simulator environment.
Optionally, the recognition device further includes a weight setting unit 403;
the weight setting unit 403 is configured to separately count the hit information with which the device information of terminals that ran in a simulator environment in the historical records hits the plurality of simulator recognition rules, and to determine the weight of each simulator recognition rule according to the hit information corresponding to that rule.
The hit information includes a hit frequency and/or a number of hits; the weight of each simulator recognition rule is proportional to the hit frequency corresponding to that rule, and/or the weight of each simulator recognition rule is proportional to the number of hits corresponding to that rule.
Optionally, the model information includes the model and/or brand of the target terminal, and the router information includes the name and/or media access control (MAC) address of the router; the plurality of simulator recognition rules include at least two of the following:
the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in a preset first blacklist;
the MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected falls within a MAC address set in a preset second blacklist;
the model of the terminal to be identified is the same as any terminal model in a preset third blacklist;
the brand of the terminal to be identified is the same as any terminal brand in a preset fourth blacklist;
the manufacturer identifier of the central processing unit (CPU) of the terminal to be identified differs from every manufacturer identifier in a preset whitelist;
the terminal to be identified is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor and a light sensor;
the memory space value of the terminal to be identified is less than a preset memory threshold;
the first number of applications installed on the terminal to be identified is less than a preset first number threshold;
the second number of files stored on the terminal to be identified is less than a preset second number threshold;
the network standard used by the terminal to be identified differs from every network standard in a preset network standard list;
a system file with a preset path and name exists in the system of the terminal to be identified;
the running state of the terminal to be identified is the root state.
Optionally, the recognition device further includes a hook detection unit 404 and a restoration unit 405;
the obtaining unit 401 is further configured to obtain a flag value of a target function corresponding to the device information of the target terminal;
the hook detection unit 404 is configured to determine, according to the flag value, whether the target function is hooked;
the obtaining unit 401 is further configured to obtain, when the target function is determined to be hooked, the target function pointer corresponding to the target function from the memory of the target function;
the restoration unit 405 is configured to determine the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and to determine the original device information according to the original function;
the processing unit 402 is specifically configured to determine, according to the plurality of preset simulator recognition rules and the original device information, the target recognition rules that the original device information hits among the plurality of simulator recognition rules.
Optionally, the hook detection unit 404 is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position being equal in number to the fixed characters; when the comparison shows that the characters at the preset position differ from the fixed characters, the target function is determined to be hooked.
Optionally, the hook detection unit 404 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system executes; when the operation result value is a positive integer, the target function is determined to be hooked.
Specifically, the recognition device may use the above units to implement some or all of the steps of the simulator recognition method in the embodiments shown in FIG. 1 to FIG. 3. It should be understood that this embodiment is a device embodiment corresponding to the method embodiments, and the description of the method embodiments also applies to it.
Please refer to FIG. 5, which is a schematic structural diagram of another recognition device provided by an embodiment of the present application. The recognition device is used to perform the method described above. As shown in FIG. 5, the recognition device 500 in this embodiment may include one or more processors 501 and a memory 502. Optionally, the recognition device may further include one or more user interfaces 503 and/or one or more communication interfaces 504. The processor 501, the user interface 503, the communication interface 504, and the memory 502 may be connected through a bus 505 or in other ways; FIG. 5 shows a bus connection as an example. The memory 502 is configured to store a computer program that includes program instructions, and the processor 501 is configured to execute the program instructions stored in the memory 502.
The processor 501 may be configured to call the program instructions to perform the following steps: obtain device information of a target terminal, the device information including any one or more of the target terminal's model information, the manufacturer identifier of its central processing unit (CPU), its memory space value, a first number of installed applications, a second number of stored files, the network standard in use, the running state, and the router information of the connected Wi-Fi (wireless fidelity) hotspot; determine, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information hits among the plurality of simulator recognition rules, the plurality of simulator recognition rules having been determined from the device information of terminals recorded in the historical records as running in a simulator environment; and identify, according to the preset weights of the target recognition rules and a weight threshold, whether the target terminal is running in a simulator environment.
Optionally, when the processor 501 calls the program instructions to identify, according to the preset weights of the target recognition rules and the weight threshold, whether the target terminal is running in a simulator environment, it specifically performs the following steps: when more than one target recognition rule is hit, calculate the sum of the weights of the hit target recognition rules according to the preset weight of each simulator recognition rule; judge whether the sum of the weights is greater than the preset weight threshold; and when the sum of the weights is greater than the weight threshold, determine that the target terminal is running in a simulator environment.
Optionally, the processor 501 is further configured to call the program instructions to perform the following steps: for each of the plurality of simulator recognition rules, collect hit information on how the device information of terminals recorded in the historical records as running in a simulator environment hits that rule, the hit information including a hit frequency and/or a number of hits; and determine the weight of each simulator recognition rule according to its hit information, where the weight of each simulator recognition rule is proportional to its hit frequency, and/or the weight of each simulator recognition rule is proportional to its number of hits.
Optionally, the model information includes the model and/or brand of the target terminal, and the router information includes the router's name and/or media access control (MAC) address; the plurality of simulator recognition rules includes at least two of the following: the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in a preset first blacklist; the MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is in the set of MAC addresses in a preset second blacklist; the model of the terminal to be identified is the same as any terminal model in a preset third blacklist; the brand of the terminal to be identified is the same as any terminal brand in a preset fourth blacklist; the manufacturer identifier of the central processing unit (CPU) of the terminal to be identified differs from every manufacturer identifier in the preset whitelist; the terminal to be identified is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor, and a light sensor; the memory space value of the terminal to be identified is less than a preset memory threshold; the first number, of applications installed on the terminal to be identified, is less than a preset first number threshold; the second number, of files stored on the terminal to be identified, is less than a preset second number threshold; the network standard used by the terminal to be identified differs from every network standard in the preset network standard list; a system file with a preset path and name exists in the system of the terminal to be identified; the running state of the terminal to be identified is the root state.
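The rule matching, frequency-proportional weighting and threshold decision described above, as an added Python sketch that is not code from the patent. The list entries, thresholds, field names, scale factor and sample records are constructed assumptions, since the patent only calls these values "preset".

```python
"""Weighted simulator-recognition rules: illustrative sketch with constructed data."""
from collections import Counter

# Constructed placeholders: the patent only says these lists/thresholds are "preset".
ROUTER_NAME_BLACKLIST = {"EXAMPLE-EMU-AP"}
ROUTER_MAC_BLACKLIST = {"02:00:00:00:00:01"}
MODEL_BLACKLIST = {"example-emulator-model"}
BRAND_BLACKLIST = {"example-emulator-brand"}
CPU_VENDOR_WHITELIST = {"vendor-a", "vendor-b"}
PRESET_MODULES = {"bluetooth", "temperature_sensor", "light_sensor"}
NETWORK_STANDARDS = {"2G", "3G", "4G", "WIFI"}
PRESET_SYSTEM_FILES = {"/example/preset/emulator.marker"}
MEMORY_THRESHOLD_MB = 1024
APP_COUNT_THRESHOLD = 10
FILE_COUNT_THRESHOLD = 50

# One predicate per rule. Device information may hold only some of the fields,
# so a rule hits only when the field it needs was actually collected.
RULES = {
    "router_name_blacklisted": lambda d: d.get("router_name") in ROUTER_NAME_BLACKLIST,
    "router_mac_blacklisted": lambda d: str(d.get("router_mac", "")).lower() in ROUTER_MAC_BLACKLIST,
    "model_blacklisted": lambda d: d.get("model") in MODEL_BLACKLIST,
    "brand_blacklisted": lambda d: d.get("brand") in BRAND_BLACKLIST,
    "cpu_vendor_not_whitelisted": lambda d: "cpu_vendor" in d
        and d["cpu_vendor"] not in CPU_VENDOR_WHITELIST,
    # Interpretation (assumption): the rule hits when any preset module is absent.
    "preset_module_missing": lambda d: "modules" in d
        and not PRESET_MODULES <= set(d["modules"]),
    "low_memory": lambda d: "memory_mb" in d and d["memory_mb"] < MEMORY_THRESHOLD_MB,
    "few_apps": lambda d: "app_count" in d and d["app_count"] < APP_COUNT_THRESHOLD,
    "few_files": lambda d: "file_count" in d and d["file_count"] < FILE_COUNT_THRESHOLD,
    "unknown_network_standard": lambda d: "network" in d
        and d["network"] not in NETWORK_STANDARDS,
    "preset_system_file_present": lambda d: bool(
        PRESET_SYSTEM_FILES & set(d.get("system_files", []))),
    "rooted": lambda d: bool(d.get("rooted")),
}


def hit_rules(info):
    """Return the names of the rules that this device information hits."""
    return [name for name, predicate in RULES.items() if predicate(info)]


def derive_weights(history, scale=10.0):
    """Weight each rule in proportion to its hit frequency over historical
    records of terminals known to have run in a simulator environment."""
    if not history:
        raise ValueError("at least one historical simulator record is required")
    counts = Counter(name for record in history for name in hit_rules(record))
    return {name: scale * counts[name] / len(history) for name in RULES}


def is_simulator(info, weights, threshold):
    """Sum the weights of the hit rules and compare the sum with the threshold."""
    hits = hit_rules(info)
    score = sum(weights[name] for name in hits)
    return score > threshold, score, hits


# Constructed historical records of terminals that ran in a simulator.
HISTORY = [
    {"router_name": "EXAMPLE-EMU-AP", "cpu_vendor": "unknown", "modules": [],
     "memory_mb": 512, "app_count": 3, "rooted": True},
    {"model": "example-emulator-model", "cpu_vendor": "unknown",
     "modules": ["bluetooth"], "memory_mb": 2048, "app_count": 4, "rooted": True},
    {"router_mac": "02:00:00:00:00:01", "cpu_vendor": "vendor-a",
     "modules": sorted(PRESET_MODULES), "memory_mb": 512, "app_count": 40,
     "rooted": True},
    {"cpu_vendor": "unknown", "modules": [], "memory_mb": 4096, "app_count": 2,
     "rooted": False},
]

if __name__ == "__main__":
    weights = derive_weights(HISTORY)
    rooted_phone = {"cpu_vendor": "vendor-a", "modules": sorted(PRESET_MODULES),
                    "memory_mb": 6144, "app_count": 80, "rooted": True}
    suspect = {"cpu_vendor": "unknown", "modules": ["bluetooth"],
               "memory_mb": 3072, "app_count": 5, "rooted": False}
    for label, info in (("rooted phone", rooted_phone), ("suspect", suspect)):
        print(label, is_simulator(info, weights, threshold=15.0))
```

A rule that never hits in the historical records receives weight 0 here, so the history has to be representative before the threshold is tuned.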
Optionally, before the processor 501 calls the program instructions to determine, according to the plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, it further performs the following steps: obtain the flag value of the target function corresponding to the device information of the target terminal, and determine according to the flag value whether the target function is hooked; when the target function is determined to be hooked, obtain the target function pointer corresponding to the target function from the memory of the target function; determine the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and determine the original device information according to the original function;
When the processor 501 calls the program instructions to determine, according to the plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, it specifically performs the following step: determine, according to the plurality of preset simulator recognition rules and the original device information, the target recognition rules that the original device information hits among the plurality of simulator recognition rules.
Optionally, when the processor 501 calls the program instructions to determine according to the flag value whether the target function is hooked, it specifically performs the following steps: compare the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position being equal in number to the fixed characters; when the comparison shows that the characters at the preset position differ from the fixed characters, determine that the target function is hooked.
Optionally, when the processor 501 calls the program instructions to determine according to the flag value whether the target function is hooked, it specifically performs the following steps: perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system executes; when the operation result value is a positive integer, determine that the target function is hooked.
The processor 501 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor.
The user interface 503 may include an input device and an output device; the input device may include a touch panel, a microphone, and the like, and the output device may include a display (LCD, etc.), a speaker, and the like.
The communication interface 504 may include a receiver and a transmitter for communicating with other devices.
The memory 502 may include a read-only memory and a random access memory, and provides instructions and data to the processor 501. A part of the memory 502 may also include a non-volatile random access memory. For example, the memory 502 may also store the above-mentioned correspondence between function pointers and functions.
In a specific implementation, the processor 501 and the other components described in this embodiment may carry out the implementations described in the method embodiments shown in FIG. 1 to FIG. 3, and may also carry out the implementations of the units described in FIG. 4 of the embodiments of the present application; details are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium storing a computer program. When executed by a processor, the computer program can implement some or all of the steps of the simulator recognition method described in the embodiments corresponding to FIG. 1 to FIG. 3, and can also implement the functions of the recognition device in the embodiments shown in FIG. 4 or FIG. 5 of the present application; details are not repeated here.
An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to execute some or all of the steps of the above method.
The computer-readable storage medium may be an internal storage unit of the recognition device according to any one of the foregoing embodiments, such as a hard disk or memory of the recognition device. The computer-readable storage medium may also be an external storage device of the recognition device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card with which the recognition device is equipped.
In the present application, the term "and/or" merely describes an association between associated objects and indicates that three relationships are possible. For example, "A and/or B" can mean: A alone, both A and B, or B alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
In the various embodiments of the present application, the sequence numbers of the above processes do not imply an order of execution. The execution order of each process should be determined by its function and internal logic, and the sequence numbers shall not limit the implementation of the embodiments of the present application in any way.
The above describes only some implementations of the present application, but the scope of protection of the present application is not limited to them. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed in the present application, and these modifications or replacements shall fall within the scope of protection of the present application.

Claims (20)

  1. A simulator recognition method, characterized by comprising:
    obtaining device information of a target terminal, the device information including any one or more of the target terminal's model information, the manufacturer identifier of its central processing unit (CPU), its memory space value, a first number of installed applications, a second number of stored files, the network standard in use, the running state, and the router information of the connected Wi-Fi (wireless fidelity) hotspot;
    determining, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, wherein the plurality of simulator recognition rules are determined from the device information of terminals recorded in the historical records as running in a simulator environment;
    identifying, according to the preset weights of the target recognition rules and a weight threshold, whether the target terminal is running in a simulator environment.
  2. The method according to claim 1, characterized in that the identifying, according to the preset weights of the target recognition rules and the weight threshold, whether the target terminal is running in a simulator environment comprises:
    when more than one target recognition rule is hit, calculating the sum of the weights of the hit target recognition rules according to the preset weight of each simulator recognition rule;
    judging whether the sum of the weights is greater than the preset weight threshold;
    when the sum of the weights is greater than the weight threshold, determining that the target terminal is running in a simulator environment.
  3. The method according to claim 1, characterized in that the method further comprises:
    for each of the plurality of simulator recognition rules, collecting hit information on how the device information of terminals recorded in the historical records as running in a simulator environment hits that rule, the hit information including a hit frequency and/or a number of hits;
    determining the weight of each simulator recognition rule according to the hit information of that rule;
    wherein the weight of each simulator recognition rule is proportional to the hit frequency of that rule, and/or the weight of each simulator recognition rule is proportional to the number of hits of that rule.
  4. The method according to any one of claims 1-3, characterized in that the model information includes the model and/or brand of the target terminal, and the router information includes the router's name and/or media access control (MAC) address; the plurality of simulator recognition rules includes at least two of the following:
    the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in a preset first blacklist;
    the MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is in the set of MAC addresses in a preset second blacklist;
    the model of the terminal to be identified is the same as any terminal model in a preset third blacklist;
    the brand of the terminal to be identified is the same as any terminal brand in a preset fourth blacklist;
    the manufacturer identifier of the central processing unit (CPU) of the terminal to be identified differs from every manufacturer identifier in the preset whitelist;
    the terminal to be identified is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor, and a light sensor;
    the memory space value of the terminal to be identified is less than a preset memory threshold;
    the first number, of applications installed on the terminal to be identified, is less than a preset first number threshold;
    the second number, of files stored on the terminal to be identified, is less than a preset second number threshold;
    the network standard used by the terminal to be identified differs from every network standard in the preset network standard list;
    a system file with a preset path and name exists in the system of the terminal to be identified;
    the running state of the terminal to be identified is the root state.
  5. The method according to claim 1, characterized in that, before the determining, according to the plurality of preset simulator recognition rules and the device information of the target terminal, of the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, the method further comprises:
    obtaining the flag value of the target function corresponding to the device information of the target terminal, and determining according to the flag value whether the target function is hooked;
    when the target function is determined to be hooked, obtaining the target function pointer corresponding to the target function from the memory of the target function;
    determining the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and determining the original device information according to the original function;
    and the determining, according to the plurality of preset simulator recognition rules and the device information of the target terminal, of the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules comprises:
    determining, according to the plurality of preset simulator recognition rules and the original device information, the target recognition rules that the original device information hits among the plurality of simulator recognition rules.
  6. The method according to claim 5, characterized in that the determining according to the flag value whether the target function is hooked comprises:
    comparing the characters at a preset position in the flag value with preset fixed characters, the characters at the preset position being equal in number to the fixed characters;
    when the comparison shows that the characters at the preset position differ from the fixed characters, determining that the target function is hooked.
  7. The method according to claim 5, characterized in that the determining according to the flag value whether the target function is hooked comprises:
    performing a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system executes;
    when the operation result value is a positive integer, determining that the target function is hooked.
  8. A recognition device, characterized by comprising: an obtaining unit and a processing unit;
    the obtaining unit is configured to obtain device information of a target terminal, the device information including any one or more of the target terminal's model information, the manufacturer identifier of its central processing unit (CPU), its memory space value, a first number of installed applications, a second number of stored files, the network standard in use, the running state, and the router information of the connected Wi-Fi (wireless fidelity) hotspot;
    the processing unit is configured to determine, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rules that the device information of the target terminal hits among the plurality of simulator recognition rules, wherein the plurality of simulator recognition rules are determined from the device information of terminals recorded in the historical records as running in a simulator environment;
    the processing unit is further configured to identify, according to the preset weights of the target recognition rules and a weight threshold, whether the target terminal is running in a simulator environment.
  9. The recognition device according to claim 8, characterized in that:
    the processing unit is specifically configured to, when more than one target recognition rule is hit, calculate the sum of the weights of the hit target recognition rules according to the preset weight of each simulator recognition rule; judge whether the sum of the weights is greater than the preset weight threshold; and, when the sum of the weights is greater than the weight threshold, determine that the target terminal is running in a simulator environment.
  10. The recognition device according to claim 8, characterized in that the recognition device further comprises: a weight setting unit;
    the weight setting unit is configured to collect, for each of the plurality of simulator recognition rules, hit information on how the device information of terminals recorded in the historical records as running in a simulator environment hits that rule, and to determine the weight of each simulator recognition rule according to the hit information of that rule;
    wherein the hit information includes a hit frequency and/or a number of hits, and the weight of each simulator recognition rule is proportional to the hit frequency of that rule, and/or the weight of each simulator recognition rule is proportional to the number of hits of that rule.
  11. The recognition device according to any one of claims 8-10, characterized in that:
    the model information includes the model and/or brand of the target terminal, and the router information includes the router's name and/or media access control (MAC) address; the plurality of simulator recognition rules includes at least two of the following:
    the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in a preset first blacklist;
    the MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is in the set of MAC addresses in a preset second blacklist;
    the model of the terminal to be identified is the same as any terminal model in a preset third blacklist;
    the brand of the terminal to be identified is the same as any terminal brand in a preset fourth blacklist;
    the manufacturer identifier of the central processing unit (CPU) of the terminal to be identified differs from every manufacturer identifier in the preset whitelist;
    the terminal to be identified is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor, and a light sensor;
    the memory space value of the terminal to be identified is less than a preset memory threshold;
    the first number, of applications installed on the terminal to be identified, is less than a preset first number threshold;
    the second number, of files stored on the terminal to be identified, is less than a preset second number threshold;
    the network standard used by the terminal to be identified differs from every network standard in the preset network standard list;
    a system file with a preset path and name exists in the system of the terminal to be identified;
    the running state of the terminal to be identified is the root state.
  12. The identification device according to claim 8, wherein the identification device further comprises a hook detection unit and a restoration unit;
    the acquiring unit is further configured to acquire a flag value of a target function corresponding to the device information of the target terminal;
    the hook detection unit is configured to determine, according to the flag value, whether the target function is hooked;
    the acquiring unit is further configured to, when it is determined that the target function is hooked, acquire a target function pointer corresponding to the target function from the memory of the target function;
    the restoration unit is configured to determine the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and to determine original device information according to the original function;
    the processing unit is specifically configured to determine, according to the plurality of preset simulator recognition rules and the original device information, the target recognition rule that the original device information hits among the plurality of simulator recognition rules.
  13. The identification device according to claim 12, wherein
    the hook detection unit is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, the number of characters at the preset position being the same as the number of fixed characters; and, when the comparison shows that the characters at the preset position differ from the fixed characters, to determine that the target function is hooked.
  14. The identification device according to claim 12, wherein
    the hook detection unit is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, wherein the logical algorithm is determined according to a preset character string and the jump address used when a native function in the system is executed; and, when the operation result value is a positive integer, to determine that the target function is hooked.
  15. An identification device, comprising a processor and a memory connected to each other, wherein the memory is configured to store a computer program, the computer program includes program instructions, and the processor is configured to invoke the program instructions to perform the following steps:
    acquiring device information of a target terminal, the device information including any one or more of: model information of the target terminal, a manufacturer identifier of the central processing unit (CPU), a memory space value, a first number of installed applications, a second number of stored files, the network standard in use, the running state, and router information of the connected wireless fidelity (Wi-Fi) hotspot; determining, according to a plurality of preset simulator recognition rules and the device information of the target terminal, the target recognition rule that the device information of the target terminal hits among the plurality of simulator recognition rules, wherein the plurality of simulator recognition rules are determined from device information of terminals recorded in the history as running in a simulator environment; and identifying, according to a preset weight of the target recognition rule and a weight threshold, whether the target terminal is running in a simulator environment.
  16. The identification device according to claim 15, wherein, when the processor invokes the program instructions to perform the identifying, according to the preset weight of the target recognition rule and the weight threshold, of whether the target terminal is running in a simulator environment, the processor specifically performs the following steps:
    when multiple target recognition rules are hit, calculating the sum of the weights of the target recognition rules according to the preset weight of each simulator recognition rule; determining whether the sum of the weights is greater than the preset weight threshold; and, when the sum of the weights is greater than the weight threshold, determining that the target terminal is running in a simulator environment.
  17. The identification device according to claim 15, wherein the processor is further configured to invoke the program instructions to perform the following steps:
    separately counting the hit information with which the device information of terminals recorded in the history as running in a simulator environment hits the plurality of simulator recognition rules, the hit information including a hit frequency and/or a number of hits; and determining the weight corresponding to each simulator recognition rule according to the hit information corresponding to that rule; wherein the weight corresponding to each simulator recognition rule is proportional to the hit frequency corresponding to that rule, and/or the weight corresponding to each simulator recognition rule is proportional to the number of hits corresponding to that rule.
  18. The identification device according to any one of claims 15 to 17, wherein the model information includes a model and/or a brand of the target terminal, and the router information includes a name and/or a media access control (MAC) address of a router; the plurality of simulator recognition rules include at least two of the following: the name of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is the same as a router name in a preset first blacklist; the MAC address of the router of the Wi-Fi hotspot to which the terminal to be identified is connected is in the set of MAC addresses in a preset second blacklist; the model of the terminal to be identified is the same as any terminal model in a preset third blacklist; the brand of the terminal to be identified is the same as any terminal brand in a preset fourth blacklist; the manufacturer identifier of the central processing unit (CPU) of the terminal to be identified differs from all manufacturer identifiers in a preset whitelist; the terminal to be identified is not equipped with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor and a light sensor; the memory space value of the terminal to be identified is less than a preset memory threshold; the first number of applications installed on the terminal to be identified is less than a preset first number threshold; the second number of files stored on the terminal to be identified is less than a preset second number threshold; the network standard used by the terminal to be identified differs from all network standards in a preset network standard list; a system file with a preset path and name exists in the system of the terminal to be identified; the running state of the terminal to be identified is the root state.
  19. The identification device according to claim 15, wherein, before invoking the program instructions to perform the determining, according to the plurality of preset simulator recognition rules and the device information of the target terminal, of the target recognition rule that the device information of the target terminal hits among the plurality of simulator recognition rules, the processor further performs the following steps:
    acquiring a flag value of a target function corresponding to the device information of the target terminal, and determining according to the flag value whether the target function is hooked; when it is determined that the target function is hooked, acquiring a target function pointer corresponding to the target function from the memory of the target function; determining the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and determining original device information according to the original function;
    and, when invoking the program instructions to perform the determining, according to the plurality of preset simulator recognition rules and the device information of the target terminal, of the target recognition rule that the device information of the target terminal hits among the plurality of simulator recognition rules, the processor specifically performs the following step:
    determining, according to the plurality of preset simulator recognition rules and the original device information, the target recognition rule that the original device information hits among the plurality of simulator recognition rules.
  20. A computer-readable storage medium, wherein the computer-readable storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 7.
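The weighted-rule procedure of claims 15 to 18, with rule weights derived from historical hit frequency as in claims 10 and 17, sketched as an added Python example that is not part of the patent text. The field names, list contents, thresholds and history records are constructed assumptions, and each weight is taken to equal the hit frequency (proportionality constant 1).

```python
from typing import Any, Callable, Dict, List, Tuple

Device = Dict[str, Any]

# Preset lists and thresholds. The claims only call these "preset"; every value
# here is a constructed placeholder, as are the device-info field names.
ROUTER_NAME_BLACKLIST = {"example-emulator-ap"}
MODEL_BLACKLIST = {"example_emulator_model"}
CPU_VENDOR_WHITELIST = {"vendor_a", "vendor_b"}
MEMORY_THRESHOLD_MB = 1024
APP_COUNT_THRESHOLD = 10
WEIGHT_THRESHOLD = 2.0

# rule name -> (device-info field, predicate applied to that field's value)
RULES: Dict[str, Tuple[str, Callable[[Any], bool]]] = {
    "router_name_blacklisted": ("router_name", lambda v: v in ROUTER_NAME_BLACKLIST),
    "model_blacklisted": ("model", lambda v: v in MODEL_BLACKLIST),
    "cpu_vendor_not_whitelisted": ("cpu_vendor", lambda v: v not in CPU_VENDOR_WHITELIST),
    "no_bluetooth": ("has_bluetooth", lambda v: v is False),
    "low_memory": ("memory_mb", lambda v: v < MEMORY_THRESHOLD_MB),
    "few_apps": ("app_count", lambda v: v < APP_COUNT_THRESHOLD),
    "rooted": ("rooted", lambda v: v is True),
}


def hit_rules(device: Device) -> List[str]:
    """Return the names of the recognition rules this device record hits.

    A rule whose field was not collected is skipped rather than counted as a
    hit, so missing telemetry cannot push a real handset over the threshold.
    """
    hits = []
    for name, (field, predicate) in RULES.items():
        value = device.get(field)
        if value is not None and predicate(value):
            hits.append(name)
    return hits


def learn_weights(emulator_history: List[Device]) -> Dict[str, float]:
    """Weight of each rule = its hit frequency over confirmed-emulator records."""
    if not emulator_history:
        raise ValueError("need at least one historical emulator record")
    counts = {name: 0 for name in RULES}
    for record in emulator_history:
        for name in hit_rules(record):
            counts[name] += 1
    return {name: n / len(emulator_history) for name, n in counts.items()}


def classify(device: Device, weights: Dict[str, float], threshold: float):
    """Sum the weights of the hit rules; emulator only if the sum exceeds threshold."""
    hits = hit_rules(device)
    score = sum(weights[name] for name in hits)
    return score > threshold, score, hits


# Constructed history: four device records previously confirmed as emulators.
HISTORY: List[Device] = [
    {"model": "example_emulator_model", "cpu_vendor": "unknown_x",
     "has_bluetooth": False, "memory_mb": 512, "app_count": 3, "rooted": True},
    {"model": "example_emulator_model", "cpu_vendor": "vendor_a",
     "has_bluetooth": False, "memory_mb": 2048, "app_count": 25, "rooted": True},
    {"model": "some_phone", "cpu_vendor": "unknown_x",
     "has_bluetooth": False, "memory_mb": 512, "app_count": 40, "rooted": True},
    {"model": "example_emulator_model", "cpu_vendor": "unknown_x",
     "has_bluetooth": True, "memory_mb": 4096, "app_count": 2, "rooted": True},
]
```

With these constructed records the root rule gets the highest weight (1.0), yet a rooted physical handset that hits no other rule stays below the threshold, which is the false-positive control the summed-weight comparison provides over any single rule.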
PCT/CN2018/107747 2018-07-27 2018-09-26 Simulator recognition method, recognition device, and computer readable medium WO2020019484A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810855587.2A CN109117250B (en) 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium
CN201810855587.2 2018-07-27

Publications (1)

Publication Number Publication Date
WO2020019484A1 true WO2020019484A1 (en) 2020-01-30

Family

ID=64862409

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/107747 WO2020019484A1 (en) 2018-07-27 2018-09-26 Simulator recognition method, recognition device, and computer readable medium

Country Status (2)

Country Link
CN (1) CN109117250B (en)
WO (1) WO2020019484A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111338946A (en) * 2020-02-24 2020-06-26 北京新氧科技有限公司 Android simulator detection method and device
CN111461545A (en) * 2020-03-31 2020-07-28 北京深演智能科技股份有限公司 Method and device for determining machine access data
CN111611254A (en) * 2020-04-30 2020-09-01 广东良实机电工程有限公司 Equipment energy consumption abnormity monitoring method and device, terminal equipment and storage medium
CN113337995A (en) * 2021-06-29 2021-09-03 海信(山东)冰箱有限公司 Clothes information identification method for washing machine and washing machine
CN114079623A (en) * 2020-08-04 2022-02-22 中国移动通信集团河北有限公司 Method and device for identifying transmission capability of user side router
CN115909019A (en) * 2022-10-26 2023-04-04 吉林省吉林祥云信息技术有限公司 Scheduling method in multi-model node scene of identifying code image

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110248372B (en) * 2019-04-25 2023-04-11 深圳壹账通智能科技有限公司 Simulator detection method and device, storage medium and computer equipment
CN110213341B (en) * 2019-05-13 2023-06-23 百度在线网络技术(北京)有限公司 Method and device for detecting downloading of application program
CN110378112A (en) * 2019-07-08 2019-10-25 北京达佳互联信息技术有限公司 A kind of user identification method and device
CN110619210A (en) * 2019-08-27 2019-12-27 苏宁云计算有限公司 Simulator detection method and system
CN111177483A (en) * 2019-12-04 2020-05-19 北京奇虎科技有限公司 Terminal device identification method, device and computer readable storage medium
CN111107064B (en) * 2019-12-04 2022-07-12 北京奇虎科技有限公司 Terminal equipment identification method, device, equipment and readable storage medium
CN113282304B (en) * 2021-05-14 2022-04-29 杭州云深科技有限公司 System for identifying virtual machine based on app installation list
CN113468541B (en) * 2021-06-30 2024-03-12 北京达佳互联信息技术有限公司 Identification method, identification device, electronic equipment and storage medium
CN113902458A (en) * 2021-12-07 2022-01-07 深圳市活力天汇科技股份有限公司 Malicious user identification method and device and computer equipment
CN115294408B (en) * 2022-10-08 2023-03-24 汉达科技发展集团有限公司 Operation abnormity identification method for driving simulator

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104951355A (en) * 2015-07-03 2015-09-30 北京数字联盟网络科技有限公司 Application program virtual operation environment recognition method and device
CN106648835A (en) * 2016-12-26 2017-05-10 武汉斗鱼网络科技有限公司 Method and system for detecting running of Android application program in Android simulator
US20170277891A1 (en) * 2016-03-25 2017-09-28 The Mitre Corporation System and method for vetting mobile phone software applications
CN107678834A (en) * 2017-09-30 2018-02-09 北京梆梆安全科技有限公司 A kind of Android simulator detection method and device based on hardware configuration
CN108021805A (en) * 2017-12-18 2018-05-11 上海众人网络安全技术有限公司 Detect method, apparatus, equipment and the storage medium of Android application program running environment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107729121A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 Simulator detection method and device

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111338946A (en) * 2020-02-24 2020-06-26 北京新氧科技有限公司 Android simulator detection method and device
CN111338946B (en) * 2020-02-24 2023-07-14 北京新氧科技有限公司 Android simulator detection method and device
CN111461545A (en) * 2020-03-31 2020-07-28 北京深演智能科技股份有限公司 Method and device for determining machine access data
CN111461545B (en) * 2020-03-31 2023-11-10 北京深演智能科技股份有限公司 Method and device for determining machine access data
CN111611254A (en) * 2020-04-30 2020-09-01 广东良实机电工程有限公司 Equipment energy consumption abnormity monitoring method and device, terminal equipment and storage medium
CN111611254B (en) * 2020-04-30 2023-05-09 广东良实机电工程有限公司 Equipment energy consumption abnormality monitoring method and device, terminal equipment and storage medium
CN114079623A (en) * 2020-08-04 2022-02-22 中国移动通信集团河北有限公司 Method and device for identifying transmission capability of user side router
CN114079623B (en) * 2020-08-04 2023-07-21 中国移动通信集团河北有限公司 Method and device for identifying transmission capacity of user side router
CN113337995A (en) * 2021-06-29 2021-09-03 海信(山东)冰箱有限公司 Clothes information identification method for washing machine and washing machine
CN113337995B (en) * 2021-06-29 2023-11-03 海信冰箱有限公司 Clothes information identification method for washing machine and washing machine
CN115909019A (en) * 2022-10-26 2023-04-04 吉林省吉林祥云信息技术有限公司 Scheduling method in multi-model node scene of identifying code image
CN115909019B (en) * 2022-10-26 2024-02-09 吉林省吉林祥云信息技术有限公司 Scheduling method in multi-model node scene for identifying verification code image

Also Published As

Publication number Publication date
CN109117250A (en) 2019-01-01
CN109117250B (en) 2022-03-08

Similar Documents

Publication Publication Date Title
WO2020019484A1 (en) Simulator recognition method, recognition device, and computer readable medium
WO2020019483A1 (en) Emulator identification method, identification device, and computer readable medium
WO2020019485A1 (en) Simulator identification method, identification device, and computer readable medium
US11126717B2 (en) Techniques for identifying computer virus variant
CN109492378A (en) A kind of auth method based on EIC equipment identification code, server and medium
US10073916B2 (en) Method and system for facilitating terminal identifiers
US9558358B2 (en) Random number generator in a virtualized environment
US9614867B2 (en) System and method for detection of malware on a user device using corrected antivirus records
CN109561085B (en) Identity verification method based on equipment identification code, server and medium
CN110417778B (en) Access request processing method and device
WO2020019482A1 (en) Function hook detection method, function hook detection device, and computer-readable medium
CN103440456B (en) The method and device that a kind of application security is assessed
CN105357204B (en) Method and device for generating terminal identification information
CN109600362B (en) Zombie host recognition method, device and medium based on recognition model
US11880458B2 (en) Malware detection based on user interactions
US10623417B1 (en) Software development kit (SDK) fraud prevention and detection
CN109815702B (en) Software behavior safety detection method, device and equipment
CN109815697B (en) Method and device for processing false alarm behavior
CN111464513A (en) Data detection method, device, server and storage medium
WO2016127037A1 (en) Method and device for identifying computer virus variants
CN113225356B (en) TTP-based network security threat hunting method and network equipment
CN113468541A (en) Operating environment recognition method and device, electronic equipment and storage medium
CN108810230B (en) Method, device and equipment for acquiring incoming call prompt information
CN110801630A (en) Cheating program determining method, device, equipment and storage medium
US20210294895A1 (en) Method and system for detecting malware using memory map

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18927780

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18927780

Country of ref document: EP

Kind code of ref document: A1