WO2020019485A1 - Simulator identification method, identification device, and computer readable medium - Google Patents

Publication number
WO2020019485A1
Authority
WO
WIPO (PCT)
Prior art keywords
router
preset
name
target terminal
mac address
Application number
PCT/CN2018/107748
Inventor
李骁
Original Assignee
平安科技(深圳)有限公司
Application filed by 平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45504 Abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • G06F9/45508 Runtime interpretation or emulation, e.g. emulator loops, bytecode interpretation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a simulator identification method, an identification device, and a computer-readable medium.
  • the Android emulator is an application that can simulate the operating environment of the Android system on various platforms such as Windows and Linux. Users can run Android applications on the Android emulator in a terminal such as a personal computer. Certain services in an Android application, such as those requiring risk monitoring, should not be run on the simulator, so it is necessary to identify whether the terminal is running in the Android simulator environment. At present, risk recognition devices have limited ability to recognize the Android simulator and cannot effectively identify whether the terminal is running in the simulator environment.
  • the application provides a simulator recognition method, a recognition device and a computer-readable medium, which are helpful to improve the accuracy of the simulator recognition.
  • the present application provides a simulator identification method, including:
  • the router information includes a router name and a Media Access Control (MAC) address;
  • the target terminal is running in a simulator environment.
  • the present application provides an identification device including a unit for performing the method of the first aspect.
  • the present application provides another identification device, including a processor, a user interface, a communication interface, and a memory, where the processor, the user interface, the communication interface, and the memory are connected to each other, and the memory is used for storing a computer program that supports the identification device in executing the method; the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
  • the present application provides a computer-readable storage medium, where the computer storage medium stores a computer program, the computer program includes program instructions, and the program instructions, when executed by a processor, cause the processor to execute the method of the first aspect described above.
  • when it is detected that the router's name is the same as the name of any router in a preset blacklist and the MAC address is in a preset MAC address set, it can be determined that the terminal is running in the simulator environment, which helps to improve the accuracy of the simulator recognition.
  • FIG. 1 is a schematic flowchart of a simulator recognition method according to an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of another simulator recognition method according to an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of an identification device according to an embodiment of the present application.
  • FIG. 4 is a schematic structural diagram of another identification device according to an embodiment of the present application.
  • the technical solution of the present application can be applied to an identification device, which can include various terminals, servers, or risk identification products (devices) connected to the terminal, etc., for identifying simulator behavior in the terminal (referred to as "simulator recognition"), that is, identifying whether the terminal (or an application in the terminal, such as an application with the SDK embedded) is running in the simulator environment, also described as identifying whether the terminal is logged in using the simulator.
  • the simulator may refer to an Android simulator or another simulator.
  • the terminals involved in this application may be mobile phones, computers, tablets, personal computers, smart watches, etc., and this application is not limited.
  • this application can obtain various device information of the terminal, such as connected Wi-Fi hotspot information, model information, CPU manufacturer information, module configuration information, memory space information, number of installed applications, number of stored files, the network system used, system file abnormal information, running status and other information. One or more of these items are used to identify the simulator, thereby improving the accuracy of the simulator recognition. The details are described below.
  • FIG. 1 is a schematic flowchart of a simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 1, the simulator recognition method may include the following steps:
  • obtain router information of a Wi-Fi hotspot connected to a target terminal, where the router information includes a router name and a MAC address.
  • the target terminal may be any terminal that needs simulator identification, such as a terminal connected to a risk identification product, a terminal in a specific risk control scenario, or a terminal for which simulator identification is triggered (such as by a preset button, a gesture, or another preset triggering method), etc., which is not limited in this application.
  • the risk control scenario may include a login scenario, a transaction scenario, an APP discount domain scenario, and so on.
  • the identification device can obtain router information of the Wi-Fi hotspot connected to the terminal, such as the name of the router and its MAC address, so as to determine, based on the name and MAC address of the router, whether the terminal is running in a simulator environment.
  • the first blacklist includes one or more router names, and the one or more router names may be the names of the Wi-Fi routers connected to terminals identified as simulators in the historical data (that is, terminals identified as running in a simulator environment); the second blacklist may include one or more MAC address sets and/or one or more MAC addresses, where the one or more MAC addresses are the MAC addresses of the routers connected to terminals identified as simulators in the historical data, and a MAC address set is calculated based on the MAC addresses of the routers connected to terminals identified as simulators in the historical data.
  • the first blacklist and the second blacklist may be the same (that is, each router name and MAC address set may be configured in a blacklist), or they may be different (that is, configured separately).
  • detecting whether the MAC address is in a MAC address set in the preset second blacklist can also be referred to as detecting whether the MAC address is the same as a MAC address in the MAC address set in the preset second blacklist; accordingly, the MAC address being in the MAC address set may mean that the MAC address is the same as any MAC address in the MAC address set.
  • the first blacklist includes the names that are counted more frequently among the names of routers connected to the terminals identified as simulators in the historical data, such as the top M names with the highest counts (M is an integer greater than 0, such as 10), or names whose count is greater than a preset number threshold (first threshold);
  • the second blacklist includes the MAC addresses that are counted more frequently among the MAC addresses of routers connected to the terminals identified as simulators in the historical data, or a set of MAC addresses composed of those MAC addresses, such as the top N MAC addresses with the highest counts (N is an integer greater than 0, such as 50), or the MAC addresses whose count is greater than a preset number threshold (second threshold), or a set of MAC addresses determined by these MAC addresses, etc., which is not limited in this application.
  • the first threshold and the second threshold can be set in advance, and they can be the same, for example, both set to 80; or they can be different, for example, the first threshold is 80 and the second threshold is 60, or vice versa.
  • the identification device may match the name of the router corresponding to the target terminal against the router names in the first blacklist described above, and match the MAC address of the router corresponding to the target terminal against the MAC addresses or MAC address sets in the second blacklist described above.
  • if the name of the router corresponding to the target terminal is found in the first blacklist by matching, and the MAC address set containing the MAC address of the router corresponding to the target terminal is found in the second blacklist by matching (or the MAC address of the router corresponding to the target terminal is found by matching), it can be identified that the target terminal is running in the simulator environment.
  • the identification device can obtain the router information of the Wi-Fi hotspot connected to the terminal, and detect and analyze the router information such as the router's name and MAC address. When it detects that the router's name is the same as the name of any router in the preset blacklist and the MAC address is in a preset MAC address set, it can determine that the target terminal is running in the simulator environment.
  • the embodiment of the present application can perform simulator recognition according to the router information of the Wi-Fi hotspot connected to the terminal, which helps to improve the accuracy of the simulator recognition.
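The FIG. 1 flow described above, as an added Python example that is not code from the patent: it builds the two blacklists from historical observations (top-M/top-N or a count threshold) and applies the name-and-MAC rule. The function names, the sample history, and the `"unknown"` verdict for Android's placeholder SSID/BSSID values are assumptions of this example.

```python
from collections import Counter
import re

# Values Android's WifiInfo reports when the app lacks permission or is not
# associated. They describe no router, so this example never matches on them
# (an assumption of the example; the patent text does not discuss them).
PLACEHOLDER_SSIDS = {"", "<unknown ssid>"}
PLACEHOLDER_MACS = {"02:00:00:00:00:00", "00:00:00:00:00:00"}


def normalize_ssid(ssid):
    """Strip the double quotes Android wraps around SSIDs; None if unusable."""
    if ssid is None:
        return None
    if len(ssid) >= 2 and ssid[0] == ssid[-1] == '"':
        ssid = ssid[1:-1]
    return None if ssid in PLACEHOLDER_SSIDS else ssid


def normalize_mac(mac):
    """Canonicalise a BSSID to lower-case colon form; None if unusable."""
    if mac is None:
        return None
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    canon = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None if canon in PLACEHOLDER_MACS else canon


def select_frequent(values, top=None, threshold=None):
    """Keep the `top` most frequent values and/or those seen > threshold times."""
    counts = Counter(values)
    chosen = set()
    if top is not None:
        chosen.update(v for v, _ in counts.most_common(top))
    if threshold is not None:
        chosen.update(v for v, c in counts.items() if c > threshold)
    return chosen


def build_router_blacklists(history, top_m=10, top_n=50):
    """history: (ssid, bssid) pairs reported by terminals already identified
    as simulators. Returns (first blacklist of names, second blacklist of MACs)."""
    names = [n for n in (normalize_ssid(s) for s, _ in history) if n]
    macs = [m for m in (normalize_mac(b) for _, b in history) if m]
    return select_frequent(names, top=top_m), select_frequent(macs, top=top_n)


def identify(ssid, bssid, name_blacklist, mac_blacklist):
    """Name in the first blacklist AND MAC in the second blacklist => simulator."""
    name, mac = normalize_ssid(ssid), normalize_mac(bssid)
    if name is None or mac is None:
        return "unknown"          # no usable router information was collected
    if name in name_blacklist and mac in mac_blacklist:
        return "simulator"
    return "not_flagged"


# Constructed sample history; none of these values come from the patent.
HISTORY = (
    [("EmuNet", "0A:1B:2C:00:00:01")] * 5
    + [("EmuNet", "0a-1b-2c-00-00-02")] * 3
    + [('"VBoxWifi"', "0a1b.2c00.0003")] * 4
    + [("CoffeeShop", "0a:1b:2c:00:00:09")]
    + [("<unknown ssid>", "02:00:00:00:00:00")] * 6
)
NAME_BLACKLIST, MAC_BLACKLIST = build_router_blacklists(HISTORY, top_m=2, top_n=3)

if __name__ == "__main__":
    for ssid, bssid in [('"EmuNet"', "0A-1B-2C-00-00-02"),
                        ("EmuNet", "0a:1b:2c:00:00:09"),
                        ("<unknown ssid>", "02:00:00:00:00:00")]:
        print(ssid, bssid, identify(ssid, bssid, NAME_BLACKLIST, MAC_BLACKLIST))
```

Because the rule requires both matches, a blacklisted name on a router whose MAC is not in the set is not flagged, which limits false positives from common SSIDs.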
  • FIG. 2 is a schematic flowchart of another simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 2, the simulator recognition method may include the following steps:
  • for a description of step 201, refer to the related description of step 101 in the embodiment shown in FIG. 1 above; details are not repeated here.
  • the identifying device may obtain multiple pieces of device information of the target terminal; for example, the device information may include one or more of the following: router information of the connected Wi-Fi hotspot (including the router name (or Wi-Fi name), such as the Wi-Fi Service Set Identifier (SSID), the router MAC address (or Wi-Fi MAC address), such as the Wi-Fi Basic Service Set Identifier (BSSID), etc.), model (model and/or brand), CPU manufacturer information, Bluetooth information, sensor information, user trace information such as memory space value, network system used, Android status (also called operating status, such as whether the terminal is in the root state), system file exception information (such as whether there are system files with a preset path and name), the number of installed applications, the number of stored files, the package name of the connected app, the version number of the connected app, the SDK version number, operating system type, operating system version, device unique identification code (UDID), whether it has been jailbroken (such as 1 for jailbroken, 0 for jailbroken
  • the recognition device may perform simulator recognition by acquiring multiple pieces of device information to improve the reliability of recognition.
  • the identification device can use only part of the obtained device information items for simulator identification according to a preset simulator identification rule, so that malicious actors cannot determine which information is actually used for simulator identification. This helps prevent malicious actors from tampering with the relevant device information after learning a particular identification rule, which would keep the simulator from being identified in time; that is, it prevents the identification rule from being cracked, which further improves the reliability of simulator recognition.
  • the identification device can detect whether the function corresponding to the device information has been tampered with, obtain the real device information in a timely manner when tampering is detected, and perform simulator recognition based on the real device information, thereby improving the accuracy and reliability of simulator recognition.
  • this application may use Android underlying source API to collect device information, so that the device information cannot be easily tampered with.
  • the flag value can be used to mark the state of the target function.
  • the state can refer to a state of having been tampered with, or can refer to a read-write state, a blocking or non-blocking state, a process or program exit state, and/or a state in which the content of a file has changed, etc., so that whether the target function is hooked can be determined according to the flag value.
  • each function has a corresponding flag.
  • the flag is a variable. When a function is tampered, the flag corresponding to the function will change. Therefore, the identification device can determine whether the function is hooked by detecting whether the flag of the function has changed, that is, whether the device information corresponding to the function has been tampered with.
  • the value of the flag may be stored in a memory corresponding to the target function.
  • the identification device may perform hook detection using the function as the target function; if the name and MAC address of the router correspond to different functions, the identification device can perform hook detection for both the function corresponding to the name of the router and the function corresponding to the MAC address, that is, both functions can be used as target functions, so as to restore the real device information.
  • the recognition device may compare a character at a preset position in the flag value with a preset fixed character; when the comparison shows that the character at the preset position is different from the fixed character, it is determined that the target function is hooked.
  • the number of characters at the preset position is the same as the number of characters in the fixed character, to facilitate comparison. That is, the change in the flag may refer to a change in one or more bits of the flag value, and the one or more bits may be one or more bits at a preset position of the flag. Therefore, the recognition device can compare the one or more bits at the preset position of the obtained flag value with the fixed character that applies when the function has not been tampered with. If the one or more bits of the flag value have changed, that is, if they differ from the fixed character, it indicates that the target function is hooked, that is, the device information corresponding to the target function has been tampered with.
  • some Xposed plugins set a bit at a fixed position of the function's flag value to 1 when a function is hooked; for functions that have not been tampered with, this bit of the flag value is 0 (the fixed character described above). Therefore, by detecting whether the fixed bit of the flag value of the function is 0, it can be known whether the function is hooked by the Xposed plugin. That is, if the fixed bit of the flag value of the function under test is not 0, it can indicate that the function is hooked and has been tampered with.
  • the recognition device may also perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value; when the operation result value is a positive integer, it is determined that the target function is hooked.
  • the logic algorithm may be determined according to a preset character string and the jump address used when a native function in the system is executed. That is to say, the value obtained by processing the flag according to the preset logic algorithm can also be compared with the fixed character that applies when the function has not been tampered with, such as 0. If the processed value has changed and is not 0, for example it is a positive integer, this indicates that the function is hooked.
  • it can indicate that the function has been tampered with; if the result of the logical operation is equal to 0 (that is, the fixed character), it indicates that the function has not been tampered with.
  • the EntryPointFromJni may refer to the jump address used when a native function is executed, and AccessFlags is the above-mentioned flag.
  • the identification device may determine the system version used by the target terminal, and then, according to that system version, select the way of determining from the flag value whether the target function is hooked, so as to improve the efficiency of hook detection.
  • the correspondence between the system version and the way of hook detection can be set in advance.
  • the function pointer and the hooked function are stored in different fields in the same block of memory, and there is a mapping relationship between different function pointers and the original function, or a mapping relationship between different function pointers and the storage address of the original function.
  • the target function being hooked may mean that the function corresponding to the name of the router and the MAC address is hooked; or, the function corresponding to the name of the router is hooked and / or the function corresponding to the MAC address is hooked.
  • the hooked target function may also be restored, so as to determine the real device information corresponding to the target function.
  • a function pointer corresponding to the target function can be quickly obtained from its memory, that is, the target function pointer described above, so as to determine, according to the target function pointer, the original function corresponding to the target function. Original functions, such as native APIs, are real functions that have not been hooked.
  • the original function corresponding to the target function pointer can be further determined, that is, the actual method. Furthermore, the original function can be used to replace the target function to restore the hooked function. Therefore, the recognition device can determine the real router information corresponding to the target terminal through the original function, so as to perform simulator recognition based on the real router information. Specifically, if the functions corresponding to the router name and MAC address are hooked, the real original router name and MAC address can be restored; if the function corresponding to the router name is hooked, the real original router name can be restored; if the function corresponding to the MAC address is hooked, the original MAC address can be restored.
  • the original function pointer stored in the memory will not be tampered with.
  • the original information of the function will be backed up and stored at a specific address in memory, that is, the address to which the target function pointer points. If this backup information were also tampered with, the Xposed plugin would not work properly. Therefore, the original function obtained at the specific address pointed to by the target function pointer must be the correct function, and it cannot be tampered with.
  • steps 205-206 refer to the related description of steps 102-103 in the embodiment shown in FIG. 1 above, and details are not described herein.
  • the identification device may further combine other device information to further identify whether the target terminal is running in the simulator environment.
  • the identification device may also obtain model information of the target terminal, where the model information includes the model and/or brand of the target terminal, and detect whether the model information is the same as terminal model information in a preset third blacklist, where the third blacklist includes at least one group of terminal model information.
  • the identification device can determine that the target terminal is running in the simulator environment.
  • the model information is the same as any set of terminal model information in the third blacklist.
  • if the model information is a model, the model is the same as any terminal model in the third blacklist;
  • if the model information is a brand, the brand is the same as any terminal brand in the third blacklist;
  • if the model information includes the model and brand, the model is the same as any terminal model in the third blacklist, and the brand is the same as any terminal brand in the third blacklist.
  • the third blacklist includes one or more sets of terminal model information, and the one or more sets of terminal model information may be model information of terminals identified as simulators in historical data, such as the top L sets of model information with the highest counts (L is an integer greater than 0, such as 8), or model information whose count is greater than a preset number threshold (third threshold), etc., which is not repeated here.
  • the identification device can perform simulator recognition by combining the router information of the Wi-Fi hotspot connected to the terminal and the model information of the terminal, which further improves the reliability of the simulator recognition.
  • the identification device may also obtain the manufacturer ID of the CPU of the target terminal, and detect whether the manufacturer ID of the CPU is the same as a manufacturer ID in the preset whitelist; then, when the router's name is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer ID of the CPU is different from all the manufacturer IDs in the whitelist, it is determined that the target terminal runs in the simulator environment.
  • the white list may include the identifications of one or more legal CPU manufacturers.
  • the identification device can perform simulator recognition by combining the router information of the Wi-Fi hotspot connected to the terminal and the CPU manufacturer information of the terminal to improve the reliability of the simulator recognition.
  • the identification device may also perform simulator identification in combination with router information of the Wi-Fi hotspot connected to the terminal and terminal model information to improve the reliability of the simulator identification, which will not be described here.
  • the identification device may also detect whether the device information of the target terminal meets a preset rule, where meeting the preset rule may mean that any one or more of the following rules are met:
  • the target terminal is not configured with a preset module, and the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor;
  • the preset module is a module that is not configured in the terminal identified as the simulator according to historical data statistics, such as a Bluetooth module, a temperature sensor, and a light sensor. Therefore, if it is recognized that the terminal is not configured with the preset module, it may be an emulator.
  • the memory space value of the target terminal is less than a preset memory threshold
  • the first number of applications installed by the target terminal is less than a preset first number threshold
  • the second number of files stored by the target terminal is less than a preset second number threshold
  • the first number threshold and the second number threshold can be preset.
  • the network standard used by the target terminal is different from all the network standards in the preset network standard list;
  • the identification device may determine which are the normal network standards in combination with the target area where the target terminal is located, for example, by pre-configuring different areas and their corresponding network standard lists to determine a list of network standards corresponding to the target area, the network The network standard in the standard list is the normal network standard in the target area. If it is detected that the network standard used by the target terminal is not the network standard in its corresponding network standard list, the target terminal may run in the simulator environment because the simulator may tamper with the network standard information.
  • the abnormal system file can include system files with the following paths and names: /dev/qemu_pipe, /dev/socket/qemud, /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /proc/tty/drivers/goldfish and more.
  • the target terminal is in the root state and so on. If it is detected that the target terminal is in the Android root state, it may be an emulator.
  • the identification device can combine the router information of the Wi-Fi hotspot connected to the terminal, module configuration information, memory space information, number of installed applications, number of stored files, network standards used, system file exception information, operating status and other information to perform simulator recognition, to further improve the reliability of simulator recognition.
  • the identification device may further identify the simulator based on any one or more of the router information of the Wi-Fi hotspot connected to the terminal, model information, CPU manufacturer information, module configuration information, memory space information, number of installed applications, number of stored files, network system used, system file abnormal information, running status and other information; details are not described here.
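The preset rules listed above, evaluated over a device record, as an added Python example that is not code from the patent. The rule names, record fields, thresholds, area key and sample records are all constructed for illustration; only the five QEMU paths come from the text. The `enabled` argument reflects the earlier point that only part of the collected items need be used by a given rule set.

```python
# Paths listed in the patent text as abnormal system files.
QEMU_ARTIFACTS = frozenset({
    "/dev/qemu_pipe", "/dev/socket/qemud",
    "/system/lib/libc_malloc_debug_qemu.so",
    "/sys/qemu_trace", "/proc/tty/drivers/goldfish",
})

# Hypothetical configuration: the patent gives no concrete values.
CONFIG = {
    "preset_modules": ("bluetooth", "temperature_sensor", "light_sensor"),
    "min_memory_mb": 1024,
    "min_installed_apps": 10,      # "first number threshold"
    "min_stored_files": 50,        # "second number threshold"
    "network_standards_by_area": {"area-1": {"LTE", "NR", "WCDMA"}},
}


def _below(device, key, limit):
    """True only when the value was collected and is under the limit."""
    value = device.get(key)
    return value is not None and value < limit


def _missing_module(device, cfg):
    # Assumption: the rule is met when any configured preset module is absent.
    modules = device.get("modules")
    return modules is not None and any(m not in modules for m in cfg["preset_modules"])


def _unexpected_network(device, cfg):
    allowed = cfg["network_standards_by_area"].get(device.get("area"))
    standard = device.get("network_standard")
    return allowed is not None and standard is not None and standard not in allowed


RULES = {
    "missing_preset_module": _missing_module,
    "low_memory": lambda d, c: _below(d, "memory_mb", c["min_memory_mb"]),
    "few_installed_apps": lambda d, c: _below(d, "installed_apps", c["min_installed_apps"]),
    "few_stored_files": lambda d, c: _below(d, "stored_files", c["min_stored_files"]),
    "unexpected_network_standard": _unexpected_network,
    "abnormal_system_file": lambda d, c: any(
        p in QEMU_ARTIFACTS for p in d.get("existing_paths", ())),
    "rooted": lambda d, c: d.get("rooted") is True,
}


def matched_rules(device, config=CONFIG, enabled=None):
    """Return the sorted names of the rules this device record meets.
    `enabled` limits evaluation to a subset of rules."""
    names = RULES if enabled is None else [r for r in RULES if r in enabled]
    return sorted(n for n in names if RULES[n](device, config))


def meets_preset_rule(device, config=CONFIG, enabled=None):
    """Any one or more rules met, as the text defines meeting the preset rule."""
    return bool(matched_rules(device, config, enabled))


# Constructed sample records.
PHONE = {"modules": ["bluetooth", "temperature_sensor", "light_sensor", "gps"],
         "memory_mb": 6144, "installed_apps": 85, "stored_files": 2300,
         "area": "area-1", "network_standard": "LTE",
         "existing_paths": [], "rooted": False}
EMULATED = {"modules": ["gps"], "memory_mb": 2048, "installed_apps": 3,
            "stored_files": 12, "area": "area-1", "network_standard": "UNKNOWN",
            "existing_paths": ["/dev/qemu_pipe", "/system/bin/sh"], "rooted": True}

if __name__ == "__main__":
    for label, record in (("phone", PHONE), ("emulated", EMULATED)):
        print(label, matched_rules(record))
```

Returning the list of matched rules rather than a bare boolean lets the alarm stage record which signals fired for a given terminal.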
  • the identification device can also detect whether the device information used for the simulator recognition has been tampered with. If it has been tampered with, the real device information can be restored, and simulator identification is then performed based on the real device information. For detecting whether the device information has been tampered with and how to restore it, refer to the descriptions of detecting whether the router information has been tampered with and how to restore it in steps 202-204, which are not repeated here.
  • the identification device may generate alarm information.
  • the alarm information may include one or more of a risk level, user information, and malicious behavior of the device.
  • the risk level can be determined according to the target risk control scenario of the terminal, with the correspondence between different risk control scenarios and risk levels set in advance; or the risk level can be determined according to the target application that the terminal runs, with the correspondence between different applications and risk levels set in advance; or the risk level can be determined according to the number of hooked functions of the terminal, with the correspondence between different numbers of hooks and risk levels set in advance; or it can be determined according to the priority of the tampered device information of the terminal.
  • the priority of different device information, and the correspondence between each priority and risk level, can be set in advance, etc., which is not limited in this application.
  • the risk level can be classified as high-risk, medium-risk, low-risk, or first-, second-, third-, and so on.
  • the user information may include a user identification (UID), a mobile phone number, an ID number (if collected during registration of an application), and the like.
  • the malicious behavior may include tampering with the MAC address, tampering with the CPU manufacturer, tampering with the model and brand of the mobile phone, tampering with the mobile phone number, etc., which can be specifically determined through the aforementioned hook detection.
  • the identification device may also issue an instruction to the target terminal according to the alarm information to control operations on the target terminal (such as an APP client running on the terminal). For example, if the identification device determines that the risk level is low-risk, the identification device may issue an instruction to instruct the client to output a prompt to require the user to enter verification information.
  • the verification method includes, but is not limited to, a short message verification code, a picture verification code, and the like. If the verification fails, no further operation is possible.
  • The identification device may issue an instruction instructing the client to prohibit the access operation requested by the user in the target risk control scenario (such as logging in, receiving red envelopes, redeeming coupons, spending, transferring money, etc.).
  • The identification device may issue an instruction instructing the client to prohibit all access operations requested by the user, and so on; these are not listed one by one here.
  • Using the simulator can obtain stronger performance than the mobile phone (which is in effect game cheating).
  • This application can identify, through the above-mentioned recognition rules, whether the game application is running in the simulator environment, so that a game running in the simulator is discovered promptly, the behavior can be stopped, and cheating is prevented from causing losses to users.
  • The risk control strategy of a small loan launched by a financial institution is to allow only users in specific areas, such as users in Beishangguang (Beijing, Shanghai and Guangzhou). Illegal users may use simulators to modify GPS positioning in order to bypass the risk control strategy and obtain loans by deception. Therefore, the present application can identify through the above recognition rules whether the device is running in the simulator environment, and reject the user's loan request after determining that it is. Further, this application can also restore the GPS positioning by using the above-mentioned hook detection method to obtain the user's true positioning information.
  • Illegal persons set information such as the phone model, brand, and manufacturer in the simulator so that one piece of simulator software simulates multiple different Android phones, thereby creating fake identities to cheat preferential activities, registration rewards, and so on.
  • The real mobile phone model, brand, manufacturer and other information can be restored and the simulator can be identified, so as to identify in a timely manner whether the device is running in the simulator environment; when it is recognized that the device is running in the simulator environment, the behavior can be stopped in time to avoid causing losses to legitimate users.
  • The identification device may perform simulator identification by collecting multiple pieces of device information, such as router information of a Wi-Fi hotspot connected to the terminal, so as to improve the accuracy of the simulator identification. When identifying, based on the device information, whether the terminal is running in the simulator environment, it can also identify whether the device information has been tampered with and restore the real device information in a timely manner when tampering is detected, so as to identify the simulator based on the real device information. The accuracy of the simulator recognition is thereby further improved.
  • FIG. 3 is a schematic structural diagram of an identification device according to an embodiment of the present application.
  • the recognition device in the embodiment of the present application includes a unit for executing the above-mentioned simulator recognition method.
  • The identification device 300 in this embodiment may include an obtaining unit 301 and an identification unit 302, where:
  • the obtaining unit 301 is configured to obtain router information of a wireless fidelity (Wi-Fi) hotspot connected to a target terminal, where the router information includes a router name and a media access control (MAC) address;
  • An identification unit 302 configured to detect whether the name of the router is the same as the router name in the preset first blacklist, and whether the MAC address is in a set of MAC addresses in the preset second blacklist;
  • the identification unit 302 is further configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set.
  • the obtaining unit 301 is further configured to obtain model information of the target terminal, where the model information includes a model and / or a brand of the target terminal;
  • the identification unit 302 is further configured to detect whether the model information is the same as the terminal model information in a preset third blacklist, where the third blacklist includes at least one set of terminal model information;
  • the identifying unit 302 is specifically configured to: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, determine that the target terminal is running in the simulator environment.
  • the obtaining unit 301 is further configured to obtain a manufacturer identifier of a central processing unit (CPU) of the target terminal;
  • the identification unit 302 is further configured to detect whether a manufacturer ID of the CPU is the same as a manufacturer ID in a preset white list;
  • the identification unit 302 is specifically configured to: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU is different from all the manufacturer IDs in the white list, determine that the target terminal is running in a simulator environment.
  • the identification unit 302 is further configured to detect whether the device information of the target terminal meets a preset rule, where the device information of the target terminal meeting the preset rule includes:
  • the target terminal is not configured with a preset module, and the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor; and / or,
  • a memory space value of the target terminal is less than a preset memory threshold; and / or,
  • the first number of applications installed by the target terminal is less than a preset first number threshold; and / or,
  • the second number of files stored by the target terminal is less than a preset second number threshold; and / or,
  • the network standard used by the target terminal is different from all the network standards in the preset network standard list; and / or,
  • a system file of a preset path and name exists in the system of the target terminal; and / or,
  • a running state of the target terminal is a root state
  • the identifying unit 302 is specifically configured to: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal meets the preset rule, determine that the target terminal is running in a simulator environment.
  • the identification device further includes: a hook detection unit 303 and a restoration unit 304;
  • the obtaining unit 301 is further configured to obtain a flag value of a target function corresponding to the router information;
  • a hook detection unit 303 configured to determine, according to the flag value, whether the target function is hooked;
  • the obtaining unit 301 is further configured to obtain, from the memory of the target function, the target function pointer corresponding to the target function when it is determined that the target function is hooked;
  • a restoration unit 304 configured to determine the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and determine original router information according to the original function;
  • the identifying unit 302 is specifically configured to detect whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in the preset second blacklist.
  • the hook detection unit 303 is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, where the number of characters at the preset position is the same as the number of fixed characters; when the comparison shows that the characters at the preset position are different from the fixed characters, it is determined that the target function is hooked.
  • the hook detection unit 303 is specifically configured to perform a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address when a native function in the system is executed; when the operation result value is a positive integer, it is determined that the target function is hooked.
  • the recognition device may implement some or all steps in the simulator recognition method in the embodiments shown in FIG. 1 to FIG. 2 by using the foregoing units. It should be understood that the embodiments of the present application are device embodiments corresponding to the method embodiments, and the description of the method embodiments is also applicable to the embodiments of the present application.
  • FIG. 4 is a schematic structural diagram of another identification device according to an embodiment of the present application.
  • the identification device is used to perform the method described above.
  • the identification device 400 in this embodiment may include: one or more processors 401 and a memory 402.
  • the identification device may further include one or more user interfaces 403, and / or, one or more communication interfaces 404.
  • the processor 401, the user interface 403, the communication interface 404, and the memory 402 may be connected through a bus 405, or may be connected through other methods.
  • FIG. 4 uses connection through a bus as an example.
  • the memory 402 is configured to store a computer program.
  • the computer program includes program instructions, and the processor 401 is configured to execute the program instructions stored in the memory 402.
  • The processor 401 may be used to call the program instructions to perform the following steps: obtaining router information of a wireless fidelity (Wi-Fi) hotspot connected to a target terminal, the router information including a router name and a media access control (MAC) address; detecting whether the name of the router is the same as a router name in the preset first blacklist, and whether the MAC address is in a MAC address set in the preset second blacklist; when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal is running in a simulator environment.
  • Before the processor 401 invokes the program instructions to determine that the target terminal runs in the simulator environment, it is further configured to perform the following steps: obtaining model information of the target terminal, the model information including the model and/or brand of the target terminal; detecting whether the model information is the same as terminal model information in a preset third blacklist, the third blacklist including at least one set of terminal model information;
  • when the processor 401 invokes the program instructions to determine that the target terminal runs in the simulator environment when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, it specifically performs the following step: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, determining that the target terminal is running in the simulator environment.
  • The processor 401 is further configured to perform the following steps: obtaining a manufacturer identifier of a central processing unit (CPU) of the target terminal; detecting whether the manufacturer ID of the CPU is the same as a manufacturer ID in a preset white list;
  • when the processor 401 invokes the program instructions to determine that the target terminal runs in the simulator environment when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, it specifically performs the following step: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU is different from all the manufacturer identifiers in the white list, determining that the target terminal is running in a simulator environment.
  • The processor 401 is further configured to perform the following step: detecting whether the device information of the target terminal meets a preset rule, where the device information of the target terminal meeting the preset rule includes: the target terminal is not configured with a preset module, the preset module including one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or a memory space value of the target terminal is less than a preset memory threshold; and/or a first number of applications installed by the target terminal is less than a preset first number threshold; and/or a second number of files stored by the target terminal is less than a preset second number threshold; and/or the network standard used by the target terminal is different from all the network standards in the preset network standard list; and/or a system file with a preset path and name exists in the system of the target terminal; and/or the running state of the target terminal is the root state;
  • when the processor 401 invokes the program instructions to determine that the target terminal runs in the simulator environment when the name of the router is the same as the name of any router in the first blacklist and the MAC address is in the MAC address set, it specifically performs the following step: when the name of the router is the same as the name of any router in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal meets the preset rule, determining that the target terminal is running in a simulator environment.
  • Before the processor 401 invokes the program instructions to detect whether the name of the router is the same as a router name in the preset first blacklist and whether the MAC address is in a MAC address set in the preset second blacklist, it is further configured to perform the following steps: obtaining the flag value of the target function corresponding to the router information, and determining according to the flag value whether the target function is hooked; when it is determined that the target function is hooked, obtaining the target function pointer corresponding to the target function from the memory of the target function; determining the original function corresponding to the target function pointer according to the pre-stored correspondence between function pointers and functions, and determining the original router information according to the original function;
  • when the processor 401 invokes the program instructions to detect whether the name of the router is the same as a router name in the preset first blacklist and whether the MAC address is in a MAC address set in the preset second blacklist, it specifically performs the following step: detecting whether the router name included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in the preset second blacklist.
  • When the processor 401 invokes the program instructions to determine according to the flag value whether the target function is hooked, it specifically performs the following steps: comparing the characters at a preset position in the flag value with preset fixed characters, where the number of characters at the preset position is the same as the number of fixed characters; when the comparison shows that the characters at the preset position are different from the fixed characters, determining that the target function is hooked.
  • When the processor 401 invokes the program instructions to determine according to the flag value whether the target function is hooked, it specifically performs the following steps: performing a logical operation on the flag value according to a preset logical algorithm to obtain an operation result value, where the logical algorithm is determined according to a preset character string and the jump address when a native function in the system is executed; when the operation result value is a positive integer, determining that the target function is hooked.
  • The processor 401 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
  • a general-purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
  • the user interface 403 may include an input device and an output device, the input device may include a touch panel, a microphone, and the like, and the output device may include a display (LCD, etc.), a speaker, and the like.
  • the communication interface 404 may include a receiver and a transmitter for communicating with other devices.
  • the memory 402 may include a read-only memory and a random access memory, and provide instructions and data to the processor 401.
  • a part of the memory 402 may further include a non-volatile random access memory.
  • the memory 402 may also store the corresponding relationship between the function pointer and the function described above.
  • The processor 401 and the like described in the embodiments of the present application may execute the implementations described in the method embodiments shown in FIG. 1 to FIG. 3 above, and may also execute the implementation of each unit described in FIG. 4 of the embodiments of the present application, which is not repeated here.
  • An embodiment of the present application further provides a computer-readable storage medium storing a computer program; when the computer program is executed by a processor, some or all of the steps in the simulator recognition method described in the embodiments corresponding to FIG. 1 to FIG. 2 can be implemented, and the functions of the recognition device in the embodiment shown in FIG. 3 or FIG. 4 of the present application can also be implemented; details are not described herein.
  • An embodiment of the present application further provides a computer program product containing instructions, which when executed on a computer, causes the computer to execute part or all of the steps in the above method.
  • the computer-readable storage medium may be an internal storage unit of the identification device according to any one of the foregoing embodiments, such as a hard disk or a memory of the identification device.
  • The computer-readable storage medium may also be an external storage device of the identification device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, etc.
  • The size of the sequence numbers of the above processes does not mean the order of execution.
  • The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present application.


Abstract

Disclosed are a simulator identification method, an identification device, and a computer readable medium. The method comprises: obtaining router information of a Wi-Fi hotspot connected to a target terminal, the router information comprising a name and an MAC address of a router; detecting whether the name of the router is the same as that of a router in a preset first blacklist, and whether the MAC address is within an MAC address set in a preset second blacklist; and if the name of the router is the same as that of any router in the first blacklist, and the MAC address is within the MAC address set, determining that the target terminal runs in a simulator environment. Use of the present application facilitates improving the accuracy of simulator identification.

Description

Simulator identification method, identification device, and computer-readable medium
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on July 27, 2018, with application number 201810855586.8 and entitled "A simulator identification method, identification device, and computer-readable medium", the entire contents of which are incorporated herein by reference.
Technical Field
This application relates to the field of communication technologies, and in particular to a simulator identification method, an identification device, and a computer-readable medium.
Background
An Android simulator is an application that can simulate the runtime environment of the Android system on platforms such as Windows and Linux; users can run Android applications on an Android simulator in a terminal such as a personal computer. When Android applications are used, some services, such as services that require risk monitoring, should not be run on a simulator, so it is necessary to identify whether the terminal is running in an Android simulator environment. At present, however, risk identification devices have limited ability to identify Android simulators and cannot effectively determine whether a terminal is running in a simulator environment.
Summary of the Invention
This application provides a simulator identification method, an identification device, and a computer-readable medium, which help improve the accuracy of simulator identification.
In a first aspect, this application provides a simulator identification method, including:
obtaining router information of a wireless fidelity (Wi-Fi) hotspot connected to a target terminal, where the router information includes the router's name and Media Access Control (MAC) address;
detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is in a MAC address set in a preset second blacklist;
when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal is running in a simulator environment.
In a second aspect, this application provides an identification device that includes units for performing the method of the first aspect.
In a third aspect, this application provides another identification device, including a processor, a user interface, a communication interface, and a memory, which are connected to one another, where the memory is used to store a computer program that supports the identification device in executing the above method, the computer program includes program instructions, and the processor is configured to call the program instructions to execute the method of the first aspect.
In a fourth aspect, this application provides a computer-readable storage medium storing a computer program, where the computer program includes program instructions that, when executed by a processor, cause the processor to execute the method of the first aspect.
In the embodiments of this application, router information of the Wi-Fi hotspot connected to a terminal is obtained, and that router information, such as the router's name and MAC address, is checked and analyzed; when the name of the router is found to be the same as any router name in the preset blacklist and the MAC address is in the preset MAC address set, the terminal can be determined to be running in a simulator environment, which helps improve the accuracy of simulator identification.
Brief Description of the Drawings
To explain the technical solutions of the embodiments of this application more clearly, the drawings used in the description of the embodiments are described below.
FIG. 1 is a schematic flowchart of a simulator identification method according to an embodiment of this application;
FIG. 2 is a schematic flowchart of another simulator identification method according to an embodiment of this application;
FIG. 3 is a schematic structural diagram of an identification device according to an embodiment of this application;
FIG. 4 is a schematic structural diagram of another identification device according to an embodiment of this application.
具体实施方式detailed description
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行描述。The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
本申请的技术方案可应用于识别设备中,该识别设备可包括各种终端、服务器或与终端连接的风险识别产品(设备)等等,用于对终端中的模拟器行为进行识别(简称“模拟器识别”),以识别终端(或终端中的应用,如识别植入SDK的应用)是否运行于模拟器环境,或者称为识别终端是否使用模拟器登录。在本申请中,模拟器可以是指Android模拟器或其他模拟器。本申请涉及的终端可以是手机、电脑、平板、个人计算机、智能手表等,本申请不做限定。The technical solution of the present application can be applied to an identification device, which can include various terminals, servers, or risk identification products (devices) connected to the terminal, etc., for identifying the behavior of the simulator in the terminal (referred to as " Simulator recognition ") to identify whether the terminal (or an application in the terminal, such as an application embedded in the SDK) is running in the simulator environment, or is called identifying whether the terminal is logged in using the simulator. In this application, the simulator may refer to an Android simulator or another simulator. The terminals involved in this application may be mobile phones, computers, tablets, personal computers, smart watches, etc., and this application is not limited.
具体的,本申请可通过获取终端的各种设备信息,比如连接的Wi-Fi热点信息、机型信息、CPU的生产商信息、模块配置信息、内存空间信息、安装的应用的数目、存储的文件的数目、使用的网络制式、系统文件异常信息、运行状态等信息中的一项或多项,来进行模拟器识别,从而能够提升模拟器识别的准确性。以下分别详细说明。Specifically, this application can obtain various device information of the terminal, such as connected Wi-Fi hotspot information, model information, CPU manufacturer information, module configuration information, memory space information, number of installed applications, and stored One or more of the number of files, the network system used, system file abnormal information, running status and other information are used to identify the simulator, thereby improving the accuracy of the simulator recognition. The details are described below.
请参见图1,图1是本申请实施例提供的一种模拟器识别方法的流程示意图。具体的,如图1所示,该模拟器识别方法可以包括以下步骤:Please refer to FIG. 1, which is a schematic flowchart of a simulator recognition method provided by an embodiment of the present application. Specifically, as shown in FIG. 1, the simulator recognition method may include the following steps:
101、获取目标终端连接的Wi-Fi热点的路由器信息,该路由器信息包括路由器的名称和MAC地址。101. Obtain router information of a Wi-Fi hotspot connected to a target terminal, where the router information includes a router name and a MAC address.
其中,该目标终端可以是指需要进行模拟器识别的任一终端,比如与风险识别产品连接的终端,或者处于特定风控场景下的终端,或者触发(比如通过预设按键或手势或预设的其他触发方式)了模拟器识别的终端,等等,本申请不做限定。该风控场景可以包括登录场景、交易场景、APP优惠领域场景等等。The target terminal may be any terminal that needs to be identified by the simulator, such as a terminal connected to a risk identification product, or a terminal in a specific risk control scenario, or triggered (such as by a preset button or gesture or preset Other triggering methods) are terminals identified by the simulator, etc., which are not limited in this application. The risk control scenario may include a login scenario, a transaction scenario, an APP discount domain scenario, and so on.
具体的,在需要对某一终端进行模拟器识别时,识别设备可获取该终端连接的Wi-Fi热点的路由器信息如路由器的名称及其MAC地址等,以便于根据该路由器的名称和MAC地址确定该终端是否运行于模拟器环境。Specifically, when it is necessary to identify a terminal by a simulator, the identification device can obtain router information of the Wi-Fi hotspot connected to the terminal, such as the name of the router and its MAC address, so as to facilitate the calculation based on the name and MAC address of the router. Determine if the terminal is running in a simulator environment.
102、检测该路由器的名称是否与预置的第一黑名单内的路由器名称相同,以及该MAC地址是否处于预置的第二黑名单内的MAC地址集合。102. Detect whether the name of the router is the same as the router name in the preset first blacklist, and whether the MAC address is in a set of MAC addresses in the preset second blacklist.
The first blacklist includes one or more router names, which may be the names of the Wi-Fi routers to which terminals identified as simulators in historical data (that is, terminals identified as running in a simulator environment) were connected. The second blacklist may include one or more MAC address sets and/or one or more MAC addresses; the one or more MAC addresses are the MAC addresses of the routers to which terminals identified as simulators in historical data were connected, and the one or more MAC address sets are derived statistically from those MAC addresses. Optionally, the first blacklist and the second blacklist may be the same (that is, the router names and MAC address sets may be configured in a single blacklist) or different (that is, configured independently). Detecting whether the MAC address is in a MAC address set in the preset second blacklist may also be described as detecting whether the MAC address is the same as a MAC address in a MAC address set in the preset second blacklist; accordingly, a MAC address being in a MAC address set may mean that the MAC address is the same as any MAC address in that set.
Optionally, the first blacklist includes the names that occur most often among the names of routers to which terminals identified as simulators in historical data were connected, such as the top M names by count (M is an integer greater than 0, for example 10), or the names whose count is greater than a preset number threshold (the first threshold). The second blacklist includes the MAC addresses that occur most often among the MAC addresses of routers to which terminals identified as simulators in historical data were connected, or MAC address sets composed of those MAC addresses, such as the top N MAC addresses by count (N is an integer greater than 0, for example 50), or the MAC addresses whose count is greater than a preset number threshold (the second threshold), or MAC address sets determined from those MAC addresses, and so on; this application does not limit this. The first threshold and the second threshold can be set in advance. They may be the same, for example both set to 80, or different, for example a first threshold of 80 and a second threshold of 60, or the reverse; details are not repeated here.
103. When the router's name is the same as any router name in the first blacklist, and the MAC address is in the MAC address set, determine that the target terminal is running in a simulator environment.
Specifically, the identification device may match the name of the router corresponding to the target terminal against the router names in the first blacklist, and match the MAC address of that router against the MAC addresses or MAC address sets in the second blacklist. When the first blacklist contains a router name identical to the name of the router corresponding to the target terminal, and the second blacklist contains a MAC address set that includes that router's MAC address (or contains a MAC address identical to it), the target terminal can be identified as running in a simulator environment.
In this embodiment of the application, the identification device obtains the router information of the Wi-Fi hotspot to which the terminal is connected and examines that information, such as the router's name and MAC address. When it detects that the router's name is the same as any router name in the preset blacklist and that the MAC address is in a preset MAC address set, it can determine that the target terminal is running in a simulator environment. This embodiment performs simulator identification based on the router information of the Wi-Fi hotspot to which the terminal is connected, which helps improve the accuracy of simulator identification.
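The following Python sketch is an added example, not code from the patent. It builds the two blacklists from historical observations (top-M names, MAC addresses above a count threshold) and applies the combined check of steps 102 and 103. The history records, the values M = 2 and threshold = 1, and all function names are constructed for illustration.

```python
from collections import Counter


def normalize_name(name):
    """Strip the double quotes Android's WifiInfo.getSSID() puts around UTF-8 SSIDs."""
    if len(name) >= 2 and name[0] == name[-1] == '"':
        return name[1:-1]
    return name


def normalize_mac(mac):
    """Return 12 lowercase hex digits so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def build_blacklist(observations, top=None, threshold=None):
    """Keep the `top` most frequent values, or every value seen more than `threshold` times."""
    counts = Counter(observations)
    if top is not None:
        return {value for value, _ in counts.most_common(top)}
    if threshold is not None:
        return {value for value, n in counts.items() if n > threshold}
    raise ValueError("give either top or threshold")


# Constructed history: (router name, router MAC) pairs reported by terminals
# that were previously identified as simulators.
HISTORY = (
    [("lab-ap-1", "02:00:00:00:00:01")] * 3
    + [("lab-ap-2", "02:00:00:00:00:02")] * 2
    + [("cafe-guest", "02:00:00:00:00:09")]
)

# First blacklist: top M = 2 router names (assumed value of M).
NAME_BLACKLIST = build_blacklist((normalize_name(n) for n, _ in HISTORY), top=2)

# Second blacklist: one MAC address set holding every MAC seen more than once
# (assumed threshold of 1).
MAC_SETS = [build_blacklist((normalize_mac(m) for _, m in HISTORY), threshold=1)]


def runs_in_simulator(router_name, router_mac,
                      name_blacklist=NAME_BLACKLIST, mac_sets=MAC_SETS):
    """Step 103: both the name match and the MAC-set membership must hold."""
    name_hit = normalize_name(router_name) in name_blacklist
    try:
        mac = normalize_mac(router_mac)
    except ValueError:
        return False  # unreadable MAC: the MAC condition cannot be met
    mac_hit = any(mac in mac_set for mac_set in mac_sets)
    return name_hit and mac_hit


if __name__ == "__main__":
    print(runs_in_simulator('"lab-ap-1"', "02-00-00-00-00-02"))
    print(runs_in_simulator("lab-ap-1", "02:00:00:00:00:09"))
```

Normalizing both fields before comparison matters because the same router can be reported with quoted or unquoted names and with different MAC separators or letter case.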
Refer to FIG. 2, which is a schematic flowchart of another simulator identification method provided by an embodiment of this application. Specifically, as shown in FIG. 2, the simulator identification method may include the following steps:
201. Obtain router information of the Wi-Fi hotspot to which a target terminal is connected, where the router information includes the router's name and MAC address.
Specifically, for a description of step 201, refer to the description of step 101 in the embodiment shown in FIG. 1 above; details are not repeated here.
Optionally, when performing simulator identification, the identification device may obtain multiple items of low-level device information from the target terminal. For example, the device information may include one or more of the following: router information of the connected Wi-Fi hotspot (including the router name (or Wi-Fi name), such as the Wi-Fi Service Set Identifier (SSID), and the router MAC address (or Wi-Fi MAC address), such as the Wi-Fi Basic Service Set Identifier (BSSID)), model (model number and/or brand), CPU manufacturer information, Bluetooth information, sensor information, user usage traces such as the memory space value, the network standard in use, the Android state (also called the running state, such as whether the device is rooted), abnormal system file information (such as whether system files with a preset path and name exist), the number of installed applications, the number of stored files, the package name of the integrating app, the version number of the integrating app, the SDK version number, operating system type, operating system version, unique device identifier (UDID), whether the device is jailbroken (for example 1 for jailbroken, 0 for not jailbroken), latitude and longitude, network type, whether a specified app is installed (for example 1 for installed, 0 for not installed), whether 阿里小号 (Ali Xiaohao) is installed, whether the v8 plugin is installed, the current timestamp (for example with millisecond precision), advertising identifier, Vendor identifier, device model, host name, number of CPU cores, CPU type, CPU subtype, screen resolution, total storage space, remaining storage space, time zone, language, battery level, battery status, carrier name, country ISO, boot time, keyboard list, whether the did has been erased or tampered with, the did stored in localfile, whether the GPS switch is on (for example 0 for off, 1 for on), GPS authorization status, the list of dynamic link libraries loaded by the app, and so on. Specifically, the identification device may perform simulator identification using multiple items of device information to improve the reliability of identification. In addition, the identification device may, according to preset simulator identification rules, use only part of the collected device information items for simulator identification, so that attackers cannot determine which information is actually used. This helps prevent the situation where an attacker learns a particular identification rule, tampers with the relevant device information, and the simulator is then not identified in time; that is, it prevents the identification rules from being cracked, which further improves the reliability of simulator identification.
202. Obtain the flag value of the target function corresponding to the router information, and determine from the flag value whether the target function has been hooked.
Optionally, before identifying whether the terminal is a simulator from the device information, the identification device can detect whether the function corresponding to the device information has been tampered with and, when tampering is detected, promptly obtain the real device information so that simulator identification is based on real device information. This improves the accuracy and reliability of simulator identification. In addition, optionally, this application may collect device information through Android's low-level native APIs, which makes the device information harder to tamper with.
The flag value can be used to mark the state of the target function. The state may be whether the function has been tampered with, or may be a read/write state, a blocking or non-blocking state, a state of exiting a process or program, and/or a state of changing the content of a file, and so on, so that whether the target function has been hooked can be determined from the flag value. Specifically, every function has a corresponding flag, which is a variable; when a function is tampered with, its flag changes. The identification device can therefore determine whether a function has been hooked, that is, whether the device information corresponding to the function has been tampered with, by detecting whether the function's flag has changed. The flag value may be stored in the memory corresponding to the target function. In this embodiment, if the router's name and MAC address correspond to the same function, the identification device may perform hook detection with that function as the target function. If the router's name and MAC address correspond to different functions, the identification device may perform hook detection separately on the function corresponding to the router's name and the function corresponding to the MAC address, that is, treat each of them as a target function, in order to restore the real device information.
Optionally, when determining from the flag value whether the target function has been hooked, the identification device may compare the characters at a preset position in the flag value with preset fixed characters; when the characters at the preset position differ from the fixed characters, it determines that the target function has been hooked. The number of characters at the preset position is the same as the number of fixed characters, so that they can be matched and compared. In other words, a change in the flag may mean that one or more bits of the flag value have changed, and those bits may be one or more bits at a preset position of the flag. The identification device can therefore compare the bit or bits at the preset position of the obtained flag value with the fixed characters of an untampered function. If those bits have changed, that is, if they differ from the fixed characters, the target function has been hooked and the device information corresponding to it has been tampered with.
For example, on systems with Android versions above 4.4 and below 5.0, some Xposed plugins, when hooking a function, set one bit at a fixed position of the function's flag value to 1, whereas for a normal, untampered function that bit of the flag value is 0 (the fixed character mentioned above). Therefore, by checking whether that fixed bit of a function's flag value is 0, it can be determined whether the function has been hooked by the Xposed plugin. That is, if the fixed bit of the function's flag value is not 0, the function has been hooked and tampered with.
Optionally, when determining from the flag value whether the target function has been hooked, the identification device may also perform a logical operation on the flag value according to a preset logical algorithm to obtain a result value; when the result value is a positive integer, it determines that the target function has been hooked. The logical algorithm may be determined from a preset character string and the jump address used when a native function in the system executes. In other words, the value obtained by processing the flag with the preset logical algorithm can also be compared with the fixed character of an untampered function, such as 0. If the processed value has changed, that is, it is not 0 but, for example, some positive integer, the function has been hooked.
For example, on systems with Android version 5.0 and above, if the result of a logical algorithm such as the logical expression EntryPointFromJni&&AccessFlags&0x10000000 is a positive integer, the function has been tampered with; if the result of the logical expression is 0 (the fixed character), the function has not been tampered with. Here EntryPointFromJni may refer to the jump address used when a native function executes, and AccessFlags is the flag described above.
Further optionally, before determining from the flag value whether the target function has been hooked, the identification device may determine the system version used by the target terminal, and then select, according to that system version, the way in which the flag value is used to determine whether the target function has been hooked, to improve the efficiency of hook detection. The correspondence between system versions and hook detection methods can be set in advance.
203. When it is determined that the target function has been hooked, obtain the target function pointer corresponding to the target function from the memory of the target function.
The function pointer and the hooked function are stored in different fields of the same block of memory, and there is a mapping between function pointers and original functions, or in other words between function pointers and the storage addresses of the original functions. The target function being hooked may mean that the function corresponding to both the router's name and MAC address has been hooked, or that the function corresponding to the router's name has been hooked and/or the function corresponding to the MAC address has been hooked.
Optionally, after determining that the target function has been hooked, the hooked target function may be restored so that the real device information corresponding to it can be determined. Specifically, after determining that a function such as the target function has been hooked, the function pointer corresponding to the target function (the target function pointer described above) can be quickly obtained from its memory, so that the original function corresponding to the target function, such as the native API, that is, the real unhooked function, can be determined from the target function pointer.
204. Determine the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and determine the original router information from the original function.
After the target function pointer in the memory corresponding to the target function has been determined, the original function corresponding to the target function pointer, that is, the real Method, can be determined. The original function can then replace the target function, restoring the hooked function. The identification device can thus determine the real router information corresponding to the target terminal through the original function and perform simulator identification based on the real router information. Specifically, if the function corresponding to both the router's name and MAC address has been hooked, the real original router name and MAC address can be restored; if the function corresponding to the router's name has been hooked, the real original router name can be restored; if the function corresponding to the MAC address has been hooked, the real original MAC address can be restored.
It should be understood that the original function pointer stored in that memory will not be tampered with. Given how the Xposed plugin works, before tampering with the target function it backs up the function's original information and saves it at a specific address in memory, namely the address to which the target function pointer points. If this backup information were also tampered with, the Xposed plugin would no longer work properly. Therefore, the original function obtained at the specific address to which the target function pointer points must be the correct function and will not have been tampered with.
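Steps 202 to 204 can be modelled as follows. This Python sketch is an added example, not code from the patent: MethodRecord is a simplified stand-in for the memory block that holds a function's flag, JNI entry address and backup pointer, not a real ART or Dalvik structure. The legacy bit position (which the text does not specify), the pointer value and the router data are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Dict

ART_MASK = 0x10000000  # mask from the expression given for Android 5.0 and above
LEGACY_BIT = 1 << 3    # PLACEHOLDER: the text does not say which bit is used below 5.0


@dataclass
class MethodRecord:
    """Simplified model of the memory holding one function's state."""
    access_flags: int            # the function's flag value
    entry_point_from_jni: int    # jump address used when a native function executes
    backup_ptr: int              # target function pointer (to the backed-up original)
    body: Callable[[], dict]     # the code that currently runs when the function is called


def parse_version(version):
    """'4.4.2' -> (4, 4); '6' -> (6, 0)."""
    parts = version.split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0


def is_hooked(record, system_version):
    """Step 202: choose the flag check that matches the system version."""
    version = parse_version(system_version)
    if version >= (5, 0):
        # EntryPointFromJni && AccessFlags & 0x10000000 ('&' binds tighter than '&&')
        return bool(record.entry_point_from_jni) and bool(record.access_flags & ART_MASK)
    if version >= (4, 4):
        # the bit at the preset position is 0 for an untampered function
        return bool(record.access_flags & LEGACY_BIT)
    raise ValueError(f"no hook check is described for Android {system_version}")


def read_router_info(record, system_version, originals):
    """Steps 203-204: if hooked, resolve the backup pointer and call the original."""
    if not is_hooked(record, system_version):
        return record.body(), False
    original = originals.get(record.backup_ptr)
    if original is None:
        raise LookupError("no original function is stored for this pointer")
    return original(), True


# Constructed sample data.
def real_router_info():
    return {"name": "lab-ap-1", "mac": "02:00:00:00:00:01"}


def spoofed_router_info():
    return {"name": "HomeWiFi", "mac": "02:00:00:00:00:aa"}


ORIGINALS: Dict[int, Callable[[], dict]] = {0x7000: real_router_info}  # pointer -> function
HOOKED_ART = MethodRecord(0x10000001, 0x4000, 0x7000, spoofed_router_info)
CLEAN_ART = MethodRecord(0x00000001, 0, 0, real_router_info)
HOOKED_LEGACY = MethodRecord(LEGACY_BIT | 0x1, 0, 0x7000, spoofed_router_info)

if __name__ == "__main__":
    print(HOOKED_ART.body())                                 # what the hook reports
    print(read_router_info(HOOKED_ART, "6.0", ORIGINALS))    # restored original values
```

The restored name and MAC address are what steps 205 and 206 then compare against the blacklists.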
205. Detect whether the router name included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is in a MAC address set in the preset second blacklist.
206. When the router's name is the same as any router name in the first blacklist, and the MAC address is in the MAC address set, determine that the target terminal is running in a simulator environment.
Specifically, for a description of steps 205-206, refer to the description of steps 102-103 in the embodiment shown in FIG. 1 above; details are not repeated here.
Optionally, in other embodiments, the identification device may combine other device information to further identify whether the target terminal is running in a simulator environment. For example, in some embodiments, the identification device may also obtain model information of the target terminal, where the model information includes the model number and/or brand of the target terminal, and detect whether the model information is the same as terminal model information in a preset third blacklist, where the third blacklist includes at least one set of terminal model information. Further, when the router's name is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, the identification device may determine that the target terminal is running in a simulator environment. The model information being the same as any set of terminal model information in the third blacklist means: when the model information is a model number, the model number is the same as any terminal model number in the third blacklist; when the model information is a brand, the brand is the same as any terminal brand in the third blacklist; when the model information includes both a model number and a brand, the model number is the same as any terminal model number in the third blacklist and the brand is the same as any terminal brand in the third blacklist. Optionally, the third blacklist includes one or more sets of terminal model information, which may be the model information of terminals identified as simulators in historical data, such as the top L sets of model information by count (L is an integer greater than 0, for example 8), or model information whose count is greater than a preset number threshold (the third threshold), and so on; details are not repeated here. In other words, the identification device can perform simulator identification by combining the router information of the Wi-Fi hotspot to which the terminal is connected with the terminal's model information, which further improves the reliability of simulator identification.
As another example, in some embodiments, the identification device may also obtain the manufacturer identifier of the target terminal's CPU and detect whether it is the same as a manufacturer identifier in a preset whitelist. When the router's name is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the CPU's manufacturer identifier differs from every manufacturer identifier in the whitelist, it determines that the target terminal is running in a simulator environment. The whitelist may include the identifiers of one or more legitimate CPU manufacturers. In other words, the identification device can perform simulator identification by combining the router information of the Wi-Fi hotspot to which the terminal is connected with the terminal's CPU manufacturer information, to improve the reliability of simulator identification.
As another example, in some embodiments, the identification device may also perform simulator identification by combining the router information of the Wi-Fi hotspot to which the terminal is connected with the terminal's model information, to improve the reliability of simulator identification; details are not repeated here.
As another example, in some embodiments, the identification device may also detect whether the device information of the target terminal satisfies a preset rule, where the device information satisfying the preset rule may mean that any one or more of the following rules are satisfied:
1) The target terminal is not configured with a preset module, where the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor;
The preset module is a module that, according to statistics from historical data, is not configured in terminals identified as simulators, such as a Bluetooth module, a temperature sensor, or a light sensor. Therefore, if the terminal is found not to be configured with the preset module, it may be a simulator.
2) The memory space value of the target terminal is less than a preset memory threshold;
3) The first number, of applications installed on the target terminal, is less than a preset first number threshold;
4) The second number, of files stored on the target terminal, is less than a preset second number threshold;
The first number threshold and the second number threshold can be set in advance.
5) The network standard used by the target terminal differs from every network standard in a preset network standard list;
Optionally, the identification device may determine which network standards are normal based on the target region in which the target terminal is located. For example, by preconfiguring different regions and their corresponding network standard lists, it can determine the network standard list corresponding to the target region; the network standards in that list are the normal network standards for the target region. If the network standard used by the target terminal is found not to be in its corresponding network standard list, the target terminal may be running in a simulator environment, because a simulator may tamper with the network standard information.
6) System files with a preset path and name exist in the system of the target terminal;
If abnormal system files exist on the target terminal, it may be a simulator. For example, the abnormal system files may include system files with the following paths and names: /dev/qemu_pipe, /dev/socket/qemud, /system/lib/libc_malloc_debug_qemu.so, /sys/qemu_trace, /proc/tty/drivers/goldfish, and so on.
7) The target terminal is in the root state, and so on. If the target terminal is detected to be in the Android root state, it may be a simulator.
In some embodiments, when the router's name is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal satisfies the preset rule, the identification device may determine that the target terminal is running in a simulator environment. In other words, the identification device can perform simulator identification by combining the router information of the Wi-Fi hotspot to which the terminal is connected with module configuration information, memory space information, the number of installed applications, the number of stored files, the network standard in use, abnormal system file information, the running state, and other information, to further improve the reliability of simulator identification.
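The preset rules 1) to 7) and their combination with the router check can be evaluated as in the following Python sketch, which is an added example and not code from the patent. The field names, thresholds, regional network lists and the two device records are constructed assumptions; only the five system file paths come from the text. Rule 1) is interpreted here as firing when any listed module is missing, and a rule whose input field was not collected is skipped rather than counted.

```python
# Paths listed in the text as abnormal system files.
QEMU_FILES = [
    "/dev/qemu_pipe",
    "/dev/socket/qemud",
    "/system/lib/libc_malloc_debug_qemu.so",
    "/sys/qemu_trace",
    "/proc/tty/drivers/goldfish",
]

# Assumed values: the text only says these are preset.
PRESET_MODULES = {"bluetooth", "temperature_sensor", "light_sensor"}
MIN_MEMORY_MB = 1024
MIN_INSTALLED_APPS = 10
MIN_STORED_FILES = 50
REGION_NETWORKS = {"CN": {"GSM", "WCDMA", "LTE", "NR"}}  # constructed per-region list

# Rule name -> predicate over the collected device information (a dict).
RULES = {
    "missing_preset_module": lambda d: not PRESET_MODULES <= set(d["modules"]),
    "low_memory": lambda d: d["memory_mb"] < MIN_MEMORY_MB,
    "few_installed_apps": lambda d: d["installed_apps"] < MIN_INSTALLED_APPS,
    "few_stored_files": lambda d: d["stored_files"] < MIN_STORED_FILES,
    "unexpected_network": lambda d: d["network"] not in REGION_NETWORKS[d["region"]],
    "qemu_system_file": lambda d: any(p in d["files_present"] for p in QEMU_FILES),
    "rooted": lambda d: bool(d["rooted"]),
}


def matched_rules(info, active=None):
    """Return the names of the active rules that the device information satisfies."""
    hits = []
    for name in (active if active is not None else RULES):
        try:
            if RULES[name](info):
                hits.append(name)
        except KeyError:
            # Field not collected (or region without a configured list):
            # the rule cannot be evaluated, so it is skipped.
            continue
    return hits


def decide(router_match, info, active=None, min_hits=1):
    """Router name and MAC matched the blacklists AND at least one preset rule holds."""
    return bool(router_match) and len(matched_rules(info, active)) >= min_hits


# Constructed device records.
EMULATOR_LIKE = {
    "modules": ["bluetooth"], "memory_mb": 2048, "installed_apps": 3,
    "stored_files": 12, "network": "LTE", "region": "CN",
    "files_present": ["/dev/qemu_pipe"], "rooted": True,
}
PHONE_LIKE = {
    "modules": ["bluetooth", "temperature_sensor", "light_sensor"],
    "memory_mb": 6144, "installed_apps": 80,  # stored_files was not collected
    "network": "NR", "region": "CN", "files_present": [], "rooted": False,
}

if __name__ == "__main__":
    print(matched_rules(EMULATOR_LIKE))
    print(decide(True, EMULATOR_LIKE), decide(True, PHONE_LIKE))
```

Passing a subset of rule names as `active` reflects the earlier point that only part of the collected device information needs to be used by a given set of identification rules.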
As another example, in some embodiments, the identification device may also perform simulator identification based on any one or more of the items described above: the router information of the Wi-Fi hotspot to which the terminal is connected, model information, CPU manufacturer information, module configuration information, memory space information, the number of installed applications, the number of stored files, the network standard in use, abnormal system file information, the running state, and other information; details are not repeated here.
Optionally, before performing simulator identification based on any one or more items of device information of the target terminal, such as model information, CPU manufacturer information, module configuration information, memory space information, the number of installed applications, the number of stored files, the network standard in use, abnormal system file information, and the running state, the identification device may also detect whether the device information used for simulator identification has been tampered with. If it has, the real device information can be restored and simulator identification then performed on the real device information. For how to detect whether device information has been tampered with and how to restore it, refer to the description in steps 202-204 above of detecting whether router information has been tampered with and restoring it; details are not repeated here.
Further optionally, if it is determined that the target terminal is running in a simulator environment, the identification device may generate alarm information. For example, the alarm information may include one or more of a risk level, user information, and malicious device behavior. The risk level may be determined according to the target risk-control scenario of the terminal, in which case a correspondence between different risk-control scenarios and risk levels may be set in advance; or the risk level may be determined according to the application that the terminal is running, in which case a correspondence between different applications and risk levels may be set in advance; or the risk level may be determined according to the number of functions on the terminal that have been hooked, in which case a correspondence between different hook counts and risk levels may be set in advance; or the risk level may be determined according to the priority of the device information on the terminal that has been tampered with, in which case the priorities of different device information, and the correspondence between each priority and a risk level, may be set in advance; and so on, which is not limited in this application. For example, the risk level may be divided into high risk, medium risk, and low risk, or into level one, level two, level three, and so on. The user information may include a user identification (UID), a mobile phone number, an ID card number (if collected when the application was registered), and the like. The malicious behavior may include tampering with the MAC address, tampering with the CPU manufacturer, tampering with the phone model and brand, tampering with the mobile phone number, and so on, and can be determined through the hook detection described above.
In addition, optionally, the identification device may also issue an instruction to the target terminal according to the alarm information, so as to control operations on the target terminal (for example, on the APP client running on the terminal). For example, if the identification device determines that the risk level is low risk, it may issue an instruction directing the client to display a prompt requiring the user to enter verification information; verification methods include, but are not limited to, an SMS verification code and an image verification code. If verification fails, no subsequent operation can be performed. As another example, if the identification device determines that the risk level is medium risk, it may issue an instruction directing the client to block the user's access requests in the target risk-control scenario (for example, logging in, claiming red envelopes, redeeming coupons, making purchases, transferring money, and so on). As another example, if the identification device determines that the risk level is high risk, it may issue an instruction directing the client to block all of the user's access requests, and so on; the possibilities are not listed one by one here.
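The decision, alarm and response flow described above can be sketched as follows. This is an added example, not code from the patent: every list entry, threshold, field name, and the hook-count-to-risk mapping is a constructed placeholder, and "satisfies the preset rule" is assumed to mean at least `min_hits` of the listed indicators.

```python
from dataclasses import dataclass, field

# All list entries and thresholds below are constructed placeholders.
ROUTER_NAME_BLACKLIST = {"EXAMPLE-EMU-AP"}        # first blacklist (router names)
ROUTER_MAC_BLACKLIST = {"02:00:00:aa:bb:01"}      # second blacklist (MAC address set)
PRESET_MODULES = ("bluetooth", "temperature_sensor", "light_sensor")
NETWORK_STANDARDS = {"GSM", "WCDMA", "LTE"}       # preset network standard list
MARKER_FILES = {"/example/emulator/marker"}       # preset system file path and name
MIN_MEMORY_MB, MIN_APPS, MIN_FILES = 1024, 5, 20  # preset thresholds
RISK_SCENARIOS = {"login", "coupon", "transfer"}  # target risk-control scenarios


@dataclass
class DeviceReport:
    router_name: str
    router_mac: str
    modules: set
    memory_mb: int
    app_count: int
    file_count: int
    network_standard: str
    system_files: set
    rooted: bool
    tampered_fields: list = field(default_factory=list)  # found by hook detection


def normalize_mac(mac: str) -> str:
    """Compare MACs case-insensitively and accept '-' or ':' separators."""
    return mac.strip().lower().replace("-", ":")


def router_matches(r: DeviceReport) -> bool:
    """Both conditions must hold: name on the first blacklist AND MAC in the set."""
    return (r.router_name in ROUTER_NAME_BLACKLIST
            and normalize_mac(r.router_mac) in ROUTER_MAC_BLACKLIST)


def device_rule_hits(r: DeviceReport) -> list:
    """Return the names of the device-information indicators that fired."""
    hits = []
    if any(m not in r.modules for m in PRESET_MODULES):
        hits.append("missing_module")
    if r.memory_mb < MIN_MEMORY_MB:
        hits.append("low_memory")
    if r.app_count < MIN_APPS:
        hits.append("few_apps")
    if r.file_count < MIN_FILES:
        hits.append("few_files")
    if r.network_standard not in NETWORK_STANDARDS:
        hits.append("unknown_network_standard")
    if r.system_files & MARKER_FILES:
        hits.append("marker_file")
    if r.rooted:
        hits.append("rooted")
    return hits


def is_emulator(r: DeviceReport, min_hits: int = 1) -> bool:
    # Router evidence gates the verdict; device indicators alone never decide it.
    return router_matches(r) and len(device_rule_hits(r)) >= min_hits


def risk_level(hook_count: int) -> str:
    """Constructed mapping from the number of hooked functions to a risk level."""
    if hook_count >= 3:
        return "high"
    return "medium" if hook_count >= 1 else "low"


def build_alert(r: DeviceReport, user_id: str):
    """Alarm information: risk level, user information, malicious behavior."""
    if not is_emulator(r):
        return None
    return {"risk_level": risk_level(len(r.tampered_fields)),
            "user": user_id,
            "malicious_behavior": sorted(r.tampered_fields)}


def decide(alert, scenario: str) -> str:
    """Map the alarm to the client instruction for one requested operation."""
    if alert is None:
        return "allow"
    if alert["risk_level"] == "high":
        return "deny"                      # block every request
    if alert["risk_level"] == "medium":    # block only risk-control scenarios
        return "deny" if scenario in RISK_SCENARIOS else "allow"
    return "require_verification"          # low risk: SMS or image code
```

Because the router name and MAC are evaluated as a conjunction, a device on a network that merely shares a blacklisted name is not flagged; the device-information indicators only corroborate a router match.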
For example, for some mobile games, using a simulator can yield better performance than a phone (which in effect is game cheating). With the identification rules described above, this application can identify whether a game application is running in a simulator environment and discover game activity running in a simulator in a timely manner, so that the activity can be stopped and the losses that cheating causes to users can be prevented.
As another example, the risk-control policy for a small loan offered by a financial institution allows only users in specific regions, such as users in Beijing, Shanghai and Guangzhou, to borrow. An illegitimate user may use a simulator to modify the GPS location in order to bypass the risk-control policy and fraudulently obtain a loan. With the identification rules described above, this application can identify whether the device is running in a simulator environment and, after determining that it is, reject the user's loan request. Further, this application can also use the hook detection described above to restore the GPS location and obtain the user's real location information.
As another example, fraudsters set information such as the phone model, brand, and manufacturer in a simulator so that one piece of simulator software imitates many different Android phones, and thereby create fake identities to fraudulently obtain promotional offers, registration rewards, and so on. With this application, once the hook detection described above determines that information such as the phone model, brand, and manufacturer has been tampered with, the real model, brand, and manufacturer information can be restored and simulator identification performed, so that it can be identified in a timely manner whether the device is operating in a simulator environment. When it is identified as running in a simulator environment, the behavior can be stopped in time, avoiding losses to legitimate users.
In the embodiments of the present application, the identification device can perform simulator identification by collecting multiple items of device information, such as the router information of the Wi-Fi hotspot to which the terminal is connected, which improves the accuracy of simulator identification. Moreover, before identifying from the device information whether the terminal is running in a simulator environment, it can detect whether the device information has been tampered with and, when tampering is detected, restore the real device information in a timely manner so that simulator identification is based on the real device information, which further improves the accuracy of simulator identification.
The foregoing method embodiments are all examples of the simulator identification method of the present application, and the description of each embodiment has its own emphasis. For a part that is not described in detail in one embodiment, refer to the related descriptions in the other embodiments.
Please refer to FIG. 3, which is a schematic structural diagram of an identification device according to an embodiment of the present application. The identification device in this embodiment includes units for executing the simulator identification method described above. Specifically, the identification device 300 of this embodiment may include an obtaining unit 301 and an identification unit 302, where:
The obtaining unit 301 is configured to obtain router information of a wireless fidelity (Wi-Fi) hotspot to which a target terminal is connected, where the router information includes the name and the media access control (MAC) address of the router;
The identification unit 302 is configured to detect whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is in a MAC address set in a preset second blacklist;
The identification unit 302 is further configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set.
Optionally, the obtaining unit 301 is further configured to obtain model information of the target terminal, where the model information includes the model and/or brand of the target terminal;
The identification unit 302 is further configured to detect whether the model information is the same as terminal model information in a preset third blacklist, where the third blacklist includes at least one set of terminal model information;
The identification unit 302 is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist.
Optionally, the obtaining unit 301 is further configured to obtain a manufacturer identifier of the central processing unit (CPU) of the target terminal;
The identification unit 302 is further configured to detect whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset whitelist;
The identification unit 302 is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU differs from every manufacturer identifier in the whitelist.
Optionally, the identification unit 302 is further configured to detect whether the device information of the target terminal satisfies a preset rule, where the device information of the target terminal satisfying the preset rule includes:
The target terminal is not configured with a preset module, where the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or,
The memory space value of the target terminal is less than a preset memory threshold; and/or,
A first number, of applications installed on the target terminal, is less than a preset first number threshold; and/or,
A second number, of files stored on the target terminal, is less than a preset second number threshold; and/or,
The network standard used by the target terminal differs from every network standard in a preset network standard list; and/or,
A system file with a preset path and name exists in the system of the target terminal; and/or,
The running state of the target terminal is the root state;
The identification unit 302 is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal satisfies the preset rule.
Optionally, the identification device further includes a hook detection unit 303 and a restoration unit 304;
The obtaining unit 301 is further configured to obtain the flag value of the target function corresponding to the router information;
The hook detection unit 303 is configured to determine, according to the flag value, whether the target function is hooked;
The obtaining unit 301 is further configured to, when it is determined that the target function is hooked, obtain the target function pointer corresponding to the target function from the memory of the target function;
The restoration unit 304 is configured to determine the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and to determine the original router information according to the original function;
The identification unit 302 is specifically configured to detect whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is in the MAC address set in the preset second blacklist.
Optionally, the hook detection unit 303 is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, where the number of characters at the preset position is the same as the number of fixed characters, and to determine that the target function is hooked when the comparison shows that the characters at the preset position differ from the fixed characters.
Optionally, the hook detection unit 303 is specifically configured to perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, where the logic algorithm is determined according to a preset character string and the jump address used when a native function in the system executes, and to determine that the target function is hooked when the operation result value is a positive integer.
Specifically, the identification device may use the foregoing units to implement some or all of the steps of the simulator identification method in the embodiments shown in FIG. 1 to FIG. 2. It should be understood that this embodiment is the device embodiment corresponding to the method embodiments, and the description of the method embodiments also applies to it.
Please refer to FIG. 4, which is a schematic structural diagram of another identification device according to an embodiment of the present application. The identification device is used to perform the method described above. As shown in FIG. 4, the identification device 400 in this embodiment may include one or more processors 401 and a memory 402. Optionally, the identification device may further include one or more user interfaces 403 and/or one or more communication interfaces 404. The processor 401, the user interface 403, the communication interface 404, and the memory 402 may be connected through a bus 405 or in other ways; FIG. 4 uses a bus connection as the example. The memory 402 is configured to store a computer program that includes program instructions, and the processor 401 is configured to execute the program instructions stored in the memory 402.
The processor 401 may be configured to call the program instructions to perform the following steps: obtaining router information of a wireless fidelity (Wi-Fi) hotspot to which a target terminal is connected, where the router information includes the name and the media access control (MAC) address of the router; detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is in a MAC address set in a preset second blacklist; and, when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, determining that the target terminal is running in a simulator environment.
Optionally, before calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment, the processor 401 is further configured to perform the following steps: obtaining model information of the target terminal, where the model information includes the model and/or brand of the target terminal; and detecting whether the model information is the same as terminal model information in a preset third blacklist, where the third blacklist includes at least one set of terminal model information;
When calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the processor 401 specifically performs the following step: when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, determining that the target terminal is running in a simulator environment.
Optionally, before calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment, the processor 401 is further configured to perform the following steps: obtaining a manufacturer identifier of the central processing unit (CPU) of the target terminal; and detecting whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset whitelist;
When calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the processor 401 specifically performs the following step: when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the manufacturer identifier of the CPU differs from every manufacturer identifier in the whitelist, determining that the target terminal is running in a simulator environment.
Optionally, before calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment, the processor 401 is further configured to perform the following step: detecting whether the device information of the target terminal satisfies a preset rule, where the device information of the target terminal satisfying the preset rule includes: the target terminal is not configured with a preset module, where the preset module includes one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or, the memory space value of the target terminal is less than a preset memory threshold; and/or, a first number, of applications installed on the target terminal, is less than a preset first number threshold; and/or, a second number, of files stored on the target terminal, is less than a preset second number threshold; and/or, the network standard used by the target terminal differs from every network standard in a preset network standard list; and/or, a system file with a preset path and name exists in the system of the target terminal; and/or, the running state of the target terminal is the root state;
When calling the program instructions to perform the step of determining that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is in the MAC address set, the processor 401 specifically performs the following step: when the name of the router is the same as any router name in the first blacklist, the MAC address is in the MAC address set, and the device information of the target terminal satisfies the preset rule, determining that the target terminal is running in a simulator environment.
Optionally, before calling the program instructions to perform the step of detecting whether the name of the router is the same as a router name in the preset first blacklist and whether the MAC address is in the MAC address set in the preset second blacklist, the processor 401 is further configured to perform the following steps: obtaining the flag value of the target function corresponding to the router information, and determining according to the flag value whether the target function is hooked; when it is determined that the target function is hooked, obtaining the target function pointer corresponding to the target function from the memory of the target function; and determining the original function corresponding to the target function pointer according to a pre-stored correspondence between function pointers and functions, and determining the original router information according to the original function;
When calling the program instructions to perform the step of detecting whether the name of the router is the same as a router name in the preset first blacklist and whether the MAC address is in the MAC address set in the preset second blacklist, the processor 401 specifically performs the following step: detecting whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is in the MAC address set in the preset second blacklist.
Optionally, when calling the program instructions to perform the step of determining according to the flag value whether the target function is hooked, the processor 401 specifically performs the following steps: comparing the characters at a preset position in the flag value with preset fixed characters, where the number of characters at the preset position is the same as the number of fixed characters; and, when the comparison shows that the characters at the preset position differ from the fixed characters, determining that the target function is hooked.
Optionally, when calling the program instructions to perform the step of determining according to the flag value whether the target function is hooked, the processor 401 specifically performs the following steps: performing a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, where the logic algorithm is determined according to a preset character string and the jump address used when a native function in the system executes; and, when the operation result value is a positive integer, determining that the target function is hooked.
The processor 401 may be a central processing unit (CPU), or it may be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
The user interface 403 may include an input device and an output device. The input device may include a touch panel, a microphone, and the like, and the output device may include a display (an LCD or the like), a speaker, and the like.
The communication interface 404 may include a receiver and a transmitter for communicating with other devices.
The memory 402 may include read-only memory and random access memory, and provides instructions and data to the processor 401. A part of the memory 402 may also include non-volatile random access memory. For example, the memory 402 may also store the correspondence between function pointers and functions described above.
In a specific implementation, the processor 401 and the other components described in this embodiment may execute the implementations described in the method embodiments shown in FIG. 1 to FIG. 3 above, and may also execute the implementations of the units described for FIG. 4 of this embodiment; details are not repeated here.
An embodiment of the present application further provides a computer-readable storage medium that stores a computer program. When the computer program is executed by a processor, it can implement some or all of the steps of the simulator identification method described in the embodiments corresponding to FIG. 1 to FIG. 2, and can also implement the functions of the identification device of the embodiment shown in FIG. 3 or FIG. 4 of the present application; details are not repeated here.
An embodiment of the present application further provides a computer program product containing instructions which, when run on a computer, cause the computer to execute some or all of the steps of the above method.
The computer-readable storage medium may be an internal storage unit of the identification device according to any one of the foregoing embodiments, such as a hard disk or memory of the identification device. The computer-readable storage medium may also be an external storage device of the identification device, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, or a flash card provided on the identification device.
In the present application, the term "and/or" merely describes an association between associated objects and indicates that three relationships are possible. For example, A and/or B can mean three cases: A alone, both A and B, or B alone. In addition, the character "/" in this document generally indicates an "or" relationship between the objects before and after it.
In the various embodiments of the present application, the magnitude of the sequence numbers of the above processes does not imply an order of execution. The order in which the processes are executed should be determined by their functions and internal logic, and the sequence numbers should not constitute any limitation on the implementation of the embodiments of the present application.
The above describes only some of the embodiments of the present application, but the scope of protection of the present application is not limited to them. Any person skilled in the art can readily conceive of various equivalent modifications or replacements within the technical scope disclosed in the present application, and these modifications or replacements shall all fall within the scope of protection of the present application.

Claims (20)

  1. A simulator identification method, characterized by comprising:
    acquiring router information of a wireless fidelity (Wi-Fi) hotspot to which a target terminal is connected, the router information comprising a name and a media access control (MAC) address of the router;
    detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist;
    when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, determining that the target terminal is running in a simulator environment.
  2. The method according to claim 1, characterized in that, before the determining that the target terminal is running in a simulator environment, the method further comprises:
    acquiring model information of the target terminal, the model information comprising a model and/or a brand of the target terminal;
    detecting whether the model information is the same as terminal model information in a preset third blacklist, the third blacklist comprising at least one set of terminal model information;
    wherein the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment comprises:
    when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, determining that the target terminal is running in a simulator environment.
  3. The method according to claim 1, characterized in that, before the determining that the target terminal is running in a simulator environment, the method further comprises:
    acquiring a manufacturer identifier of a central processing unit (CPU) of the target terminal;
    detecting whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset whitelist;
    wherein the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment comprises:
    when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the manufacturer identifier of the CPU differs from all manufacturer identifiers in the whitelist, determining that the target terminal is running in a simulator environment.
  4. The method according to claim 1, characterized in that, before the determining that the target terminal is running in a simulator environment, the method further comprises:
    detecting whether device information of the target terminal satisfies a preset rule, wherein the device information of the target terminal satisfying the preset rule comprises:
    the target terminal is not configured with a preset module, the preset module comprising one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or,
    a memory space value of the target terminal is less than a preset memory threshold; and/or,
    a first number of applications installed on the target terminal is less than a preset first number threshold; and/or,
    a second number of files stored on the target terminal is less than a preset second number threshold; and/or,
    the network standard used by the target terminal differs from all network standards in a preset network standard list; and/or,
    a system file with a preset path and name exists in the system of the target terminal; and/or,
    the running state of the target terminal is a root state;
    wherein the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment comprises:
    when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the device information of the target terminal satisfies the preset rule, determining that the target terminal is running in a simulator environment.
  5. The method according to any one of claims 1-4, characterized in that, before the detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist, the method further comprises:
    acquiring a flag value of a target function corresponding to the router information, and determining, according to the flag value, whether the target function is hooked;
    when it is determined that the target function is hooked, acquiring, from the memory of the target function, a target function pointer corresponding to the target function;
    determining, according to a pre-stored correspondence between function pointers and functions, an original function corresponding to the target function pointer, and determining original router information according to the original function;
    wherein the detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist, comprises:
    detecting whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is within the MAC address set in the preset second blacklist.
  6. The method according to claim 5, characterized in that the determining, according to the flag value, whether the target function is hooked comprises:
    comparing the characters at a preset position in the flag value with preset fixed characters, the number of characters at the preset position being the same as the number of the fixed characters;
    when the comparison shows that the characters at the preset position differ from the fixed characters, determining that the target function is hooked.
  7. The method according to claim 5, characterized in that the determining, according to the flag value, whether the target function is hooked comprises:
    performing a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, wherein the logic algorithm is determined according to a preset character string and the jump address used when a native function in the system is executed;
    when the operation result value is a positive integer, determining that the target function is hooked.
  8. An identification device, characterized by comprising an acquiring unit and an identification unit;
    the acquiring unit is configured to acquire router information of a wireless fidelity (Wi-Fi) hotspot to which a target terminal is connected, the router information comprising a name and a media access control (MAC) address of the router;
    the identification unit is configured to detect whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist;
    the identification unit is further configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set.
  9. The identification device according to claim 8, characterized in that:
    the acquiring unit is further configured to acquire model information of the target terminal, the model information comprising a model and/or a brand of the target terminal;
    the identification unit is further configured to detect whether the model information is the same as terminal model information in a preset third blacklist, the third blacklist comprising at least one set of terminal model information;
    the identification unit is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist.
  10. The identification device according to claim 8, characterized in that:
    the acquiring unit is further configured to acquire a manufacturer identifier of a central processing unit (CPU) of the target terminal;
    the identification unit is further configured to detect whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset whitelist;
    the identification unit is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the manufacturer identifier of the CPU differs from all manufacturer identifiers in the whitelist.
  11. The identification device according to claim 8, characterized in that:
    the identification unit is further configured to detect whether device information of the target terminal satisfies a preset rule, wherein the device information of the target terminal satisfying the preset rule comprises:
    the target terminal is not configured with a preset module, the preset module comprising one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or,
    a memory space value of the target terminal is less than a preset memory threshold; and/or,
    a first number of applications installed on the target terminal is less than a preset first number threshold; and/or,
    a second number of files stored on the target terminal is less than a preset second number threshold; and/or,
    the network standard used by the target terminal differs from all network standards in a preset network standard list; and/or,
    a system file with a preset path and name exists in the system of the target terminal; and/or,
    the running state of the target terminal is a root state;
    the identification unit is specifically configured to determine that the target terminal is running in a simulator environment when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the device information of the target terminal satisfies the preset rule.
  12. The identification device according to any one of claims 8-11, characterized in that the identification device further comprises a hook detection unit and a restoration unit;
    the acquiring unit is further configured to acquire a flag value of a target function corresponding to the router information;
    the hook detection unit is configured to determine, according to the flag value, whether the target function is hooked;
    the acquiring unit is further configured to acquire, from the memory of the target function, a target function pointer corresponding to the target function when it is determined that the target function is hooked;
    the restoration unit is configured to determine, according to a pre-stored correspondence between function pointers and functions, an original function corresponding to the target function pointer, and to determine original router information according to the original function;
    the identification unit is specifically configured to detect whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is within the MAC address set in the preset second blacklist.
  13. The identification device according to claim 12, characterized in that:
    the hook detection unit is specifically configured to compare the characters at a preset position in the flag value with preset fixed characters, the number of characters at the preset position being the same as the number of the fixed characters; and, when the comparison shows that the characters at the preset position differ from the fixed characters, to determine that the target function is hooked.
  14. The identification device according to claim 12, characterized in that:
    the hook detection unit is specifically configured to perform a logical operation on the flag value according to a preset logic algorithm to obtain an operation result value, wherein the logic algorithm is determined according to a preset character string and the jump address used when a native function in the system is executed; and, when the operation result value is a positive integer, to determine that the target function is hooked.
  15. An identification device, characterized by comprising a processor and a memory connected to each other, wherein the memory is configured to store a computer program, the computer program comprises program instructions, and the processor is configured to call the program instructions to perform the following steps:
    acquiring router information of a wireless fidelity (Wi-Fi) hotspot to which a target terminal is connected, the router information comprising a name and a media access control (MAC) address of the router; detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist; when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, determining that the target terminal is running in a simulator environment.
  16. The identification device according to claim 15, characterized in that, before calling the program instructions to perform the determining that the target terminal is running in a simulator environment, the processor is further configured to perform the following steps: acquiring model information of the target terminal, the model information comprising a model and/or a brand of the target terminal; detecting whether the model information is the same as terminal model information in a preset third blacklist, the third blacklist comprising at least one set of terminal model information;
    when calling the program instructions to perform the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment, the processor specifically performs the following step: when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the model information is the same as any set of terminal model information in the third blacklist, determining that the target terminal is running in a simulator environment.
  17. The identification device according to claim 15, characterized in that, before calling the program instructions to perform the determining that the target terminal is running in a simulator environment, the processor is further configured to perform the following steps:
    acquiring a manufacturer identifier of a central processing unit (CPU) of the target terminal; detecting whether the manufacturer identifier of the CPU is the same as a manufacturer identifier in a preset whitelist;
    when calling the program instructions to perform the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment, the processor specifically performs the following step:
    when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the manufacturer identifier of the CPU differs from all manufacturer identifiers in the whitelist, determining that the target terminal is running in a simulator environment.
  18. The identification device according to claim 15, characterized in that, before calling the program instructions to perform the determining that the target terminal is running in a simulator environment, the processor is further configured to perform the following steps:
    detecting whether device information of the target terminal satisfies a preset rule, wherein the device information of the target terminal satisfying the preset rule comprises: the target terminal is not configured with a preset module, the preset module comprising one or more of a Bluetooth module, a temperature sensor, and a light sensor; and/or, a memory space value of the target terminal is less than a preset memory threshold; and/or, a first number of applications installed on the target terminal is less than a preset first number threshold; and/or, a second number of files stored on the target terminal is less than a preset second number threshold; and/or, the network standard used by the target terminal differs from all network standards in a preset network standard list; and/or, a system file with a preset path and name exists in the system of the target terminal; and/or, the running state of the target terminal is a root state;
    when calling the program instructions to perform the determining, when the name of the router is the same as any router name in the first blacklist and the MAC address is within the MAC address set, that the target terminal is running in a simulator environment, the processor specifically performs the following step: when the name of the router is the same as any router name in the first blacklist, the MAC address is within the MAC address set, and the device information of the target terminal satisfies the preset rule, determining that the target terminal is running in a simulator environment.
  19. The identification device according to any one of claims 15-18, characterized in that, before calling the program instructions to perform the detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist, the processor is further configured to perform the following steps:
    acquiring a flag value of a target function corresponding to the router information, and determining, according to the flag value, whether the target function is hooked; when it is determined that the target function is hooked, acquiring, from the memory of the target function, a target function pointer corresponding to the target function; determining, according to a pre-stored correspondence between function pointers and functions, an original function corresponding to the target function pointer, and determining original router information according to the original function;
    when calling the program instructions to perform the detecting whether the name of the router is the same as a router name in a preset first blacklist, and whether the MAC address is within a MAC address set in a preset second blacklist, the processor specifically performs the following step: detecting whether the name of the router included in the original router information is the same as a router name in the preset first blacklist, and whether the MAC address included in the original router information is within the MAC address set in the preset second blacklist.
  20. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, the computer program comprises program instructions, and the program instructions, when executed by a processor, cause the processor to perform the method according to any one of claims 1-7.
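The decision logic of claims 1 to 4, sketched in Python as an added example (not code from the patent or its applicant). All list entries, thresholds and the `DeviceReport` field names are constructed placeholders, claim 4 is reduced to four of its conditions, and the "inconclusive" handling of unreadable SSID/BSSID values is an assumption about how the client collects router data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder lists: the claims do not publish concrete entries.
ROUTER_NAME_BLACKLIST = {"ExampleEmuWiFi", "ExampleVirtAP"}        # first blacklist
ROUTER_MAC_BLACKLIST = {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}  # second blacklist
MODEL_BLACKLIST = {("examplebrand", "example emu x86")}            # third blacklist
CPU_VENDOR_WHITELIST = {"examplechipco", "samplesilicon"}          # claim 3 whitelist
MIN_MEMORY_MB, MIN_INSTALLED_APPS = 1024, 5                        # claim 4 thresholds

# Assumption: values a client reports when it cannot read the real router data
# (Android returns these when the app lacks the required permission).
UNAVAILABLE_SSIDS = {"", "<unknown ssid>"}
UNAVAILABLE_MACS = {"02:00:00:00:00:00", "00:00:00:00:00:00"}


@dataclass
class DeviceReport:
    """Hypothetical record of what the target terminal reported."""
    ssid: Optional[str]
    bssid: Optional[str]
    brand: str = ""
    model: str = ""
    cpu_vendor: str = ""
    has_bluetooth: bool = True
    memory_mb: int = 4096
    installed_apps: int = 50
    rooted: bool = False


def normalize_ssid(raw: Optional[str]) -> Optional[str]:
    """Strip the surrounding quotes Android adds; None if the name is unusable."""
    if raw is None:
        return None
    name = raw.strip()
    if len(name) >= 2 and name[0] == name[-1] == '"':
        name = name[1:-1]
    return None if name in UNAVAILABLE_SSIDS else name


def normalize_mac(raw: Optional[str]) -> Optional[str]:
    """Canonical lower-case aa:bb:cc:dd:ee:ff form; None if malformed or masked."""
    if not raw:
        return None
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    mac = ":".join(digits[i:i + 2] for i in range(0, 12, 2))
    return None if mac in UNAVAILABLE_MACS else mac


def router_blacklisted(report: DeviceReport) -> Optional[bool]:
    """Claim 1: name in the first blacklist AND MAC in the second blacklist."""
    name, mac = normalize_ssid(report.ssid), normalize_mac(report.bssid)
    if name is None or mac is None:
        return None  # nothing trustworthy to compare
    return name in ROUTER_NAME_BLACKLIST and mac in ROUTER_MAC_BLACKLIST


def model_blacklisted(report: DeviceReport) -> bool:
    """Claim 2: brand/model pair equals an entry of the third blacklist."""
    return (report.brand.strip().lower(), report.model.strip().lower()) in MODEL_BLACKLIST


def cpu_not_whitelisted(report: DeviceReport) -> bool:
    """Claim 3: CPU manufacturer differs from every whitelist entry."""
    return report.cpu_vendor.strip().lower() not in CPU_VENDOR_WHITELIST


def device_rule_satisfied(report: DeviceReport) -> bool:
    """Claim 4 (subset): the conditions are joined by and/or, so one hit suffices."""
    return (not report.has_bluetooth
            or report.memory_mb < MIN_MEMORY_MB
            or report.installed_apps < MIN_INSTALLED_APPS
            or report.rooted)


CORROBORATORS = {"model": model_blacklisted, "cpu": cpu_not_whitelisted,
                 "device": device_rule_satisfied}


def classify(report: DeviceReport, corroborate=()) -> str:
    """Return 'simulator', 'no-match' or 'inconclusive'.

    `corroborate` names the dependent-claim checks that must also hold.
    """
    router = router_blacklisted(report)
    if router is None:
        return "inconclusive"
    if router and all(CORROBORATORS[key](report) for key in corroborate):
        return "simulator"
    return "no-match"


if __name__ == "__main__":
    # Constructed sample: quoted SSID and dash-separated MAC as a client might send them.
    sample = DeviceReport('"ExampleEmuWiFi"', "02-00-00-AA-BB-01",
                          cpu_vendor="UnknownVendor", has_bluetooth=False)
    print(classify(sample, ("cpu", "device")))
```

A terminal whose router matches both lists but whose CPU manufacturer is whitelisted is flagged by the claim 1 check alone and cleared once the claim 3 check is required, which is the false-positive reduction the dependent claims provide.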
PCT/CN2018/107748 2018-07-27 2018-09-26 Simulator identification method, identification device, and computer readable medium WO2020019485A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201810855586.8 2018-07-27
CN201810855586.8A CN109062667B (en) 2018-07-27 2018-07-27 Simulator identification method, simulator identification equipment and computer readable medium

Publications (1)

Publication Number Publication Date
WO2020019485A1 true WO2020019485A1 (en) 2020-01-30

Family

ID=64831519

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/107748 WO2020019485A1 (en) 2018-07-27 2018-09-26 Simulator identification method, identification device, and computer readable medium

Country Status (2)

Country Link
CN (1) CN109062667B (en)
WO (1) WO2020019485A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112905301A (en) * 2021-03-04 2021-06-04 中国科学院信息工程研究所 Detection method and device for Android simulator

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902500B (en) * 2019-03-11 2021-02-26 北京城市网邻信息技术有限公司 Method and system for realizing service call data security through link library
CN110248372B (en) * 2019-04-25 2023-04-11 深圳壹账通智能科技有限公司 Simulator detection method and device, storage medium and computer equipment
CN110532774A (en) * 2019-07-24 2019-12-03 阿里巴巴集团控股有限公司 Hook inspection method, device, server and readable storage medium storing program for executing
CN110427758B (en) * 2019-08-08 2021-06-01 北京智游网安科技有限公司 Position spoofing detection method, intelligent terminal and storage medium
CN110619210A (en) * 2019-08-27 2019-12-27 苏宁云计算有限公司 Simulator detection method and system
CN113282304B (en) * 2021-05-14 2022-04-29 杭州云深科技有限公司 System for identifying virtual machine based on app installation list

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8811607B2 (en) * 2011-06-22 2014-08-19 International Business Machines Corporation Processing context information
CN105162799A (en) * 2015-09-24 2015-12-16 北京奇虎科技有限公司 Method for checking whether client is legal mobile terminal or not and server
CN107729121A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 Simulator detection method and device
CN107729750A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 With reference to configuration information and the Android simulator detection method and device of ardware feature
CN108156268A (en) * 2016-12-05 2018-06-12 腾讯科技(深圳)有限公司 Acquisition methods and server, the terminal device of device identification

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104134041A (en) * 2014-07-31 2014-11-05 北京奇虎科技有限公司 Anti-detecting method and device of terminal simulator system
CN105162768B (en) * 2015-07-31 2018-12-07 腾讯科技(深圳)有限公司 The method and device of detection fishing Wi-Fi Hotspot
CN107729749A (en) * 2017-09-30 2018-02-23 北京梆梆安全科技有限公司 With reference to system information and the Android simulator detection method and device of ardware feature
CN107633170A (en) * 2017-09-30 2018-01-26 北京梆梆安全科技有限公司 A kind of Android simulator detection method and device of combination ardware feature and sensor
CN108021805A (en) * 2017-12-18 2018-05-11 上海众人网络安全技术有限公司 Detect method, apparatus, equipment and the storage medium of Android application program running environment

Also Published As

Publication number Publication date
CN109062667A (en) 2018-12-21
CN109062667B (en) 2023-04-18


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18927988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18927988

Country of ref document: EP

Kind code of ref document: A1