CN102708320B - A virus APK identification method and device - Google Patents

A virus APK identification method and device

Info

Publication number: CN102708320B
Authority: CN (China)
Prior art keywords: virus, signature, apk, installation package, file
Prior art date:
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201210137453.XA
Other languages: Chinese (zh)
Other versions: CN102708320A
Inventors: 张旭, 王栒
Current assignee: Beijing Qihoo Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignees: Beijing Qihoo Technology Co Ltd; Qizhi Software Beijing Co Ltd
Priority date: (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date:
Publication date:

Events:
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201210137453.XA
Publication of CN102708320A
Application granted
Publication of CN102708320B
Status: Active
Anticipated expiration

Abstract

Translated from Chinese

This application provides a virus APK identification method and device. The method includes: presetting a virus database, the virus database containing virus signatures and corresponding weight values; detecting whether a specified file in a target Android installation package APK contains a virus signature and, if so, summing the weight values corresponding to the virus signatures found; and, if the sum of the weight values is greater than or equal to the determination threshold for a given virus, determining that the target Android installation package APK contains a virus of the corresponding type. This application can quickly, accurately and effectively identify virus APKs and their variants, improving the security of APK applications.

Description

Translated from Chinese
A virus APK identification method and device

Technical field

The present application relates to the technical field of network information security, and in particular to a virus APK identification method and a virus APK identification device.

Background

Android is an open-source operating system based on Linux, used mainly on mobile terminals such as mobile phones; it has no unified Chinese name yet. The Android platform consists of an operating system, middleware, a user interface and application software.

APK is the abbreviation of Android application package file, i.e. an Android installation package; it can also be understood as the application software installed on an Android terminal. APK is a file format similar to Symbian Sis or Sisx. It can be installed by transferring the APK file directly to an Android emulator or Android terminal and executing it. Like a sis file, an apk file packages a project compiled with the Android SDK into a single installer file in apk format. An APK file is actually in zip format with its extension changed to apk; after decompressing it with UnZip, the Dex file can be seen. Dex is short for DalvikVM executes, i.e. the Android Dalvik executable program; it is not standard Java bytecode but Dalvik bytecode. When Android runs a program it first needs to UnZip it and then runs it directly, similar to Symbian, which differs from PE files on Windows Mobile.

Specifically, the structure of an APK file is shown in the following table:

In a specific application, an APK can be imported into a mobile terminal through a data cable or wireless data transmission, or downloaded and installed directly through a market (tool software such as an Android market), a web page, or the like. With the popularity and development of Android terminals, all kinds of APKs have emerged, among them virus APKs; for example, some APKs harm users' interests through malicious behaviours such as subscribing to paid SMS services, dialing premium-rate numbers, or backing up sensitive data from the user's phone to a specific server.

At present, some security software aimed specifically at mobile terminals (such as mobile phone antivirus software) has appeared to detect and remove these virus APKs. The methods this existing security software uses to detect virus APKs mainly fall into the following two types:

The first identifies virus APKs through the HASH, signature or package name of the APK file. Its principle is to extract a KEY from the APK using a HASH algorithm and then identify virus APKs by this KEY, or to identify them by the APK digital signature, package name, etc. of the virus APK's author.

However, the existing identification method based on the HASH of the APK file is easily defeated: re-obfuscating, adding new resource files to the APK file, or even modifying the code changes the KEY extracted by the HASH algorithm, so the APK is no longer recognised; the existing signature-based method can be bypassed by replacing the signature; and the existing package-name-based method can be bypassed by modifying the package name. Moreover, changing the obfuscation method, modifying the APK file (adding or deleting resources, code, etc.) or replacing the signature is easy for virus makers, so they can readily produce new virus variants that evade recognition by security software.

The second identifies virus APKs through the class names in the APK's classes.dex. Its principle is to analyse the classes in classes.dex, extract the names of several classes as virus signatures, and then parse the classes.dex file of a candidate APK and check whether it contains those specific class names.

However, this method of identification by scanning class names is, on the one hand, prone to false positives because it only checks class names, and on the other hand easily bypassed by virus makers through obfuscation or by directly modifying the class names.

Therefore, a technical problem that currently needs to be solved by those skilled in the art is to provide a virus APK identification mechanism that quickly, accurately and effectively identifies virus APKs and their variants and improves the security of APK applications.

Summary of the invention

The present application provides a virus APK identification method, used to quickly, accurately and effectively identify virus APKs and their variants and to improve the security of APK applications.

The present application also provides a virus APK identification device, to ensure the practical application and realisation of the above method.

To solve the above problems, the present application discloses a virus APK identification method, comprising:

presetting a virus database, the virus database comprising virus signatures and corresponding weight values;

detecting whether a specified file of a target Android installation package APK contains a virus signature and, if so, summing the weight values corresponding to the virus signatures found;

if the sum of the weight values is greater than or equal to the determination threshold for a given virus, determining that the target Android installation package APK contains a virus of the corresponding type.

Preferably, the method further comprises:

generating a prompt message indicating that a virus of this type exists in the target Android installation package APK.

Preferably, the method further comprises:

if the sum of the weight values is less than the determination threshold for a given virus, determining that the target Android installation package APK is a virus APK.

Preferably, the method further comprises:

generating a prompt message indicating that the target Android installation package APK is a virus APK.

Preferably, the method further comprises:

calling a security software interface to scan and remove viruses from the target Android installation package APK.

Preferably, the specified file includes an executable file, and the step of presetting the virus database comprises:

scanning the executable file in a source Android installation package APK;

extracting specific data from the executable file and judging whether the specific data contains virus information, wherein the specific data includes the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;

if so, generating a virus signature according to the specific data;

assigning a weight value to the virus signature;

saving the virus signature and the corresponding weight value in the virus database.

Preferably, the executable file includes a Dex file, and the Dex file includes the classes.dex file, files with the extension .jar, and files in Dex format.

Preferably, the virus signatures include: header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, and class name/function name signatures; an operation instruction in the executable file consists of two parts, an opcode and an operand;

the header information signatures, constant signatures, operand signatures and class name/function name signatures are generated directly from header information, constants, operands and class names/function names that contain virus information;

the instruction signatures and instruction signature sequences are generated directly from operation instructions that contain virus information, or from strings or wildcards of the opcodes and operands that contain virus information;

the step of saving the virus signature and the corresponding weight value in the virus database comprises:

saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in different storage areas of the database;

or,

saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in the database and marking each with a classification label.

Preferably, the step of detecting whether the specified file in the target Android installation package APK contains the virus signature comprises:

locating the header information of the executable file in the target Android installation package APK and matching the header information against the header information signatures in the virus database; if it matches, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

locating the constants in the constant pool of the executable file in the target Android installation package APK and matching the constants against the constant signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

locating the operands of the operation instructions in the executable file in the target Android installation package APK and matching the operands against the operand signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

locating the opcodes of the operation instructions in the executable file in the target Android installation package APK and matching the opcodes against the instruction signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

locating the opcodes of the operation instructions in the executable file in the target Android installation package APK and matching the opcodes against the instruction signature sequences in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

locating the class names and/or function names invoked by the constants in the constant pool and by the operands of the operation instructions in the executable file in the target Android installation package APK, and matching the class names and/or function names against the class name/function name signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature.

Preferably, the specified file further includes a text file, and the step of presetting the virus database further comprises:

extracting the linux commands in the text file and judging whether the linux commands contain virus information;

if so, generating a virus signature according to the linux commands.

Preferably, the virus signatures further include linux command signatures, and the step of detecting whether the specified file in the target Android installation package APK contains a virus signature further comprises:

locating the text file in the target Android installation package APK and matching the linux commands in the text file against the linux command signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature.

Preferably, the constants in the constant pool of the executable file include the constants in strings, types, fields and methods; the header information of the executable file includes the digest information checksum and/or the signature information Signature.
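The header fields named here (checksum, Signature) and the string constant pool are real parts of the DEX format, so it is worth seeing how a scanner would pull them out of classes.dex before matching. The Python below is an added example, not code from the patent: it builds a constructed minimal DEX (header plus a string table only, not output of any real toolchain), parses the header, verifies the Adler-32 checksum (computed over everything after offset 12) and the SHA-1 signature (over everything after offset 32) as the DEX specification defines them, reads the string constants, and packs the results into the "header" and "constants" feature buckets that a weighted matcher would consume. The string values are placeholders.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# magic, checksum, signature, then 20 u4 fields (file_size ... data_off)
HEADER_FMT = "<8sI20s20I"


def _uleb128(n):
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _read_uleb128(buf, off):
    result = shift = 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return result, off


def build_dex(strings):
    """Constructed minimal DEX: header + string_ids + string_data, nothing else,
    with a genuine checksum and signature so the integrity checks are meaningful.
    ASCII strings only, so MUTF-8 and UTF-8 coincide."""
    string_ids_off = HEADER_SIZE
    data_off = string_ids_off + 4 * len(strings)
    data, ids = bytearray(), []
    for s in strings:
        ids.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\0"
    file_size = data_off + len(data)
    fields = [file_size, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,  # link_size/off, map_off unused
              len(strings), string_ids_off,                     # string_ids
              0, 0, 0, 0, 0, 0, 0, 0, 0, 0,                      # type/proto/field/method/class_defs
              len(data), data_off]
    body = struct.pack("<20I", *fields) + struct.pack(f"<{len(ids)}I", *ids) + bytes(data)
    signature = hashlib.sha1(body).digest()    # SHA-1 of everything after offset 32
    checksum = zlib.adler32(signature + body)  # Adler-32 of everything after offset 12
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + body


def parse_dex(buf):
    """Parse the header and string constant pool; report whether the header's
    checksum and signature agree with the file contents."""
    if len(buf) < HEADER_SIZE or buf[:8] != DEX_MAGIC:
        raise ValueError("not a dex version 035 file")
    _magic, checksum, signature, *fields = struct.unpack_from(HEADER_FMT, buf, 0)
    file_size, header_size, endian_tag = fields[0:3]
    string_ids_size, string_ids_off = fields[6:8]
    if endian_tag != ENDIAN_CONSTANT or header_size != HEADER_SIZE:
        raise ValueError("unsupported header layout")
    if file_size != len(buf):
        raise ValueError("file_size does not match buffer length")
    strings = []
    for i in range(string_ids_size):
        (off,) = struct.unpack_from("<I", buf, string_ids_off + 4 * i)
        _utf16_len, start = _read_uleb128(buf, off)
        strings.append(buf[start:buf.index(b"\0", start)].decode("utf-8"))
    return {
        "checksum": checksum,
        "checksum_ok": zlib.adler32(buf[12:]) == checksum,
        "signature": signature.hex(),
        "signature_ok": hashlib.sha1(buf[32:]).digest() == signature,
        "strings": strings,
    }


def extract_features(buf):
    """Feature buckets for a weighted matcher: header items as "key=value"
    strings, string-pool constants as a set."""
    info = parse_dex(buf)
    return {
        "header": {f"checksum=0x{info['checksum']:08x}", f"signature={info['signature']}"},
        "constants": set(info["strings"]),
    }
```

Flipping one byte of string data makes both integrity checks fail while the strings still parse; a scanner should keep going in that case rather than trusting the header, since a repacked variant will typically carry a fresh checksum and signature anyway, which is exactly why the claims do not rely on the header alone.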

An embodiment of the present application also discloses a virus APK identification device, comprising:

a virus database generation module, for presetting a virus database, the virus database comprising virus signatures and corresponding weight values;

a virus detection module, for detecting whether the specified file in the target Android installation package APK contains the virus signature and, if so, calling the virus weight value statistics module;

a virus weight value statistics module, for summing the weight values corresponding to the virus signatures found;

a threshold judging module, for judging whether the sum of the weight values is greater than or equal to the determination threshold for a given virus and, if so, calling the virus determination module;

a virus determination module, for determining that a virus of the corresponding type exists in the target Android installation package APK.

Preferably, the device further comprises:

a first prompt information generation module, connected to the virus determination module, for generating a prompt message indicating that a virus of this type exists in the target Android installation package APK.

Preferably, the device further comprises:

a virus identification module, for determining that the target Android installation package APK is a virus APK when the sum of the weight values is less than the determination threshold for a given virus.

Preferably, the device further comprises:

a second prompt information generation module, connected to the virus identification module, for generating a prompt message indicating that the target Android installation package APK is a virus APK.

Preferably, the device further comprises:

a virus scanning and removal module, for calling a security software interface to scan and remove viruses from the target Android installation package APK.

Preferably, the specified file includes an executable file, and the virus database generation module comprises:

a source file scanning submodule, for scanning the executable file in a source Android installation package APK;

a specific data extraction submodule, for extracting specific data from the executable file and judging whether the specific data contains virus information, wherein the specific data includes the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;

a first signature generation submodule, for generating a virus signature according to the specific data when the specific data contains virus information;

a weight value assignment module, for assigning a weight value to the virus signature;

a signature saving submodule, for saving the virus signature and the corresponding weight value in the virus database.

Preferably, the executable file includes a Dex file, and the Dex file includes the classes.dex file, files with the extension .jar, and files in Dex format.

Preferably, the virus signatures include: header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, and class name/function name signatures; an operation instruction in the executable file consists of two parts, an opcode and an operand;

the header information signatures, constant signatures, operand signatures and class name/function name signatures are generated directly from header information, constants, operands and class names/function names that contain virus information;

the instruction signatures and instruction signature sequences are generated directly from operation instructions that contain virus information, or from strings or wildcards of the opcodes and operands that contain virus information;

the signature saving submodule further comprises:

a partitioned storage unit, for saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in different storage areas of the database;

or,

a label storage unit, for saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in the database and marking each with a classification label.

Preferably, the virus detection module comprises:

a first detection submodule, for locating the header information of the executable file in the target Android installation package APK and matching the header information against the header information signatures in the virus database; if it matches, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

a second detection submodule, for locating the constants in the constant pool of the executable file in the target Android installation package APK and matching the constants against the constant signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

a third detection submodule, for locating the operands of the operation instructions in the executable file in the target Android installation package APK and matching the operands against the operand signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

a fourth detection submodule, for locating the opcodes of the operation instructions in the executable file in the target Android installation package APK and matching the opcodes against the instruction signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

a fifth detection submodule, for locating the opcodes of the operation instructions in the executable file in the target Android installation package APK and matching the opcodes against the instruction signature sequences in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature;

and/or,

a sixth detection submodule, for locating the class names and/or function names invoked by the constants in the constant pool and by the operands of the operation instructions in the executable file in the target Android installation package APK, and matching the class names and/or function names against the class name/function name signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature.

Preferably, the specified file further includes a text file, and the virus database generation module further comprises:

a linux command extraction submodule, for extracting the linux commands in the text file and judging whether the linux commands contain virus information;

a second signature generation submodule, for generating a virus signature according to the linux commands when the linux commands contain virus information.

Preferably, the virus signatures further include linux command signatures, and the virus detection module further comprises:

a seventh detection submodule, for locating the text file in the target Android installation package APK and matching the linux commands in the text file against the linux command signatures in the virus database; if they match, determining that the specified file in the target Android installation package APK contains a virus signature.

Compared with the prior art, the present application has the following advantages:

The present application scans and analyses specified files in a source APK, such as executable files and text files, generates the corresponding virus signatures according to preset rules from instructions, constants or header information that contain virus information, assigns a weight value to each virus signature, and compiles these into a virus database. Later, during virus APK identification, the specified file in the target APK is examined to judge whether it contains corresponding virus signatures; if so, the weight values of those virus signatures are accumulated, and if the sum is greater than or equal to the determination threshold for a given virus, the target APK is determined to contain a virus of the corresponding type. With the embodiments of the present application, no matter how a virus maker produces a variant by changing the obfuscation method, adding resources, modifying code (changing class names, function names, etc.) or replacing the signature or package name, the virus APK's signatures do not change, so the present application can quickly, accurately and effectively identify virus APKs and their variants. Moreover, producing a variant by deliberately changing the program logic and specific strings (malicious numbers, malicious URLs) is comparatively troublesome and time-consuming for the virus maker, so this approach also effectively increases the difficulty of producing virus variants and improves the security of APK applications.

Furthermore, the present application can further determine the virus type of an APK by comparing against the thresholds of different virus types, which facilitates more targeted follow-up handling of the virus APK and further improves the accuracy of APK identification.

附图说明Description of drawings

图1是本申请的一种病毒APK的识别方法实施例1的流程图;Fig. 1 is the flowchart of the identification method embodiment 1 of a kind of virus APK of the present application;

图2是本申请的一种病毒APK的识别方法实施例2的流程图;Fig. 2 is the flowchart of the identification method embodiment 2 of a kind of virus APK of the present application;

图3是本申请的一种病毒APK的识别装置实施例的结构框图。Fig. 3 is a structural block diagram of an embodiment of a device for identifying a virus APK of the present application.

具体实施方式Detailed ways

为使本申请的上述目的、特征和优点能够更加明显易懂,下面结合附图和具体实施方式对本申请作进一步详细的说明。In order to make the above objects, features and advantages of the present application more obvious and comprehensible, the present application will be further described in detail below in conjunction with the accompanying drawings and specific implementation methods.

本申请实施例的核心构思之一在于,通过扫描分析源APK文件中的指定文件,如可执行文件、文本文件等,针对包含病毒信息的指令、常量或头部信息按预置规则生成相应的病毒特征码,并针对各病毒特征码分配权重值,汇编成病毒数据库;之后病毒APK识别的过程中,检测目标APK文件中的指定文件,判断该指定文件中是否存在相应的病毒特征码,若存在则累计所述病毒特征码的权重值,若大于等于某病毒判定阈值,则判定所述目标APK中存在相应类型的病毒。One of the core ideas of the embodiment of the present application is to scan and analyze specified files in the source APK file, such as executable files, text files, etc., to generate corresponding Virus signature codes, and assign weights for each virus signature code, and compile them into a virus database; in the process of virus APK identification, detect the specified file in the target APK file, and judge whether there is a corresponding virus signature code in the specified file. If it exists, the weight value of the virus signature code is accumulated, and if it is greater than or equal to a certain virus determination threshold, it is determined that a corresponding type of virus exists in the target APK.

Referring to Fig. 1, which shows a flowchart of the steps of Embodiment 1 of a method for identifying a virus APK according to the present application, the method may specifically include the following steps:

Step 101: preset a virus database, the virus database including virus signatures and their corresponding weight values;

In a preferred embodiment of the present application, the specified file includes an executable file, and the virus database can be preset through the following sub-steps:

Sub-step S11: scan the executable file in the source Android installation package (APK);

Sub-step S12: extract specific data from the executable file and determine whether the specific data contains virus information, where the specific data includes the header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;

Sub-step S13: if so, generate a virus signature from the specific data;

Sub-step S14: assign a weight value to the virus signature;

Sub-step S15: save the virus signature and its corresponding weight value in the virus database.

For example, the virus signatures and corresponding weight values included in the virus database are shown in Table 1 below:

Table 1:

For an APK, the executable file may include a Dex file; the Dex file is mainly the classes.dex file in the APK, that is, the Dalvik Executable. As is well known, Dalvik is the Java virtual machine for the Android platform. The Dalvik virtual machine (Dalvik VM) is one of the core components of the Android mobile device platform. It runs Java applications that have been converted to the .dex (Dalvik Executable) format, a compact format designed specifically for Dalvik and suited to systems with limited memory and processor speed. Dalvik is optimised to allow multiple virtual machine instances to run simultaneously in limited memory, and each Dalvik application executes as an independent Linux process. Separate processes prevent all programs from being shut down when one virtual machine crashes.

More preferably, the executable file may also include files with the extension .jar. A JAR file in an Android installation package is in fact a Dex file that merely carries the extension .jar; for files in the APK other than classes.dex, determining whether the file is a Dex file is sufficient to decide whether to scan it.

In practical applications, the Dex file may also include other files in Dex format.

In a preferred embodiment of the present application, the specific data in the executable file can be extracted in the following order:

1) Constants in the constant pool of the executable file;

Specifically, the constants in the constant pool of the specified file may include constants in the strings, types, fields and methods sections, and whether the constants in the constant pool of the executable file contain virus information can be determined through the following sub-steps:

Sub-step S21: determine whether the constants in the strings section contain predefined malicious information, such as malicious URLs, malicious file names or malicious phone numbers;

and/or,

Sub-step S22: determine whether the constants in the types, fields and methods sections refer to user-defined class names, user-defined function names, Android system SDK class names or Android system function names.

In a specific application, the virus information in the constants may be used directly as the virus signature; the virus signatures generated in this embodiment include constant signatures and class-name/function-name signatures.

For example, the constant pool in the classes.dex file of a certain APK contains the following strings:

com.noshufou.android.su

/system/app/com.google.update.apk

Once these have been determined to be virus information, they can be used directly as virus signatures, assigned corresponding weight values and saved in the virus database.

For example, the constant pool in the classes.dex file of a certain APK contains the following methods:

Lcom/android/main/SmsReceiver;

Lcom/android/main/ActionReceiver;

Once these have been determined to be virus information, they can be used directly as virus signatures, assigned corresponding weight values and saved in the virus database.

For example, the constant pool in the classes.dex file of a certain APK contains the following type:

Lcom/androidkernel/flash/Main$1;

Once this has been determined to be virus information, it can be used directly as a virus signature, assigned a corresponding weight value and saved in the virus database.

For example, the constant pool in the classes.dex file of a certain APK contains the following field:

Lcom/androidkernel/flash/b/br$1;.this$0:Lcom/androidkernel/flash/b/br;

Once this has been determined to be virus information, it can be used directly as a virus signature, assigned a corresponding weight value and saved in the virus database.

2) Operation instructions in the executable file;

The Dalvik VM is register-based. Data used by the program, such as strings, types, fields and methods, is stored in a dedicated data area (the constant pool) and referenced from the program by index, whereas literal constants are stored directly in the instructions. The opcodes fall into two categories:

One category places specified data into a register; see Examples 1 to 4 below:

Example 1:

1303 6100 |0000: const/16 v3, #int 97 // #61

Places the integer 97 into register v3.

Example 2:

1700 0000 0040 |0049: const-wide/32 v0, #float 2.000000 // #40000000

Places the floating-point number 2.000000 into register v0.

Example 3:

1a00 7d00 |000b: const-string v0, "%.2fMB" // string007d

Places the string "%.2fMB" into register v0.

Example 4:

1c03 6e04 |0015: const-class v3, Lcom/qihoo360/mobilesafe/service/NetTrafficService; // type046e

Places the class com.qihoo360.mobilesafe.service.NetTrafficService into register v3.

The other category operates on registers; see Examples 5 to 10 below:

Example 5:

3100 0305 |0042: cmp-long v0, v3, v5

Compares the long values in registers v3 and v5 and stores the result in register v0.

Example 6:

3221 0400 |001a: if-eq v1, v2, 001e // +0004

A conditional branch: the execution path is chosen according to whether v1 and v2 are equal.

Example 7:

3800 1500 |001e: if-eqz v0, 0033 // +0015

A conditional branch: the execution path is chosen according to whether v0 equals 0.

Example 8:

6e10 0e29 0500 |0006: invoke-virtual {v5}, Ljava/io/File;.length:()J // method290e

Calls the length() method of File.

Example 9:

7010 042a 0800 |011d: invoke-direct {v8}, Ljava/lang/StringBuilder;.<init>:()V // method2a04

Calls the <init> (constructor) of StringBuilder.

Example 10:

b021 |0035: add-int/2addr v1, v2

Stores the result of v1+v2 in v1.

User class names, function names and strings in the classes.dex and JAR files of an APK may be changed by obfuscation or modification, but the Dalvik VM instructions and the calls to classes provided by the Android system SDK are not affected when user class names, function names, variable names and so on are obfuscated or modified; an APK can therefore be identified by an ordered set of specific instructions. Because the Dalvik VM is register-based, its instructions can only operate on registers, literal constants and the data area, and register addresses vary; identification therefore has to use fuzzy matching, that is, matching on the fixed part of an instruction: its opcode together with the associated literal-constant operands or the strings, types, fields and methods in the data area. Of course, the instruction together with its operands can also be used directly as the virus signature.

In a preferred embodiment of the present application, whether an operation instruction contains virus information can be determined through the following sub-steps:

Sub-step S31: determine whether the operands contain a predefined illegal operand;

and/or,

Sub-step S32: determine whether the combination of opcode and operands conforms to a predefined illegal combination rule.

In a preferred embodiment of the present application, a virus signature can be generated from the operation instruction through the following sub-steps:

Sub-step S41: use the operation instruction itself as the virus signature;

and/or,

Sub-step S42: use the opcode of the operation instruction together with the operand string, or a wildcard, as the virus signature.

The virus signatures generated by applying this embodiment include operand signatures, instruction signatures and instruction signature sequences.

Signature generation scheme 1:

Use the specific instruction sequence itself from the classes.dex and JAR files of the APK directly as the virus signature.

For example, the signature of Example 1 above can be 1303 6100, that of Example 2 can be 1700 0000 0040, that of Example 3 can be 1a00 7d00, that of Example 4 can be 1c03 6e04, that of Example 5 can be 3100 0305, that of Example 6 can be 3221 0400, that of Example 7 can be 3800 1500, that of Example 8 can be 6e10 0e29 0500, that of Example 9 can be 7010 042a 0800, and that of Example 10 can be b021.

Signature generation scheme 2:

Use a specific opcode from the classes.dex and JAR files of the APK together with the string of its operand, or a wildcard, as the virus signature.

For example, the signature of Example 1 above can be 13$* (where * denotes fuzzy matching, likewise below; note that "*" is used here only as an example and any character may be used in practice), that of Example 2 can be 17$*, that of Example 3 can be 1a$, that of Example 4 can be 1c$Lcom/qihoo360/mobilesafe/service/NetTrafficService, that of Example 5 can be 31$*, that of Example 6 can be 32$*, that of Example 7 can be 38$*, that of Example 8 can be 6e$Ljava/io/File;.length:(), that of Example 9 can be 70$Ljava/lang/StringBuilder;.<init>, and that of Example 10 can be b0$*.

Signature selection scheme 3:

Use a mixture of schemes 1 and 2 above, that is, use both the specific instruction sequences themselves from classes.dex in the APK and the specific opcodes from classes.dex in the APK together with the strings of their operands or wildcards as virus signatures.

It should be noted that the embodiments of the present application use $ as the separator, while in practice any other character may be used as the separator; likewise the embodiments use * as the wildcard, while in practice any other character may be used as the wildcard.

To help those skilled in the art better understand the above signature generation process, a specific example is described below.

Signatures extracted from constants in the constant pool of classes.dex (string, type, field and method) are as follows. For example, a certain virus includes the following characteristic strings in its string constant pool:

zjphonecall.txt and zjsms.txt; these two files contain malicious phone numbers and premium-rate (special service) SMS numbers, so the strings can be extracted as virus signatures.

Signatures extracted from the disassembled classes.dex are as follows:

For example, the virus X卧底.apk contains the following instructions, which are used to back up the user's private data to http://www.mybackup.me; they are listed here in order of appearance:

2200 f600 |0000: new-instance v0, Ljava/lang/StringBuilder; // type00f6

Its virus signature is extracted as: 2200f600 or 22$Ljava/lang/StringBuilder

7010 9804 0000 |0002: invoke-direct {v0}, Ljava/lang/StringBuilder;.<init>:()V // method0498

Its virus signature is extracted as: 701098040000 or 70$Ljava/lang/StringBuilder;.<init>

1a01 5506 |0005: const-string v1, "http://www.mybackup.me" // string0655

Its virus signature is extracted as: 701098040000 or 1a$http://www.mybackup.me

6e20 9e04 1000 |0007: invoke-virtual {v0, v1}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method049e

Its virus signature is extracted as: 6e209e041000 or 6e$Ljava/lang/StringBuilder;.append

3902 0900 |0005: if-nez v2, 000e // +0009

Its virus signature is extracted as: 39020900 or 39$*

0c02 |0003: move-result-object v2

Its virus signature is extracted as: 0c02 or 0c$*

The signatures finally obtained are:

Signature selection scheme 1:

2200f6007010980400007010980400006e209e041000390209000c02

Signature selection scheme 2:

22$Ljava/lang/StringBuilder$70$Ljava/lang/StringBuilder;.<init>$1a$http://www.mybackup.me$6e$Ljava/lang/StringBuilder;.append$39$*$0c$*

Signature selection scheme 3:

22$Ljava/lang/StringBuilder$701098040000$1a$http://www.mybackup.me$6e$Ljava/lang/StringBuilder;.append$39$*$0c02

As another example, the instructions in the classes.dex file of a certain APK are as follows:

1a0c bb08 |009b: const-string v12, "tiger" // string08bb

1a0d 1e03 |009d: const-string v13, "P5" // string031e

7120 1404 dc00 |009f: invoke-static {v12, v13}, Lcom/androidkernel/flash/util/LogUtil;.i:(Ljava/lang/String;Ljava/lang/String;)V // method0414

2205 9700 |00a2: new-instance v5, Lcom/androidkernel/flash/http/base/DlStruct; // type0097

7010 1603 0500 |00a4: invoke-direct {v5}, Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V // method0316

1a0c 7200 |00a7: const-string v12, "AA" // string0072

7020 f402 ce00 |00a9: invoke-direct {v14, v12}, Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String; // method02f4

0c0b |00ac: move-result-object v11

When the combination of the above opcodes and operands is determined to conform to a predefined illegal combination rule, or the above operands are determined to contain a predefined illegal operand, the signature can be generated in the following ways:

Way 1:

1a0cbb081a0d1e0371201404dc00220597007010160305001a0c72007020f402ce000c0b

Way 2:

1a$tiger$1a$P5$71$Lcom/androidkernel/flash/util/LogUtil;.i:(Ljava/lang/String;Ljava/lang/String;)V$22$Lcom/androidkernel/flash/http/base/DlStruct;$70$Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V$1a$AA$70$Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String;$0c$*

Way 3:

1a0cbb08$1a$P5$71201404dc00$22$*$70$Lcom/androidkernel/flash/http/base/DlStruct;.<init>:()V$1a$AA$70$Lcom/androidkernel/flash/helper/Tiger;.getUrl:(Ljava/lang/String;)Ljava/lang/String;$0c$*

3) Header information of the executable file.

In a specific implementation, the header information of the executable file includes the checksum digest and/or the Signature; in that case, whether the header information contains virus information can be determined by checking whether the checksum and/or the Signature contain a predefined illegal string.

In a specific application, the checksum and/or the Signature may also be used directly as the virus signature; that is, in this embodiment the virus signatures include header information signatures.

For example, the checksum in the header of the classes.dex file of an APK is 11f26cac and its Signature is 2911621AD071F675ADF0F590C3F1AFB5443BEBBE; after the file is determined to be a Trojan, 11f26cac and 2911621AD071F675ADF0F590C3F1AFB5443BEBBE are extracted directly as virus signatures and saved in the database.
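As an added example (not the patent's own code), the following Python reads the checksum and Signature fields of a dex header in the form the page quotes them, verifies both against the file body, and looks them up in a header-signature table with weights; the dex image, the table and its weights are constructed for the example.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70  # size of a dex header_item


def build_sample_dex(body=b"\x00" * 32):
    """Construct a minimal, self-consistent dex image (constructed test data, not
    a real classes.dex): magic, adler32 checksum, SHA-1 signature, file_size,
    header_size, endian_tag, zero-filled remaining header fields, then body."""
    file_size = HEADER_SIZE + len(body)
    tail = struct.pack("<III", file_size, HEADER_SIZE, 0x12345678)
    tail += b"\x00" * (HEADER_SIZE - 32 - len(tail)) + body
    signature = hashlib.sha1(tail).digest()                 # covers offset 32..end
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF  # covers offset 12..end
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail


def parse_dex_header(data):
    """Read the two header fields the page uses (checksum, Signature), formatted
    as on the page (lowercase hex / uppercase hex), and recompute both so a
    tampered or truncated classes.dex is noticed before any matching."""
    if len(data) < HEADER_SIZE or data[:8] != DEX_MAGIC:
        raise ValueError("not a dex 035 file")
    (checksum,) = struct.unpack_from("<I", data, 8)
    signature = data[12:32]
    (file_size,) = struct.unpack_from("<I", data, 32)
    return {
        "checksum": f"{checksum:08x}",
        "signature": signature.hex().upper(),
        "file_size": file_size,
        "checksum_ok": (zlib.adler32(data[12:]) & 0xFFFFFFFF) == checksum,
        "signature_ok": hashlib.sha1(data[32:]).digest() == signature,
    }


def match_header_signatures(header, db):
    """Look the stored checksum and Signature up in a header-signature table
    {"checksum": {hex: weight}, "signature": {hex: weight}} and return the
    matched values with their summed weight (step 103 then compares the sum
    with the virus-type threshold)."""
    hits, total = [], 0.0
    for key in ("checksum", "signature"):
        weight = db.get(key, {}).get(header[key])
        if weight is not None:
            hits.append(header[key])
            total += weight
    return hits, total
```

Matching stored header values only catches byte-identical classes.dex files: a body edited without fixing the header keeps the old values (and fails the integrity check), while a repacked variant gets fresh ones and is missed.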

As an example of a specific application of the embodiment of the present application, the step of saving the virus signatures in the virus database may include the following sub-steps:

Sub-step S51: save the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences and class-name/function-name signatures, together with their corresponding weight values, in different storage areas of the database;

or,

Sub-step S52: save the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences and class-name/function-name signatures, together with their corresponding weight values, in the database, and mark each with a classification label.

Of course, the above ways of saving virus signatures are merely examples; those skilled in the art may adopt any way of saving them according to the actual situation, and the present application need not impose any limitation in this respect.

Step 102: detect whether the specified file in the target Android installation package (APK) contains the virus signatures, the specified file including an executable file;

As an example of a specific application of the embodiment of the present application, the virus signatures may include header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences and class-name/function-name signatures; in that case, step 102 may specifically include the following sub-steps:

Sub-step S41: locate the header information of the executable file in the target APK and match it against the header information signatures in the virus database; if it matches, determine that the specified file in the target APK contains a virus signature;

and/or,

Sub-step S42: locate the constants in the constant pool of the executable file in the target APK and match them against the constant signatures in the virus database; if they match, determine that the specified file in the target APK contains a virus signature;

and/or,

Sub-step S43: locate the operands of the operation instructions in the executable file in the target APK and match them against the operand signatures in the virus database; if they match, determine that the specified file in the target APK contains a virus signature;

and/or,

Sub-step S44: locate the opcodes of the operation instructions in the executable file in the target APK and match them against the instruction signatures in the virus database; if they match, determine that the specified file in the target APK contains a virus signature;

and/or,

Sub-step S45: locate the opcodes of the operation instructions in the executable file in the target APK and match them against the instruction signature sequences in the virus database; if they match, determine that the specified file in the target APK contains a virus signature;

and/or,

Sub-step S46: locate the class names and/or function names referenced by the constants in the constant pool and by the operands of the operation instructions in the executable file in the target APK, and match them against the class-name/function-name signatures in the virus database; if they match, determine that the specified file in the target APK contains a virus signature.

In a specific implementation, matching can be performed in the following ways:

Way 1: scan directly byte by byte, in order.

Way 2: scan the virus signature sequence in order; the instructions of the virus signature only need to appear in order, not consecutively.

Way 3: all or some of the signature instructions merely need to be present.

Of course, the above ways of detecting and matching are merely examples; those skilled in the art may adopt any way of detecting and matching virus signatures according to the actual situation, and the present application need not impose any limitation in this respect.

Step 103: if so, compute the sum of the weight values corresponding to the virus signatures;

For example, scanning and analysing a certain APK finds that it contains the following virus signatures:

/system/bin/su com.qihoo360.mobilesafe 1066185829

Referring to Table 1 in the example above, the weight value of /system/bin/su is 0.2, that of com.qihoo360.mobilesafe is 0.3 and that of 1066185829 is 0.5, so the sum of the weight values corresponding to these virus signatures is 1.

Step 104: if the sum of the weight values is greater than or equal to the determination threshold of some virus type, determine that the target Android installation package (APK) contains a virus of that type.

For example, if the Trojan determination threshold is preconfigured as 1, the sum of the weight values corresponding to the virus signatures in the above example equals that threshold, so it is determined that the target APK contains a Trojan.

In a specific implementation, the embodiment of the present application may further include the following step:

generate prompt information indicating that a virus of that type exists in the target Android installation package (APK).

Furthermore, in practice, a security software interface may also be called to scan and clean the target Android installation package (APK).

为使本领域技术人员更好地理解本申请,以下通过几个具体示例进行说明。In order to enable those skilled in the art to better understand the present application, several specific examples are used below to illustrate.

例一:Example 1:

1)定位至目标APK中的classes.dex或者JAR的操作指令instruction开始的地方(以下简称之为代码段);1) Locate to the place where the classes.dex in the target APK or the operation instruction instruction of the JAR begins (hereinafter referred to as the code segment);

2)从病毒数据库中的病毒特征码序列中根据分隔符提取第一个instruction;2) Extract the first instruction according to the delimiter from the virus signature sequence in the virus database;

3)从代码段中提取第一个instruction;3) Extract the first instruction from the code segment;

4)两者进行比较,若相同则从特征码序列中根据分隔符提取下一个instruction,若不同则从代码段中提取下一个instruction;4) Compare the two, if they are the same, extract the next instruction from the signature sequence according to the delimiter, and if they are different, extract the next instruction from the code segment;

5)以此类推逐指令进行匹配,直至抵达代码段的末尾,若匹配过程中完全匹配则报告发现病毒;5) Match by command by analogy until the end of the code segment is reached. If there is a complete match during the matching process, a virus will be reported;

6)提取相应病毒特征码对应的权重值,统计所述权重值之和;6) Extracting the weight value corresponding to the corresponding virus signature code, and counting the sum of the weight value;

7)若所述权重值之和大于等木马病毒判定阈值,则判定目标APK中存在木马病毒,报告用户,并调用安全软件进行查杀。7) If the sum of the weight values is greater than the Trojan horse virus determination threshold, it is determined that there is a Trojan horse virus in the target APK, the user is reported, and security software is invoked to check and kill.

Example 2:

1) Extract the corresponding characteristic string(s) (one or more) from the virus signatures in the virus database.

2) Look up whether the corresponding characteristic string(s) exist in the string constant pool;

3) If so, report that a virus APK has been found;

4) Extract the weight value corresponding to the matched virus signature string and compute the sum of the weight values;

5) If the sum of the weight values is greater than or equal to the Trojan determination threshold, determine that a Trojan exists in the target APK, report to the user, and invoke the security software to scan and remove it.

Example 3:

1) Extract the corresponding characteristic string(s) (one or more) and characteristic function name(s) (one or more) from the virus signatures;

2) Look up whether the corresponding characteristic strings and function names exist in the string constant pool and the method constant pool; combined scans of the other string, type, field and method pools proceed in the same way;

3) If so, report that a virus APK has been found;

4) Extract the weight value corresponding to the matched virus signature string and compute the sum of the weight values;

5) If the sum of the weight values is greater than or equal to the Trojan determination threshold, determine that a Trojan exists in the target APK, report to the user, and invoke the security software to scan and remove it.

Those skilled in the art will readily understand that there is no restriction on the order in which the operation instructions, the constant pools and the header information are scanned; any scanning order of the three may be set according to the actual situation, and the present application does not need to limit this.

The embodiment of the present application also applies to the case of APKs nested inside an APK: when an APK contains other APKs, the embodiment can likewise be applied to parse and extract virus signatures from the executable files, text files and so on in both the outer APK and its nested APKs. For example, if a root.apk is embedded in some 1.APK in order to obtain root privileges, then, applying the embodiment, virus signatures are extracted not only from 1.APK but also from root.apk. Those skilled in the art will readily see that the embodiment also applies to multiply nested APKs, which the present application does not limit here.

Referring to FIG. 2, which shows a flow chart of the steps of Embodiment 2 of a virus APK identification method of the present application, the method may specifically include the following steps:

Step 201: preset a virus database, the virus database including virus signatures and corresponding weight values;

In a preferred embodiment of the present application, step 201 may include the following sub-steps:

Sub-step S51: scan specified files in a source Android installation package APK, the specified files including executable files and/or text files;

Sub-step S52: extract specific data from the executable file and determine whether the specific data contains virus information, where the specific data includes the executable file's header information, constants in the executable file's constant pools, and/or operation instructions in the executable file;

Sub-step S53: if so, generate a virus signature from the specific data;

Sub-step S54: extract linux commands from the text file and determine whether the linux commands contain virus information;

Sub-step S55: if so, generate a virus signature from the linux command;

Sub-step S56: assign a weight value to the virus signature;

Sub-step S57: save the virus signature and its corresponding weight value in the virus database.

In a specific implementation, whether a linux command contains virus information can be determined by checking whether it matches a preset malicious linux command, and a linux command containing virus information can also be used directly as a virus signature. In this embodiment, the virus signatures therefore also include linux command signatures.

For example, the corresponding linux commands extracted from a text file in an APK are as follows:

When the above linux command is determined to match a preset malicious linux command, the command is used as a virus signature, assigned a weight value, and written into the virus database.

Step 202: detect whether the specified files in the target Android installation package APK contain the virus signatures, the specified files including executable files and text files; if so, go to step 203; if not, go to step 207.

In a preferred embodiment of the present application, step 202 may include the following sub-step:

locate the text file in the target Android installation package APK and match the linux commands in the text file against the linux command signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature.

Step 203: compute the sum of the weight values corresponding to the virus signatures;

Step 204: determine whether the sum of the weight values is greater than or equal to the determination threshold for a given virus type; if so, go to step 205; if not, go to step 206;

Step 205: determine that a virus of the corresponding type exists in the target Android installation package APK, and generate prompt information indicating that a virus of that type exists in the target Android installation package APK;

Step 206: determine that the target Android installation package APK is a virus APK, and generate prompt information indicating that the target Android installation package APK is a virus APK;

Step 207: determine that the target Android installation package APK is a normal APK.

For example, scanning and analysing an APK finds that it contains the following virus signature:

/system/bin/su com.qihoo360.mobilesafe 1066185829

With reference to Table 1 above, the weight sum of this virus signature is computed as 1, which equals the Trojan determination threshold of 1, so the user is notified that a Trojan has been found and the following prompt information is generated:

A Trojan has been found. It can obtain root privileges and then bypass the system security mechanisms to perform malicious actions. It can also detect whether anti-virus software is present on the system in order to evade it. It can send premium-rate SMS messages to the number 1066185829 or place premium-rate calls.

Or, for example, scanning and analysing an APK finds that it contains the following virus signature:

/system/bin/su

With reference to Table 1 above, its weight value is computed as 0.2, which is less than the Trojan determination threshold of 1, so a warning is reported to the user and the following prompt information is generated:

Warning: the current application can obtain root privileges, after which it may bypass the system security mechanisms to perform malicious actions.
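As an added example, not code from the patent or its assignee, the following Python sketch runs the weighted signature scan of steps 201 to 207 against constructed APK contents, including the instruction-sequence walk of Example 1 and the nested-APK case. Only the two /system/bin/su signatures, their weights (1 and 0.2) and the Trojan threshold of 1 come from the worked example above; the other database entries, the `|` delimiter for instruction sequences and the sample APK contents are assumptions.

```python
"""Weighted virus-signature scan modelled on steps 201-207 (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Signature:
    kind: str          # "linux_cmd", "string" or "instruction_seq"
    value: str         # instruction sequences are delimiter-separated opcodes
    weight: float
    virus_type: str = "trojan"


# Constructed virus database standing in for the page's Table 1. The two
# /system/bin/su entries and their weights follow the worked example; the
# string and instruction-sequence entries are assumptions.
VIRUS_DB = [
    Signature("linux_cmd", "/system/bin/su com.qihoo360.mobilesafe 1066185829", 1.0),
    Signature("linux_cmd", "/system/bin/su", 0.2),
    Signature("string", "1066185829", 0.5),
    Signature("instruction_seq", "const-string|invoke-static|invoke-virtual", 0.5),
]
# Per-type determination threshold; the text notes it may be tuned per type or in the cloud.
THRESHOLDS = {"trojan": 1.0}


@dataclass
class Apk:
    """Already-parsed view of an APK: only the parts the method examines."""
    instructions: list = field(default_factory=list)   # opcodes of the code segment
    string_pool: list = field(default_factory=list)    # strings constant pool
    text_lines: list = field(default_factory=list)     # linux commands from text files
    nested: list = field(default_factory=list)         # APKs embedded in this APK


def match_instruction_seq(code, seq, delim="|"):
    """Example 1's walk: a single pass over the code segment. The signature
    pointer advances on a hit and the code pointer on every step, so the
    signature matches as an in-order (not necessarily contiguous) subsequence."""
    pattern = seq.split(delim)
    i = 0
    for opcode in code:
        if opcode == pattern[i]:
            i += 1
            if i == len(pattern):
                return True
    return False


def find_signatures(apk, db=VIRUS_DB):
    """Step 202: collect every database signature present in the APK, recursing
    into nested APKs as the text describes for root.apk inside 1.APK."""
    hits = []
    for sig in db:
        if sig.kind == "linux_cmd":
            # exact line match, so "/system/bin/su" alone does not fire on the longer command
            hit = any(line.strip() == sig.value for line in apk.text_lines)
        elif sig.kind == "string":
            hit = sig.value in apk.string_pool
        elif sig.kind == "instruction_seq":
            hit = match_instruction_seq(apk.instructions, sig.value)
        else:
            hit = False
        if hit:
            hits.append(sig)
    for inner in apk.nested:
        hits.extend(find_signatures(inner, db))
    return hits


def classify(apk, db=VIRUS_DB, thresholds=THRESHOLDS):
    """Steps 203-207. Returns (verdict, weight_sum, prompt)."""
    hits = find_signatures(apk, db)
    if not hits:
        return "normal", 0.0, "Normal APK"                              # step 207
    totals = {}
    for sig in hits:                                                    # step 203
        totals[sig.virus_type] = totals.get(sig.virus_type, 0.0) + sig.weight
    for vtype, total in totals.items():
        if total >= thresholds.get(vtype, float("inf")):               # steps 204-205
            return vtype, total, f"{vtype} found (signature weight {total:g})"
    total = max(totals.values())                                        # step 206
    return "virus_apk", total, f"Warning: suspicious APK (signature weight {total:g})"


if __name__ == "__main__":
    for sample in (Apk(text_lines=["/system/bin/su com.qihoo360.mobilesafe 1066185829"]),
                   Apk(text_lines=["/system/bin/su"]),
                   Apk(nested=[Apk(string_pool=["1066185829"],
                                   instructions=["const-string", "nop", "invoke-static",
                                                 "move-result", "invoke-virtual"])])):
        print(classify(sample))
```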

In the embodiment of the present application, the determination threshold for a given virus type can be set per virus type and can also be adjusted dynamically in the cloud according to the actual situation; the present application does not limit this.

The embodiment of the present application is also applicable to client software and to cloud-based scanning, that is, the above virus APK identification process can be completed on the client or on the server or cloud side; the present application does not limit this.

Application scenarios of the embodiment of the present application are provided below:

Scenario 1: triggered by the user starting a virus scan, first check whether the APK has changed and whether a scan result has been cached. If the APK has not changed and a scan result has been cached, output the cached scan result directly; otherwise, perform a blacklist scan. If the APK is found in the blacklist, output the scan result "virus APK found" and add it to the cache; if not found, perform a whitelist scan. If the APK is found in the whitelist, output the scan result "safe" and add it to the cache; if not found, perform a virus signature scan using the virus database, output the scan result and add it to the cache.

Scenario 2: the user installs a new APK, the anti-virus program receives the new-installation message and begins scanning the newly installed APK. First a blacklist scan is performed: if the APK is found in the blacklist, output the scan result "virus found" and add it to the cache; if not found, perform a whitelist scan. If the APK is found in the whitelist, output the scan result "safe" and add it to the cache; if not found, perform a virus signature scan using the virus database, output the scan result and add it to the cache.

Those skilled in the art will readily understand that, applying the embodiment of the present application, whether the current APK is a virus APK may also be determined by directly detecting whether a text file contains a virus signature; to save space, this application does not describe that scheme in detail.

The present application scans and analyses specified files in a source APK, such as executable files and text files, generates corresponding virus signatures according to preset rules from the instructions, constants or header information that contain virus information, and compiles them into a virus database; then, during virus APK identification, it examines the specified files in the target APK and determines whether they contain any virus signature from the virus database, thereby determining whether the target APK is a virus APK. Applying the embodiment of this application, no matter how a virus author produces variants by changing the obfuscation scheme, adding resources, modifying code (changing class names, function names, etc.), or replacing the signature or package name, the signatures of the virus APK do not change, so the present application can quickly, accurately and effectively identify virus APKs and their variants. Moreover, producing variants by deliberately altering program logic and specific strings (malicious numbers, malicious URLs) is comparatively troublesome and time-consuming for the virus author, so this approach also effectively raises the difficulty of producing virus variants and improves the security of APK applications.

It should be noted that the embodiments of the present application apply not only to various Android terminals, that is, terminals running the Android platform (operating system), including computers, PCs, notebook computers, mobile phones, tablet computers and so on, but also to virus signature extraction schemes used on other computer systems (for example Windows, Linux).

For the sake of simple description, the method embodiments are each expressed as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the described order of actions, because according to the present application certain steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present application.

Referring to FIG. 3, which shows a structural block diagram of an embodiment of a virus APK identification device of the present application, the device may specifically include the following modules:

a virus database generation module 301, configured to preset a virus database, the virus database including virus signatures and corresponding weight values;

a virus detection module 302, configured to detect whether the specified files in the target Android installation package APK contain the virus signatures; if so, invoke the virus weight value statistics module 303;

a virus weight value statistics module 303, configured to compute the sum of the weight values corresponding to the virus signatures;

a threshold determination module 304, configured to determine whether the sum of the weight values is greater than or equal to the determination threshold for a given virus type; if so, invoke the virus determination module 305;

a virus determination module 305, configured to determine that a virus of the corresponding type exists in the target Android installation package APK.

In a preferred embodiment of the present application, the device may further include the following module:

a virus identification module 306, configured to determine that the target Android installation package APK is a virus APK when the sum of the weight values is less than the determination threshold for the virus type.

In a specific implementation, the embodiment of the present application may further include the following modules:

a first prompt information generation module 307, connected to the virus determination module 305 and configured to generate prompt information indicating that a virus of that type exists in the target Android installation package APK;

a second prompt information generation module 308, connected to the virus identification module 306 and configured to generate prompt information indicating that the target Android installation package APK is a virus APK.

More preferably, the embodiment of the present application may further include the following module:

a virus removal module, configured to invoke a security software interface to scan and remove viruses from the target Android installation package APK.

In a preferred embodiment of the present application, the specified files may include executable files, and the virus database generation module 301 may include the following sub-modules:

a source file scanning sub-module, configured to scan specified files in a source Android installation package APK, the specified files including executable files;

a specific data extraction sub-module, configured to extract specific data from the executable file and determine whether the specific data contains virus information, where the specific data includes the executable file's header information, constants in the executable file's constant pools, and/or operation instructions in the executable file;

a first signature generation sub-module, configured to generate a virus signature from the specific data when the specific data contains virus information;

a weight value assignment module, configured to assign a weight value to the virus signature;

a signature saving sub-module, configured to save the virus signature and its corresponding weight value in the virus database.

As an example of a specific application of the embodiment, the signature saving sub-module may further include the following unit:

a partitioned storage unit, configured to store the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and their corresponding weight values in different storage areas of the database;

or,

a label storage unit, configured to store the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and their corresponding weight values in the database, each marked with a classification label.

In a specific application, the executable files may include Dex files, and the Dex files may include classes.dex files, files with the .jar extension, and files in Dex format.

In a preferred embodiment of the present application, the virus signatures may include: header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences and class name/function name signatures; an operation instruction in the executable file consists of two parts, an opcode and an operand;

In this case, the virus detection module 302 may include the following sub-modules:

a first detection sub-module, configured to locate the header information of the executable file in the target Android installation package APK and match the header information against the header information signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature;

and/or,

a second detection sub-module, configured to locate the constants in the executable file's constant pools in the target Android installation package APK and match the constants against the constant signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature;

and/or,

a third detection sub-module, configured to locate the operands in the executable file's operation instructions in the target Android installation package APK and match the operands against the operand signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature;

and/or,

a fourth detection sub-module, configured to locate the opcodes in the executable file's operation instructions in the target Android installation package APK and match the opcodes against the instruction signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature;

and/or,

a fifth detection sub-module, configured to locate the opcodes in the executable file's operation instructions in the target Android installation package APK and match the opcodes against the instruction signature sequences in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature;

and/or,

a sixth detection sub-module, configured to locate the class names and/or function names invoked by the constants in the executable file's constant pools and by the operands in its operation instructions in the target Android installation package APK, and match the class names and/or function names against the class name/function name signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature.

In a specific implementation, the header information signatures, constant signatures, operand signatures and class name/function name signatures can be generated directly from the header information, constants, operands and class/function names that contain virus information;

the instruction signatures and instruction signature sequences can be generated directly from the operation instructions containing virus information, or from strings or wildcard patterns of the opcodes and operands containing virus information.

In a preferred embodiment of the present application, the specified files may further include text files; in this case the virus database generation module 301 may further include the following sub-modules:

a linux command extraction sub-module, configured to extract linux commands from the text file and determine whether the linux commands contain virus information;

a second signature generation sub-module, configured to generate a virus signature from the linux command when the linux command contains virus information.

Correspondingly, the virus signatures may further include linux command signatures, and the virus detection module 302 may further include the following sub-module:

a seventh detection sub-module, configured to locate the text file in the target Android installation package APK and match the linux commands in the text file against the linux command signatures in the virus database; if they match, determine that the specified files in the target Android installation package APK contain a virus signature.

In a specific application, the constants in the executable file's constant pools may include constants from the strings, types, fields and methods pools; the header information of the executable file may include a checksum and/or signature information (Signature).

Since the device embodiment basically corresponds to the method embodiments shown in FIG. 1 and FIG. 2 above, for details not fully described in this embodiment, reference may be made to the relevant description of the preceding embodiments, which is not repeated here.

Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, causing a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Although preferred embodiments of the present application have been described, those skilled in the art can make further changes and modifications to these embodiments once they have learned the basic inventive concept. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the present application.

Finally, it should also be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device that comprises a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.

The virus APK identification method and the virus APK identification device provided by the present application have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the present application; the description of the above embodiments is intended only to help in understanding the method of the present application and its core idea. At the same time, those of ordinary skill in the art will, in accordance with the idea of the present application, make changes in specific implementation and scope of application. In summary, the contents of this specification should not be construed as limiting the present application.

Claims (21)

Translated from Chinese

1. A method for identifying a virus APK, comprising:
presetting a virus database, the virus database including virus signatures and corresponding weight values;
checking whether a target Android installation package (APK) has changed and/or whether a scan result has been cached; if the target APK has not changed and/or a scan result has been cached, outputting the scan result directly; otherwise, performing at least one of a blacklist scan and a whitelist scan on the target APK;
when the target APK is found in the blacklist, or when the target APK is found not to be in the whitelist, detecting whether a specified file of the target APK contains a virus signature, and if so, summing the weight values corresponding to the virus signatures;
if the sum of the weight values is greater than or equal to a virus determination threshold, determining that a virus of the corresponding type exists in the target APK, to obtain a scan result;
adding the scan result to a cache;
when the target APK is found in the whitelist, outputting a scan result of "safe" and adding it to the cache;
wherein the specified file includes an executable file, and the step of presetting the virus database includes:
scanning executable files in a source APK;
extracting specific data from the executable file and judging whether the specific data contains virus information, wherein the specific data includes header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;
if so, generating a virus signature from the specific data;
assigning a weight value to the virus signature;
saving the virus signature and the corresponding weight value in the virus database.

2. The method of claim 1, further comprising:
generating a prompt message indicating that a virus of that type exists in the target APK.

3. The method of claim 1, further comprising:
if the sum of the weight values is less than a virus determination threshold, determining that the target APK is a virus APK.

4. The method of claim 3, further comprising:
generating a prompt message indicating that the target APK is a virus APK.

5. The method of claim 2 or 4, further comprising:
invoking a security software interface to scan for and remove viruses from the target APK.

6. The method of claim 1, wherein the executable file includes a Dex file, and the Dex file includes a classes.dex file, a file with the extension .jar, and a file in Dex format.

7. The method of claim 6, wherein the virus signatures include: header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, and class name/function name signatures; the operation instructions in the executable file consist of two parts, an opcode and an operand;
the header information signatures, constant signatures, operand signatures and class name/function name signatures are generated directly from header information, constants, operands and class names/function names that contain virus information;
the instruction signatures and instruction signature sequences are generated directly from operation instructions that contain virus information, or are generated from strings or wildcards of opcodes and operands that contain virus information;
the step of saving the virus signatures and corresponding weight values in the virus database includes:
saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in different storage areas of the database respectively;
or,
saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in the database and marking each with a classification label.

8. The method of claim 7, wherein the step of detecting whether the specified file in the target APK contains the virus signature includes:
locating the header information of the executable file in the target APK, matching the header information against the header information signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
locating the constants in the constant pool of the executable file in the target APK, matching the constants against the constant signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
locating the operands in the operation instructions of the executable file in the target APK, matching the operands against the operand signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
locating the opcodes in the operation instructions of the executable file in the target APK, matching the opcodes against the instruction signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
locating the opcodes in the operation instructions of the executable file in the target APK, matching the opcodes against the instruction signature sequences in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
locating the class names and/or function names invoked by the constants in the constant pool and by the operands in the operation instructions of the executable file in the target APK, matching the class names and/or function names against the class name/function name signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature.

9. The method of claim 1, wherein the specified file further includes a text file, and the step of presetting the virus database further includes:
extracting Linux commands from the text file and judging whether the Linux commands contain virus information;
if so, generating a virus signature from the Linux commands.

10. The method of claim 9, wherein the virus signatures further include Linux command signatures, and the step of detecting whether the specified file in the target APK contains a virus signature further includes:
locating the text file in the target APK, matching the Linux commands in the text file against the Linux command signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature.

11. The method of claim 8, wherein the constants in the constant pool of the executable file include constants in strings, types, fields and methods; the header information of the executable file includes digest information (checksum) and/or signature information (Signature).

12. A device for identifying a virus APK, comprising:
a virus database generation module for presetting a virus database, the virus database including virus signatures and corresponding weight values;
a virus detection module for checking whether a target APK has changed and/or whether a scan result has been cached; if the target APK has not changed and/or a scan result has been cached, outputting the scan result directly; otherwise, performing at least one of a blacklist scan and a whitelist scan on the target APK;
when the target APK is found in the blacklist, or when the target APK is found not to be in the whitelist, detecting whether the specified file in the target APK contains the virus signature; if so, invoking the virus weight value statistics module;
a virus weight value statistics module for summing the weight values corresponding to the virus signatures;
a threshold judgment module for judging whether the sum of the weight values is greater than or equal to a virus determination threshold; if so, invoking the virus determination module;
a virus determination module for determining that a virus of the corresponding type exists in the target APK, to obtain a scan result, and adding the scan result to the cache;
when the target APK is found in the whitelist, outputting a scan result of "safe" and adding it to the cache;
wherein the specified file includes an executable file, and the virus database generation module includes:
a source file scanning submodule for scanning executable files in a source APK;
a specific data extraction submodule for extracting specific data from the executable file and judging whether the specific data contains virus information, wherein the specific data includes header information of the executable file, constants in the constant pool of the executable file, and/or operation instructions in the executable file;
a first signature generation submodule for generating a virus signature from the specific data when the specific data contains virus information;
a weight value assignment module for assigning a weight value to the virus signature;
a signature saving submodule for saving the virus signature and the corresponding weight value in the virus database.

13. The device of claim 12, further comprising:
a first prompt information generation module, connected to the virus determination module, for generating a prompt message indicating that a virus of that type exists in the target APK.

14. The device of claim 12, further comprising:
a virus identification module for determining that the target APK is a virus APK when the sum of the weight values is less than a virus determination threshold.

15. The device of claim 14, further comprising:
a second prompt information generation module, connected to the virus identification module, for generating a prompt message indicating that the target APK is a virus APK.

16. The device of claim 13 or 15, further comprising:
a virus removal module for invoking a security software interface to scan for and remove viruses from the target APK.

17. The device of claim 12, wherein the executable file includes a Dex file, and the Dex file includes a classes.dex file, a file with the extension .jar, and a file in Dex format.

18. The device of claim 17, wherein the virus signatures include: header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, and class name/function name signatures; the operation instructions in the executable file consist of two parts, an opcode and an operand;
the header information signatures, constant signatures, operand signatures and class name/function name signatures are generated directly from header information, constants, operands and class names/function names that contain virus information;
the instruction signatures and instruction signature sequences are generated directly from operation instructions that contain virus information, or are generated from strings or wildcards of opcodes and operands that contain virus information;
the signature saving submodule further includes:
a partitioned storage unit for saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in different storage areas of the database respectively;
or,
a label storage unit for saving the header information signatures, constant signatures, operand signatures, instruction signatures, instruction signature sequences, class name/function name signatures and the corresponding weight values in the database and marking each with a classification label.

19. The device of claim 18, wherein the virus detection module includes:
a first detection submodule for locating the header information of the executable file in the target APK, matching the header information against the header information signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
a second detection submodule for locating the constants in the constant pool of the executable file in the target APK, matching the constants against the constant signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
a third detection submodule for locating the operands in the operation instructions of the executable file in the target APK, matching the operands against the operand signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
a fourth detection submodule for locating the opcodes in the operation instructions of the executable file in the target APK, matching the opcodes against the instruction signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
a fifth detection submodule for locating the opcodes in the operation instructions of the executable file in the target APK, matching the opcodes against the instruction signature sequences in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature;
and/or,
a sixth detection submodule for locating the class names and/or function names invoked by the constants in the constant pool and by the operands in the operation instructions of the executable file in the target APK, matching the class names and/or function names against the class name/function name signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature.

20. The device of claim 16, wherein the specified file further includes a text file, and the virus database generation module further includes:
a Linux command extraction submodule for extracting Linux commands from the text file and judging whether the Linux commands contain virus information;
a second signature generation submodule for generating a virus signature from the Linux commands when the Linux commands contain virus information.

21. The device of claim 20, wherein the virus signatures further include Linux command signatures, and the virus detection module further includes:
a seventh detection submodule for locating the text file in the target APK, matching the Linux commands in the text file against the Linux command signatures in the virus database, and if matched, determining that the specified file in the target APK contains a virus signature.
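The scan flow that claims 1 and 12 describe (change and cache check, whitelist and blacklist scan, per-category matching of the extracted header, constants, instructions, class/method names and Linux commands, weight summation per virus type against that type's threshold, and caching of the verdict), written out as an added Python example. This is not the patent's code; every signature, weight, threshold, package name and piece of extracted sample data is a constructed placeholder, and the handling of a total that matches something but stays below every threshold (reported as "undetermined") is this example's own choice, not a claim of the patent.

```python
"""Weighted virus-signature scan over an APK's extracted data, in the shape of claim 1.
All signatures, thresholds and sample inputs are constructed placeholders."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Signature:
    virus_type: str      # virus type whose threshold this signature counts toward
    category: str        # header | constant | instruction | class_method | linux_cmd
    pattern: str         # literal value, or a regex over the opcode stream when is_regex
    weight: int          # weight value summed per virus type
    is_regex: bool = False


# Hypothetical preset virus database (claim 1: signatures plus weight values).
VIRUS_DB: List[Signature] = [
    Signature("Demo.Family.A", "header", "sha1:" + "ab" * 20, 10),   # whole-DEX SHA-1 digest
    Signature("Demo.Family.A", "constant", "http://placeholder.example/c2", 4),
    Signature("Demo.Family.A", "class_method", "Lcom/example/demo/Sms;->send", 3),
    # Instruction signature sequence with wildcards (claim 7): opcode, anything, opcode.
    Signature("Demo.Family.A", "instruction", r"const-string .* invoke-virtual .*->sendTextMessage", 3, True),
    Signature("Demo.Family.B", "linux_cmd", "chmod 4755", 5),
    Signature("Demo.Family.B", "constant", "/system/bin/sh", 2),
]
THRESHOLDS: Dict[str, int] = {"Demo.Family.A": 6, "Demo.Family.B": 6}


@dataclass
class ExtractedApk:
    """The 'specified data' of the claims, as a DEX/text extractor would hand it over."""
    package: str
    dex_bytes: bytes          # raw classes.dex; used for the change check and the header signature
    constants: List[str]      # constant-pool strings
    instructions: List[str]   # one "opcode operands" line per instruction, in program order
    class_methods: List[str]  # class/method references resolved from constants and operands
    linux_cmds: List[str]     # shell lines from any text files inside the package


@dataclass
class ScanResult:
    verdict: str                  # "safe" (whitelisted), "virus", "clean" or "undetermined"
    virus_type: Optional[str]
    totals: Dict[str, int]        # summed weights per virus type
    matched: List[Signature]


def match_signatures(apk: ExtractedApk, db: List[Signature]) -> List[Signature]:
    """Claim 8 style matching: each signature category is checked against its own data."""
    dex_sha1 = "sha1:" + hashlib.sha1(apk.dex_bytes).hexdigest()
    opcode_stream = " ".join(apk.instructions)
    hits = []
    for sig in db:
        if sig.category == "header":
            hit = sig.pattern == dex_sha1
        elif sig.category == "constant":
            hit = sig.pattern in apk.constants
        elif sig.category == "class_method":
            hit = sig.pattern in apk.class_methods
        elif sig.category == "instruction":
            hit = bool(re.search(sig.pattern, opcode_stream)) if sig.is_regex else sig.pattern in opcode_stream
        elif sig.category == "linux_cmd":
            hit = any(sig.pattern in line for line in apk.linux_cmds)
        else:
            hit = False
        if hit:
            hits.append(sig)
    return hits


def score(hits: List[Signature], thresholds: Dict[str, int]) -> ScanResult:
    """Sum weights per virus type and compare with that type's determination threshold."""
    totals: Dict[str, int] = {}
    for sig in hits:
        totals[sig.virus_type] = totals.get(sig.virus_type, 0) + sig.weight
    for vtype, total in totals.items():
        if total >= thresholds.get(vtype, float("inf")):
            return ScanResult("virus", vtype, totals, hits)
    return ScanResult("undetermined" if hits else "clean", None, totals, hits)


class ApkScanner:
    def __init__(self, db, thresholds, blacklist: Set[str], whitelist: Set[str]):
        self.db, self.thresholds = db, thresholds
        self.blacklist, self.whitelist = blacklist, whitelist
        self.cache: Dict[str, ScanResult] = {}   # package + content digest -> cached verdict

    def scan(self, apk: ExtractedApk) -> ScanResult:
        # The digest in the key is the "has the APK changed" check: a modified package misses the cache.
        key = apk.package + ":" + hashlib.sha256(apk.dex_bytes).hexdigest()
        if key in self.cache:
            return self.cache[key]
        if apk.package in self.whitelist:
            result = ScanResult("safe", None, {}, [])
        else:  # in the blacklist, or simply not whitelisted: run the signature scan
            result = score(match_signatures(apk, self.db), self.thresholds)
        self.cache[key] = result
        return result


# Constructed samples; dex_bytes is a stand-in header, not a real DEX file.
SAMPLE_INFECTED = ExtractedApk(
    "com.example.demo", b"dex\n035\0" + b"\x00" * 32,
    constants=["http://placeholder.example/c2", "hello"],
    instructions=['const-string v0, "1234"',
                  "invoke-virtual {v1, v0}, Landroid/telephony/SmsManager;->sendTextMessage"],
    class_methods=["Lcom/example/demo/Sms;->send"], linux_cmds=[])
SAMPLE_LOW = ExtractedApk("com.example.shell", b"dex\n035\0" + b"\x01" * 32,
                          constants=["/system/bin/sh"], instructions=[], class_methods=[], linux_cmds=[])
SAMPLE_TRUSTED = ExtractedApk("com.example.trusted", b"dex\n035\0" + b"\x02" * 32,
                              constants=["/system/bin/sh"], instructions=[], class_methods=[], linux_cmds=[])


def run_demo() -> Dict[str, ScanResult]:
    scanner = ApkScanner(VIRUS_DB, THRESHOLDS, blacklist=set(), whitelist={"com.example.trusted"})
    return {apk.package: scanner.scan(apk) for apk in (SAMPLE_INFECTED, SAMPLE_LOW, SAMPLE_TRUSTED)}
```

Two design points worth keeping in mind when building on this shape: the whitelist and blacklist here are keyed by package name for brevity, but a package name is chosen by whoever builds the APK, so a production list should be keyed by the signing certificate or a content digest instead; and the cache key deliberately includes the content digest, which is what makes the "has the APK changed" step of claim 1 hold even when the package name stays the same.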
Application number: CN201210137453.XA; priority date: 2012-05-04; filing date: 2012-05-04; title: A virus APK identification method and device; status: Active; publication: CN102708320B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201210137453.XA | 2012-05-04 | 2012-05-04 | A virus APK identification method and device

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201210137453.XA | 2012-05-04 | 2012-05-04 | A virus APK identification method and device

Related Child Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201510146264.2A (Division, published as CN104715200A (en)) | 2012-05-04 | 2012-05-04 | Method and device for identifying viral APK (Android application package file)

Publications (2)

Publication Number | Publication Date
CN102708320A (en) | 2012-10-03
CN102708320B (en) | 2015-05-06

Family

ID=46901071

Family Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201210137453.XA (Active, published as CN102708320B (en)) | 2012-05-04 | 2012-05-04 | A virus APK identification method and device

Country Status (1)

Country | Link
CN (1) | CN102708320B (en)

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
WO2014089744A1 (en) * | 2012-12-10 | 2014-06-19 | 华为技术有限公司 | Method and apparatus for detecting malicious code
CN103226583B (en) * | 2013-04-08 | 2017-07-28 | 北京奇虎科技有限公司 | A kind of method and apparatus of ad plug-in identification
CN104346568A (en) * | 2013-07-26 | 2015-02-11 | 贝壳网际(北京)安全技术有限公司 | Method and device for identifying malicious application program and mobile device
CN104679495B (en) * | 2013-12-02 | 2018-04-27 | 北京猎豹移动科技有限公司 | Software identification method and device
CN104850782B (en) * | 2014-02-18 | 2019-05-14 | 腾讯科技(深圳)有限公司 | Match the method and device of virus characteristic
CN103810428B (en) * | 2014-02-24 | 2017-05-24 | 珠海市君天电子科技有限公司 | Method and device for detecting macro virus
CN104899009A (en) * | 2014-03-03 | 2015-09-09 | 可牛网络技术(北京)有限公司 | Identification method and device of Android application
CN105488407A (en) * | 2014-12-31 | 2016-04-13 | 哈尔滨安天科技股份有限公司 | Grey sample identification method and system
CN106162648A (en) * | 2015-04-17 | 2016-11-23 | 上海墨贝网络科技有限公司 | A kind of behavioral value method, server and system applying installation kit
CN105046113B (en) * | 2015-06-10 | 2018-01-05 | 国家计算机网络与信息安全管理中心 | Android software based on randomness test reinforces detection method
CN106844476A (en) * | 2016-12-23 | 2017-06-13 | 上海上讯信息技术股份有限公司 | A kind of method and apparatus for recognizing file format and correspondence integrality
CN106845233B (en) * | 2016-12-30 | 2019-09-17 | 北京瑞星网安技术股份有限公司 | UEFI safety detection method and system
CN108898019A (en) * | 2018-08-17 | 2018-11-27 | 广州瀚华建筑设计有限公司 | CAD checking and killing virus method, system, computer equipment and readable storage medium storing program for executing
CN110719271A (en) * | 2019-09-26 | 2020-01-21 | 杭州安恒信息技术股份有限公司 | Combined defense method for bypass flow detection equipment and terminal protection equipment
CN110851832A (en) * | 2019-11-12 | 2020-02-28 | 广东明创软件科技有限公司 | Virus false alarm prevention method, device, terminal equipment and storage medium
CN111368298B (en) * | 2020-02-27 | 2023-07-21 | 腾讯科技(深圳)有限公司 | Virus file identification method, device, equipment and storage medium
CN111783095A (en) * | 2020-07-28 | 2020-10-16 | 支付宝(杭州)信息技术有限公司 | Method and device for identifying malicious code of applet and electronic equipment
CN112364349A (en) * | 2020-11-30 | 2021-02-12 | 江苏极鼎网络科技有限公司 | Cell-phone APP intellectual detection system equipment
CN113805892B (en) * | 2021-09-17 | 2024-04-05 | 杭州云深科技有限公司 | Abnormal APK identification method, electronic equipment and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN1567118A (en) * | 2004-03-29 | 2005-01-19 | 四川大学 | Computer viruses detection and identification system and method
CN101924762A (en) * | 2010-08-18 | 2010-12-22 | 奇智软件(北京)有限公司 | Active defense method based on cloud security

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN100444075C (en) * | 2005-11-08 | 2008-12-17 | 北京网秦天下科技有限公司 | Virus feature extraction and detection system and method for mobile/smart terminals
CN100437614C (en) * | 2005-11-16 | 2008-11-26 | 白杰 | Method for identifying unknown virus programe and clearing method thereof
US8984628B2 (en) * | 2008-10-21 | 2015-03-17 | Lookout, Inc. | System and method for adverse mobile application identification
CN102254113A (en) * | 2011-06-27 | 2011-11-23 | 深圳市安之天信息技术有限公司 | Method and system for detecting and intercepting malicious code of mobile terminal
CN102346829B (en) * | 2011-09-22 | 2013-09-18 | 重庆大学 | Virus detection method based on ensemble classification

Also Published As

Publication number | Publication date
CN102708320A (en) | 2012-10-03

Similar Documents

Publication | Title
CN102708320B (en) | A virus APK identification method and device
CN102663286B (en) | A virus APK identification method and device
CN102663285B (en) | Extracting method and extracting device for APK (android package) virus characteristic code
US10114946B2 (en) | Method and device for detecting malicious code in an intelligent terminal
US10592676B2 (en) | Application security service
US8352484B1 (en) | Systems and methods for hashing executable files
RU2614557C2 (en) | System and method for detecting malicious files on mobile devices
US9525706B2 (en) | Apparatus and method for diagnosing malicious applications
US11916937B2 (en) | System and method for information gain for malware detection
CN104715199A (en) | Method and device for identifying viral APK (Android application package file)
US20140090054A1 (en) | System and Method for Detecting Anomalies in Electronic Documents
CN102789502B (en) | Method and device for scanning website
WO2015101044A1 (en) | Method and device for feature extraction
CN106709336A (en) | Method and apparatus for identifying malware
CN103761475A (en) | Method and device for detecting malicious code in intelligent terminal
CN106803040B (en) | Virus characteristic code processing method and device
CN104462971B (en) | The method and apparatus that malicious application is recognized according to application program stated features
WO2015101043A1 (en) | Method and device for detecting malicious code in smart terminal
CN104318161A (en) | Virus detection method and device for Android samples
CN112231697A (en) | Third-party SDK behavior detection method, device, medium and electronic equipment
CN104317599A (en) | Method and device for detecting whether installation package is packaged repeatedly or not
CN103793649A (en) | Method and device for cloud-based safety scanning of files
CN103559447A (en) | Detection method, detection device and detection system based on virus sample characteristics
CN104715200A (en) | Method and device for identifying viral APK (Android application package file)
CN111752570A (en) | Compiling method, device, terminal and computer readable storage medium

Legal Events

Code | Title | Description
C06 | Publication |
PB01 | Publication |
ASS | Succession or assignment of patent right | Owner name: BEIJING QIHU TECHNOLOGY CO., LTD.; free format text: FORMER OWNER: QIZHI SOFTWARE (BEIJING) CO., LTD.; effective date: 20121025. Owner name: QIZHI SOFTWARE (BEIJING) CO., LTD.; effective date: 20121025
C10 | Entry into substantive examination |
C41 | Transfer of patent application or patent right or utility model |
COR | Change of bibliographic data | Free format text: CORRECT: ADDRESS; FROM: 100016 CHAOYANG, BEIJING TO: 100088 XICHENG, BEIJING
SE01 | Entry into force of request for substantive examination |
TA01 | Transfer of patent application right | Effective date of registration: 20121025. Address after: Room 112, Block D, No. 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park). Applicant after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Applicant after: Qizhi software (Beijing) Co.,Ltd. Address before: 4th floor unit, Building C, No. 14 Jiuxianqiao Road, Chaoyang District, Beijing 100016. Applicant before: Qizhi software (Beijing) Co.,Ltd.
C14 | Grant of patent or utility model |
GR01 | Patent grant |
TR01 | Transfer of patent right | Effective date of registration: 20220801. Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015. Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd. Address before: Room 112, Block D, No. 28 Xinjiekouwai Street, Xicheng District, Beijing 100088 (Desheng Park). Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.; Patentee before: Qizhi software (Beijing) Co.,Ltd.

