CN103761475B - Method and device for detecting malicious code in intelligent terminal - Google Patents

Info

Publication number: CN103761475B
Authority: CN (China)
Prior art keywords: function, virtual machine, decompiling, execution file, machine execution
Legal status: Active
Application number: CN201310746029.XA
Other languages: Chinese (zh)
Other versions: CN103761475A
Inventors: 杨康, 陈卓, 唐海
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd

Events
  • Application filed by Beijing Qihoo Technology Co Ltd
  • Priority to CN201310746029.XA (CN103761475B)
  • Publication of CN103761475A
  • Priority to PCT/CN2014/083908 (WO2015101042A1)
  • Priority to US15/108,927 (US9792433B2)
  • Priority to PCT/CN2014/090032 (WO2015101096A1)
  • Application granted
  • Publication of CN103761475B
  • Priority to US15/714,721 (US10114946B2)
  • Legal status: Active (current)
  • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Telephone Function (AREA)

Abstract

The invention discloses a method and a device for detecting malicious code in an intelligent terminal. The method comprises: obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system; decompiling the virtual machine execution file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting a function call sequence from it; and matching the function call sequence against a preset malicious code feature library, confirming that the virtual machine execution file of the application program contains malicious code if the match succeeds. With the method and device, whether an application program contains malicious code can be analyzed and confirmed from its virtual machine execution file, so that tampered applications or malware can be scanned and removed and the security of the intelligent terminal ensured.

Description

Method and device for detecting malicious code in an intelligent terminal
Technical field
The present invention relates to the field of intelligent terminal security technology, and in particular to a method and device for detecting malicious code in an intelligent terminal.
Background technology
With the development of science and technology, intelligent terminals have more and more functions. For example, mobile phones have evolved from traditional GSM and TDMA digital phones into smartphones that can process multimedia resources and provide web browsing, video conferencing, e-commerce and other information services. However, mobile phone malicious code of ever more varied kinds is attacking these devices, the problem of personal data security is becoming increasingly serious, and more and more smartphone users suffer from mobile phone viruses.
The content of the invention
In view of the above problems, the present invention is proposed to provide a method and device for detecting malicious code in an intelligent terminal that overcome, or at least partly solve, the above problems.
According to one aspect of the present invention, a method for detecting malicious code in an intelligent terminal is provided, comprising: obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system; decompiling the virtual machine execution file to obtain a decompiled function information structure; parsing the decompiled function information structure and extracting the function call sequence from it; and matching the function call sequence against a preset malicious code feature library, determining that the virtual machine execution file of the application program contains malicious code if the match succeeds.
Preferably, the method also includes: obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure, and extracting the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the method also includes: determining the purpose (functionality) of the function by analyzing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions executed in order by the multiple function call sequences include: decrypting a string, creating a message signature instance, obtaining a pointer to the string, and hash encryption.
Preferably, matching the function call sequence using the preset malicious code feature library includes: performing function similarity matching and/or function feature fuzzy matching on the function call sequence using the preset malicious code feature library.
Preferably, a function with a certain purpose that is composed of the multiple function call sequences is taken as a target feature, and matching the function call sequence using the preset malicious code feature library includes: performing function similarity matching and/or function feature fuzzy matching on the target feature using the preset malicious code feature library.
Preferably, the virtual machine execution file is subjected to sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering.
Preferably, decompiling the virtual machine execution file to obtain the decompiled function information structure includes: parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class; and determining the position and size of each function of the virtual machine execution file from fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, determining the position and size of a function of the virtual machine execution file from fields in the function information structure includes: parsing the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function; and determining the position and size of the function from the bytecode array field and the list length field.
Preferably, decompiling the virtual machine execution file to obtain the decompiled function information structure includes: decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompilation tool.
Preferably, obtaining the virtual machine execution file of the application program from the application layer of the intelligent terminal operating system includes: finding the installation package of the application program in the application layer of the intelligent terminal operating system, and parsing the installation package to obtain the virtual machine execution file of the application program.
Preferably, the operating system is the Android system.
According to another aspect of the present invention, a device for detecting malicious code in an intelligent terminal is provided, comprising: a file acquiring unit, for obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system; a decompiling unit, for decompiling the virtual machine execution file to obtain a decompiled function information structure; an extraction unit, for parsing the decompiled function information structure and extracting the function call sequence from it; and a detection unit, for matching the function call sequence using a preset malicious code feature library and, if the match succeeds, determining that the virtual machine execution file of the application program contains malicious code.
Preferably, the device also includes a parsing unit for obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure, and the extraction unit extracts the function call sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function call sequences, and the device also includes a function purpose determining unit for determining the purpose of the function by analyzing the instructions of the multiple function call sequences executed in order.
Preferably, the instructions executed in order by the multiple function call sequences that the function purpose determining unit analyzes include: decrypting a string, creating a message signature instance, obtaining a pointer to the string, and hash encryption.
Preferably, the detection unit is specifically for performing function similarity matching and/or function feature fuzzy matching on the function call sequence using the preset malicious code feature library.
Preferably, the detection unit is specifically for performing function similarity matching and/or function feature fuzzy matching on a target feature using the preset malicious code feature library, where the target feature is a function with a certain purpose that is composed of the multiple function call sequences.
Preferably, the detection unit performs sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the virtual machine execution file.
Preferably, the decompiling unit is specifically for parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class, and determining the position and size of each function of the virtual machine execution file from fields in the function information structure, thereby obtaining the decompiled function information structure.
Preferably, the decompiling unit parses the function information structure to obtain the bytecode array field indicating the position of the function in the virtual machine execution file and the list length field indicating the size of the function, and determines the position and size of the function from the bytecode array field and the list length field.
Preferably, the decompiling unit is specifically for decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompilation tool.
Preferably, the acquiring unit is specifically for finding the installation package of the application program in the application layer of the intelligent terminal operating system, and parsing the installation package to obtain the virtual machine execution file of the application program.
Preferably, the operating system is the Android system.
It can be seen that the embodiment of the present invention obtains the function call sequence through format parsing and decompilation of the dex file, and matches features based on the function call sequence against the malicious code feature library, thereby determining whether the dex file contains malicious code. In addition, the purpose of a function can be determined by analyzing its function call sequence, so the code of a series of function call sequences can be matched as a target feature against the malicious code feature library, thereby determining whether the dex file contains malicious code.
With the solution of the present invention, whether an application program contains malicious code can be analyzed and determined from the application's dex file, so tampered applications or malware can be scanned and removed, protecting the security of the intelligent terminal.
The above is only an overview of the technical solution of the present invention. In order to understand the technical means of the present invention more clearly, so that it can be implemented according to the content of the description, and to make the above and other objects, features and advantages of the present invention more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a method for detecting malicious code in an intelligent terminal according to an embodiment of the present invention; and
Fig. 2 shows a schematic structural diagram of a device for detecting malicious code in an intelligent terminal according to an embodiment of the present invention.
Specific embodiments
Exemplary embodiments of the disclosure are described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the disclosure are shown in the drawings, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope can be fully conveyed to those skilled in the art.
Taking the Android operating system as an example, it includes an application layer (app layer) and a system framework layer (framework layer); other layers that it may include when divided by function are not covered by the present invention. Generally the app layer can be understood as the upper layer, responsible for the interface that interacts with the user, for example maintaining applications and, when a page is clicked, recognizing different types of click content so as to show different context menus. The framework layer is generally the middle layer. Its main responsibility is to forward downward the user requests obtained from the app layer, such as starting a program, clicking a link or clicking to save a picture, and to distribute the content processed by the lower layer to the upper layer, either by message or through an intermediate agent class, for display to the user.
Dalvik is the Java virtual machine for the Android platform. Dalvik has been optimized to allow multiple virtual machine instances to run simultaneously in limited memory, and each Dalvik application executes as an independent Linux process. Independent processes prevent all programs from being closed when one virtual machine crashes. The Dalvik virtual machine supports running Java applications that have been converted to the dex (Dalvik Executable) format, a compressed format designed specifically for Dalvik and suited to systems with limited memory and processor speed.
It can be seen that in the Android system a dex file is a virtual machine execution file that can be loaded and run directly in the Dalvik virtual machine (Dalvik VM). Through a complex compilation process, the ADT (Android Development Tools) convert Java source code into a dex file. The dex file is the result of optimization for embedded systems: the instruction code of the Dalvik virtual machine is not the standard Java virtual machine instruction code but a dedicated instruction set of its own. Many class names and constant strings are shared within the dex file, which makes it smaller and more efficient to run.
The inventors found in the course of their research that by parsing the dex file the purpose of the functions in the dex file can be learned, and hence whether the dex file contains malicious code can be judged (including the cases where the dex file is inherently malware and where the dex file has been tampered with).
Referring to Fig. 1, a flow chart of a method for detecting malicious code in an intelligent terminal according to an embodiment of the present invention is shown.
The method for detecting malicious code in an intelligent terminal comprises the following steps.
S101: Obtain the virtual machine execution file of the application program from the application layer of the intelligent terminal operating system, for example the dex file of the application program.
As stated above, the Android operating system includes an application layer (app layer) and a system framework layer (framework layer), and the present invention focuses on research into and improvement of the app layer. However, those skilled in the art will understand that when Android starts, the Dalvik VM monitors all programs (APK files) and frameworks and creates a dependency tree for them. The Dalvik VM optimizes the code of each program according to this dependency tree and stores it in the Dalvik cache (dalvik-cache), so that all programs use the optimized code at run time. When a program (or framework library) changes, the Dalvik VM re-optimizes the code and stores it in the cache again. cache/dalvik-cache holds the dex files generated for programs on the system, while data/dalvik-cache holds the dex files generated from data/app. That is, the present invention focuses on analyzing and processing the dex files generated from data/app, but it should be understood that the ideas and operations of the present invention apply equally to the dex files generated for programs on the system.
The dex file can be obtained by parsing the APK (Android Package, the Android installation package). An APK file is in fact a zip-format compressed archive whose extension has been changed to apk; after decompressing it with unzip, the dex file can be obtained.
S102: Decompile the dex file to obtain the decompiled function information structure.
There are several ways to decompile (or disassemble) a dex file.
The first way is to parse the dex file according to the dex file format and obtain the function information structure of each class; the position and size of each function in the dex file are then determined from fields of the function information structure, giving the decompiled function information structure. Specifically, by parsing the function information structure, the bytecode array field indicating the position of the function in the dex file and the list length field indicating the size of the function are obtained, and from these the position and size of the function in the dex file are determined.
For example, the dex file is parsed according to the dex file format, each class is found and its function information structure is obtained. Such a function information structure contains, for example, the fields in Table 1.
Table 1
The insns_size and insns fields in each function information structure represent the size and the position of the function respectively. Thus, from the two fields insns_size and insns, the information structure of the function can be decompiled. The decompiled information structure consists of Dalvik VM bytecode and is discussed in detail later.
The second way is to decompile the dex file into virtual machine bytecode using a dex file decompilation tool.
As introduced above, the Dalvik virtual machine runs Dalvik bytecode, which exists in the form of dex (Dalvik Executable) executable files, and the Dalvik virtual machine executes code by interpreting the dex file. There are currently tools that can disassemble a dex file into Dalvik assembly code. Such dex decompilation tools include baksmali, Dedexer 1.26, dexdump, dexinspector (03-12-12), IDA Pro, androguard, dex2jar and 010 Editor.
It can be seen that by decompiling the dex file, all decompiled function information structures can be obtained. The function information structure contains the execution code of the function, which in the embodiment of the present invention consists of a virtual machine instruction sequence and a virtual machine mnemonic sequence; in the example below, the function information structure is composed of the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence.
For example, the function information structure obtained by decompiling a dex file according to one embodiment of the present invention is as follows:
It can be seen that the dex file is decompiled into the Dalvik VM instruction sequence and the Dalvik VM mnemonic sequence.
S103: Parse the decompiled function information structure and extract the function call sequence from it.
In the example above, in the function information structure obtained by decompiling, the first two hex digits of each line of the machine code field are the instruction (opcode) sequence (circled on the left side of the example above), and the part corresponding to the instruction sequence is the mnemonic (on the right side of the example, partly circled, not all selected). Mnemonics exist mainly to make it easier for people to communicate and to write code.
In the example above, the instruction sequence of the function obtained by decompiling the dex file is: "125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a391238546e54710e012854136e". The mnemonic sequence is: "const/4 iget-object if-eqz invoke-static move-result-object invoke-virtual move-result-object invoke-virtual move-result if-eqz iget-object iget-object invoke-virtual move-result-object invoke-virtual iget-object invoke-virtual move-result-object invoke-virtual move-result-object if-eqz invoke-interface move-result if-nez const/4 if-eqz iget-object invoke-virtual iget-object invoke-static return-void move goto iget-object const/16 invoke-virtual".
Next, the function call sequence can be extracted from the above mnemonic sequence. The function call sequence refers to code with semantic functionality, for example code with functions such as string decryption and instance creation as described below.
The parts framed in the previous example are the relevant function calls.
These calls are extracted and arranged in calling order to form the function call sequence; the call sequence of a function basically describes the behaviour of that function.
In the example above:
1: "Lcom/mzhengDS;.DecryptString:Ljava/lang/String"
From code analysis it can be learned that the function decrypts a string.
2:
"invoke-static {v0}, Ljava/security/MessageDigest;.getInstance:Ljava/security/MessageDigest"
From code analysis it can be learned that the program creates a message signature instance; it can be guessed that it is probably preparing to encrypt the string processed in step 1 with a hash algorithm such as md5 or sha.
3: "invoke-virtual {v6}, Ljava/lang/String;.getBytes:[B"
The pointer to the string is obtained; it can be guessed that the string is probably the one decrypted in step 1, and that the pointer is obtained so that the instance from step 2 can encrypt the string.
4: "invoke-virtual {v0, v1}, Ljava/security/MessageDigest;.update:V";
"invoke-virtual {v0}, Ljava/security/MessageDigest;.digest:[B"
These two function calls confirm the above judgement: from the function names it is known that this is hash encryption of data.
It can be seen from the above example that the purpose of this function can be determined from its function call sequence with basic analysis.
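The following Python is an added example and not code from the patent or from Qihoo. It carries out the first decompilation approach (reading a function's size and position from the insns_size and insns fields of its code_item) together with step S103 (walking the instruction sequence, reading the mnemonics and collecting the invoked methods into a function call sequence). The code_item layout and the opcode values and instruction lengths come from the public dex format; the method table, the register numbers and the method body are constructed here for illustration, and only the opcodes that occur in the page's sample are recognized.

```python
"""Added example (not the patent's or Qihoo's code): read a method body from a
Dalvik code_item and extract its function call sequence.

Assumed layout (public dex format): registers_size u2, ins_size u2, outs_size u2,
tries_size u2, debug_info_off u4, insns_size u4 (in 16-bit units), then insns[].
The method table, registers and method body below are constructed for illustration.
"""
import struct

# opcode -> (mnemonic, instruction length in 16-bit code units). Only the opcodes
# that occur in the page's sample are listed; anything else stops the walk.
OPCODES = {
    0x01: ("move", 1),               0x0a: ("move-result", 1),
    0x0c: ("move-result-object", 1), 0x0e: ("return-void", 1),
    0x12: ("const/4", 1),            0x13: ("const/16", 2),
    0x28: ("goto", 1),               0x38: ("if-eqz", 2),
    0x39: ("if-nez", 2),             0x54: ("iget-object", 2),
    0x6e: ("invoke-virtual", 3),     0x71: ("invoke-static", 3),
    0x72: ("invoke-interface", 3),
}
INVOKES = {0x6e, 0x71, 0x72}

# Opcode bytes quoted on the page (operands already stripped by the decompiler).
PAGE_OPCODES = ("125438710c6e0c6e0a3854546e0c6e546e0c6e0c38720a39"
                "1238546e54710e012854136e")

# Constructed stand-in for the dex method_ids table.
METHOD_IDS = {
    0: "Lcom/mzhengDS;.DecryptString:Ljava/lang/String",
    1: "Ljava/security/MessageDigest;.getInstance:Ljava/security/MessageDigest",
    2: "Ljava/lang/String;.getBytes:[B",
    3: "Ljava/security/MessageDigest;.update:V",
    4: "Ljava/security/MessageDigest;.digest:[B",
}


def decode_opcode_string(hexstr):
    """Map an opcode-only hex string (one byte per instruction) to mnemonics."""
    return [OPCODES[int(hexstr[i:i + 2], 16)][0] for i in range(0, len(hexstr), 2)]


def parse_code_item(data, offset=0):
    """Return (insns_size, insns): the list-length field and the bytecode array
    field that give a function's size and position inside the dex file."""
    fields = struct.unpack_from("<HHHHII", data, offset)
    insns_size = fields[5]
    start = offset + 16
    insns = data[start:start + 2 * insns_size]
    if len(insns) != 2 * insns_size:
        raise ValueError("truncated code_item")
    return insns_size, insns


def disassemble(insns):
    """Walk the code units; return (mnemonic, method_idx or None) per instruction."""
    result, pos = [], 0
    while pos < len(insns):
        unit = struct.unpack_from("<H", insns, pos)[0]
        op = unit & 0xFF                  # low byte of the first unit is the opcode
        if op not in OPCODES:
            raise ValueError("unsupported opcode 0x%02x at unit %d" % (op, pos // 2))
        name, length = OPCODES[op]
        method_idx = None
        if op in INVOKES:                 # 35c format: the second unit is the method index
            method_idx = struct.unpack_from("<H", insns, pos + 2)[0]
        result.append((name, method_idx))
        pos += 2 * length
    return result


def call_sequence(insns, method_ids=METHOD_IDS):
    """The function call sequence: invoked methods in execution order."""
    return [method_ids[idx] for _, idx in disassemble(insns) if idx is not None]


def build_sample_code_item():
    """Constructed method body reproducing the decrypt-then-hash calls discussed above."""
    units = [
        0x0071, 0x0000, 0x0000,   # invoke-static, method 0 (DecryptString)
        0x000c,                   # move-result-object v0
        0x0071, 0x0001, 0x0000,   # invoke-static, method 1 (getInstance)
        0x000c,                   # move-result-object v0
        0x106e, 0x0002, 0x0006,   # invoke-virtual {v6}, method 2 (getBytes)
        0x010c,                   # move-result-object v1
        0x206e, 0x0003, 0x0010,   # invoke-virtual {v0, v1}, method 3 (update)
        0x106e, 0x0004, 0x0000,   # invoke-virtual {v0}, method 4 (digest)
        0x000e,                   # return-void
    ]
    insns = b"".join(struct.pack("<H", u) for u in units)
    header = struct.pack("<HHHHII", 7, 0, 2, 0, 0, len(units))  # insns_size = 19
    return header + insns


if __name__ == "__main__":
    size, body = parse_code_item(build_sample_code_item())
    print(size, [m for m, _ in disassemble(body)])
    print(call_sequence(body))
```

decode_opcode_string re-derives the page's mnemonic list from the 36 opcode bytes quoted above; parse_code_item and disassemble do the real work on a code_item, where operands are present and the invoked method index is read from the second code unit of each invoke instruction, so the call sequence comes out as method descriptors rather than bare mnemonics.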
S104: Match the function call sequence using the preset malicious code feature library; if the match succeeds, determine that the dex file of the application program contains malicious code.
Malicious code refers to program code that spreads through storage media or networks, destroys the integrity of the operating system without authorization, and steals undisclosed secret information from the system. Taking mobile phones as an example, mobile phone malicious code refers to malicious code aimed at handheld devices such as mobile phones and PDAs. It can be simply divided into replicating malicious code and non-replicating malicious code. Replicating malicious code mainly includes viruses (Virus) and worms (Worm); non-replicating malicious code mainly includes backdoor Trojans (Trojan Horse), rogue software (Rogue Software), malicious mobile code (Malicious Mobile Code) and rootkit programs.
Mobile phone malicious code protection technology protects against malicious code. There are many protection methods. For example, the feature-value (signature) scanning method requires learning in advance to build a malicious code feature library. A feature value kept in the library can be a continuous fixed string, or a discontinuous string made of several segments with other undetermined characters between them, from which the feature string is determined. During scanning, the file or memory to be examined is checked against the feature values or feature strings in the library, and if a match is found the target is determined to be infected with malicious code. Another example is malicious code protection based on virtual machine technology. This kind of protection scheme is aimed mainly at polymorphic and metamorphic viruses. A virtual machine here means a complete computer whose hardware functions are fully simulated by software and which runs in a completely isolated environment. The scheme is also called software simulation: it is a software analyzer that simulates and analyzes the running of a program by software. Its essence is to simulate a small closed program execution environment in memory, in which every file to be scanned is executed virtually. When scanning with virtual machine technology, feature-value scanning is used first; when the target is found to carry the features of encrypted malicious code, the virtual machine module is started so that the encrypted code decodes itself, after which it can be scanned with the traditional feature-value scanning method. A further example is the heuristic scanning method. Heuristic scanning is aimed mainly at continuously mutating malicious code and at strengthening the study of unknown malicious code. The term "heuristic" comes from artificial intelligence and refers to "the ability of self-discovery" or "the knowledge and skill to judge things by some means or method". Heuristic scanning of malicious code means that the scanning software finds viruses by analyzing the structure and behaviour of a program using rules extracted from experience. Because malicious code aims to infect and destroy, its common behaviours all have certain features, such as unconventional reading and writing of files, terminating itself, or unconventionally entering ring 0. Whether a program is malicious code can therefore be judged by scanning for a specific behaviour or a combination of behaviours. In addition, similar-sample clustering can be performed on the target program, for example clustering the similar samples selected for analysis with the K-means clustering algorithm.
Whatever the protection method, its core has two parts: a well-organised malicious code feature database, and an efficient scanning algorithm (also called a matching algorithm). Matching algorithms are generally divided into single-pattern matching algorithms and multi-pattern matching algorithms. Single-pattern matching algorithms include the BF (Brute-Force) algorithm, the KMP (Knuth-Morris-Pratt) algorithm, the BM (Boyer-Moore) algorithm and the QS (Quick Search) algorithm. Multi-pattern matching algorithms include the classical DFSA multi-pattern matching algorithm and multi-pattern matching based on an ordered binary tree. Matching algorithms can also be divided into fuzzy matching algorithms and similarity matching algorithms. Take the BF algorithm as an example: it is a simple and intuitive single-pattern matching algorithm and belongs to the fuzzy matching algorithms. Its basic idea is as follows. The first character s1 of the main string s is compared with the first character t1 of the pattern t; if they are equal, the subsequent characters are compared one by one; otherwise the second character s2 of s is compared with t1, and so on, until either every character of t in turn equals a contiguous character sequence in s (the match succeeds), in which case the position in the main string of the first character of that substring is returned, or no substring equal to t can be found in s (the match fails), in which case 0 is returned. Take the KMP algorithm as another example: it is an improved pattern-matching algorithm, and its greatest improvement over the BF algorithm is that it uses the "partial match" information implicit in the pattern, so that when a mismatch occurs the pointer i in the main string (pointing at the mismatched character) need not backtrack, while the pointer j in the pattern (pointing at the position to be compared next) is "slid" backwards as far as possible before the comparison continues.
This slide K is obtained from the next function. The KMP algorithm can be described as follows: let the pointers i and j indicate the characters currently being compared in the main string and the pattern respectively; if si equals tj, i and j are each increased by 1; if si is not equal to tj, i stays unchanged and j falls back to position next(j) before the comparison is repeated; this continues until either a substring equal to the pattern string is found in the main string, or the whole main string has been searched without finding a substring equal to the pattern string, at which point the algorithm terminates.
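The two single-pattern algorithms described above, as an added illustration that is not part of the patent, in Python. Both functions follow the text's convention of returning the 1-based position of the match or 0 on failure; each also reports how many character comparisons it made, which shows the point of the next function: on a repetitive main string BF re-examines characters that KMP never revisits. The input strings are constructed for the example.

```python
def bf_match(s, t):
    """Brute-force (BF) match of pattern t in main string s.

    Returns (position, comparisons): position is 1-based as in the text
    (0 when t does not occur in s); comparisons counts character tests.
    """
    n, m = len(s), len(t)
    comparisons = 0
    if m == 0 or m > n:
        return 0, comparisons
    for i in range(n - m + 1):          # i: candidate start in the main string
        j = 0
        while j < m:
            comparisons += 1
            if s[i + j] != t[j]:
                break                   # mismatch: restart one position later (i backtracks)
            j += 1
        if j == m:
            return i + 1, comparisons
    return 0, comparisons


def kmp_next(t):
    """Failure table for KMP: nxt[j] is the length of the longest proper prefix of
    t[:j] that is also a suffix of t[:j]; nxt[0] is -1 as a sentinel."""
    nxt = [0] * (len(t) + 1)
    nxt[0] = -1
    k = -1
    for j in range(len(t)):
        while k >= 0 and t[k] != t[j]:
            k = nxt[k]
        k += 1
        nxt[j + 1] = k
    return nxt


def kmp_match(s, t):
    """KMP match with the same return convention as bf_match.

    The main-string pointer i never moves backwards; on a mismatch only the
    pattern pointer j slides back to nxt[j].
    """
    n, m = len(s), len(t)
    comparisons = 0
    if m == 0 or m > n:
        return 0, comparisons
    nxt = kmp_next(t)
    i = j = 0
    while i < n and j < m:
        if j == -1:                     # slid off the front of the pattern: advance i, restart t
            i += 1
            j = 0
            continue
        comparisons += 1
        if s[i] == t[j]:
            i += 1
            j += 1
        else:
            j = nxt[j]                  # slide the pattern; i is unchanged
    if j == m:
        return i - m + 1, comparisons
    return 0, comparisons


if __name__ == "__main__":
    main, pattern = "aaaaaaab", "aaab"   # constructed input that makes BF backtrack repeatedly
    print("BF :", bf_match(main, pattern))    # (5, 20)
    print("KMP:", kmp_match(main, pattern))   # (5, 12)
```

On the constructed input both find the pattern at position 5, but BF needs 20 comparisons where KMP needs 12, because after each mismatch KMP keeps i in place and only moves j back to nxt[j].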
In this step, the pre-set malicious code feature database is used to match the function calling sequence; if the match succeeds, the dex file of the application program is determined to contain malicious code. Specifically, two cases are included. In the first case, the function calling sequence itself is the target of the scan: the pre-set malicious code feature database is used to scan the function calling sequence, for example by functional similarity matching or by function feature fuzzy matching. In the second case, a function with a certain function (behaviour) composed of multiple function calling sequences is taken as the target feature: the pre-set malicious code feature database is used to scan the target feature, again for example by functional similarity matching or by function feature fuzzy matching.
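The two scanning modes of this step, as an added example that is not part of the patent: a function calling sequence (here a list of called-method names) is compared against each entry of a feature database by a similarity score (normalised longest-common-subsequence length, one concrete way to realise "functional similarity matching") and by an ordered-subsequence test (my interpretation of "function feature fuzzy matching", which tolerates unrelated calls interleaved between the feature's calls). The feature database, the method names and the sequences under scan are all constructed for the example; the feature entry mirrors the instruction order the patent gives later as its example.

```python
def lcs_length(a, b):
    """Length of the longest common subsequence of two call sequences (order kept, gaps allowed)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(seq, feature):
    """Dice-style score in [0, 1]: 1.0 means the sequences are identical."""
    if not seq or not feature:
        return 0.0
    return 2.0 * lcs_length(seq, feature) / (len(seq) + len(feature))


def fuzzy_contains(seq, feature):
    """True when every call of `feature` appears in `seq` in the same order, with any
    number of other calls in between (so padding calls do not hide the pattern)."""
    it = iter(seq)
    return all(any(call == f for call in it) for f in feature)


def scan_sequence(seq, feature_db, threshold=0.6):
    """Match `seq` against each database entry; return the entries that fire and why.

    An entry fires when the fuzzy (subsequence) test holds or the similarity
    score reaches `threshold`.
    """
    hits = []
    for name, feature in feature_db.items():
        score = similarity(seq, feature)
        contained = fuzzy_contains(seq, feature)
        if contained or score >= threshold:
            hits.append((name, round(score, 3), contained))
    return hits


# Constructed feature database: one entry modelled on the instruction order the
# patent cites (decrypt string -> create signature instance -> substring -> hash).
FEATURE_DB = {
    "constructed-sig-check-pattern": [
        "decryptString", "createSignatureInstance", "substring", "hashEncrypt",
    ],
}

# Constructed call sequences, as an extraction step might produce them.
SUSPECT_CALLS = ["Object.<init>", "decryptString", "createSignatureInstance",
                 "Log.d", "substring", "hashEncrypt", "openConnection"]
BENIGN_CALLS = ["Object.<init>", "substring", "Log.d"]

if __name__ == "__main__":
    print(scan_sequence(SUSPECT_CALLS, FEATURE_DB))   # fires: subsequence present, score 0.727
    print(scan_sequence(BENIGN_CALLS, FEATURE_DB))    # []
```

The threshold is a tuning knob: a low value catches more variants of a known sequence but also raises false positives on common call patterns, so the subsequence test is the stronger signal and the score mainly ranks near-misses for analyst review.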
It should be noted that the present invention does not restrict which malicious code protection scheme is used to detect the malicious code; for example, the sample feature scanning described above (feature value scanning), virtual-machine-based scanning or heuristic scanning may be used, and similar-sample clustering may also be performed. Nor is the matching algorithm restricted; for example, the fuzzy matching algorithm or the similarity matching algorithm described above may be used.
It can be seen that, the embodiment of the present invention obtains function calling sequence by the format analysis to dex files and decompiling, leads to Cross feature based on function calling sequence, carry out being matched with malicious code feature database, so that it is determined that whether dex files Comprising malicious code.Additionally, by function calling sequence, the function of determining function can be analyzed, therefore, it can a series of letters The code of number calling sequence carries out being matched with malicious code feature database, so that it is determined that dex files as a target characteristic Whether malicious code is included.
Using the scheme of the present invention, the dex file of an application program can be analysed to determine whether the application program contains malicious code, so that tampered application programs or malware can be detected and removed, protecting the security of the intelligent terminal.
Corresponding to the above method, the embodiment of the present invention also provides a device for detecting malicious code in an intelligent terminal. The device may be realised by software, by hardware, or by a combination of software and hardware. Specifically, the device may be a terminal unit, or a functional entity inside a device; for example, the device may be a functional module inside a mobile phone. Preferably, the device operates under the Android operating system.
Referring to Fig. 2, the device includes a file obtaining unit 201, a decompiling unit 202, an extraction unit 203 and a detector unit 204.
Wherein:
The file obtaining unit 201 is used to obtain the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system, for example to obtain the dex file;
The decompiling unit 202 is used to decompile the dex file and obtain the decompiled function information structure;
The extraction unit 203 is used to parse the decompiled function information structure and extract the function calling sequence from it;
The detector unit 204 is used to match the function calling sequence using the pre-set malicious code feature database and, if the match succeeds, to determine that the dex file of the application program contains malicious code.
Preferably, the device also includes a resolution unit 205:
The resolution unit 205 is used to obtain a virtual machine mnemonic sequence by parsing the decompiled function information structure;
In this case, the extraction unit 203 extracts the function calling sequence from the virtual machine mnemonic sequence.
Preferably, there are multiple function calling sequences; in this case the device also includes:
A function performance determining unit 206, used to determine the function (behaviour) of a function by analysing the instructions that the multiple function calling sequences perform in order.
For example, the instructions that the multiple function calling sequences perform in order, as determined by the function performance determining unit 206, may include: decrypting a character string, creating a signature instance, obtaining a substring of the character string, and hash encryption.
Here the detector unit 204 is specifically used to perform functional similarity matching and/or function feature fuzzy matching on the function calling sequence using the pre-set malicious code feature database;
Or, the detector unit 204 is specifically used to perform functional similarity matching and/or function feature fuzzy matching on the target feature using the pre-set malicious code feature database, where the target feature refers to the function with a certain function composed of the multiple function calling sequences determined by the function performance determining unit 206.
In addition, the detector unit 204 performs sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the dex file.
The decompiling unit 202 is specifically used to parse the dex file according to the dex file format to obtain the function information structure of each class and, according to the fields in the function information structure, to determine the position and size of each function of the dex file, thereby obtaining the decompiled function information structure. Further, the decompiling unit 202 is also used to parse the function information structure to obtain the bytecode array field that indicates the position of a function in the dex file and the list length field that indicates the size of that function, and to determine the position and size of the function from the bytecode array field and the list length field;
Or, the decompiling unit 202 is specifically used to decompile the dex file into virtual machine bytecode using a dex file decompiling tool.
The acquiring unit 201 is specifically used to find the installation package of the application program in the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the dex file of the application program.
For implementation details of the device, refer to the method embodiment; they are not repeated here.
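An added example (not the patent's code) of what the format-parsing path of the decompiling unit and the extraction unit do, written in Python against the real Dalvik dex layout: each method's bytecode lives in a code_item whose 16-byte header ends with insns_size (the length of the instruction list, in 16-bit code units), followed by the insns array itself. I take these to be the "list length field" and "bytecode array field" the text refers to; that mapping is my reading, not a statement of the patent. The parser locates and sizes the function from those two fields with bounds checks, then walks the instructions and records the method index of every invoke-* instruction, yielding the function calling sequence. The opcode values are real; the instruction-length table covers only the opcodes used in the constructed sample and the parser refuses anything else; the method-name table and the code_item bytes are constructed for the example.

```python
import struct

# Dalvik opcodes (real values) whose instructions call a method; the method index
# is the second 16-bit code unit of a format-35c instruction.
INVOKE_OPCODES = {
    0x6E: "invoke-virtual", 0x6F: "invoke-super", 0x70: "invoke-direct",
    0x71: "invoke-static", 0x72: "invoke-interface",
}

# Instruction lengths in 16-bit code units for the opcodes this example handles.
# A real extractor needs the full opcode table; unknown opcodes raise below.
INSN_UNITS = {
    0x0C: 1,  # move-result-object
    0x0E: 1,  # return-void
    0x12: 1,  # const/4
    0x6E: 3, 0x6F: 3, 0x70: 3, 0x71: 3, 0x72: 3,  # invoke-kind (format 35c)
}

# code_item header: registers_size, ins_size, outs_size, tries_size (u2 each),
# debug_info_off, insns_size (u4 each); insns (u2[insns_size]) follows directly.
CODE_ITEM_HEADER = struct.Struct("<HHHHII")


def locate_function(dex, code_off):
    """Return (insns_offset, insns_size_units, insns_bytes) for the code_item at code_off.

    insns_offset is the function's position in the file and insns_size its size
    (in code units), read from the list length field; both are bounds-checked so
    a truncated or hostile file cannot make the parser read past the buffer.
    """
    if code_off < 0 or code_off + CODE_ITEM_HEADER.size > len(dex):
        raise ValueError("code_item header out of bounds")
    _regs, _ins, _outs, _tries, _dbg, insns_size = CODE_ITEM_HEADER.unpack_from(dex, code_off)
    start = code_off + CODE_ITEM_HEADER.size
    end = start + 2 * insns_size
    if end > len(dex):
        raise ValueError("insns array out of bounds (insns_size=%d)" % insns_size)
    return start, insns_size, dex[start:end]


def call_sequence(insns, method_names):
    """Walk the instruction stream and return [(invoke-kind, method name), ...] in order."""
    units = struct.unpack("<%dH" % (len(insns) // 2), insns)
    pc, calls = 0, []
    while pc < len(units):
        opcode = units[pc] & 0xFF                      # low byte of the first code unit
        length = INSN_UNITS.get(opcode)
        if length is None:
            raise ValueError("opcode 0x%02x at unit %d not in this example's table" % (opcode, pc))
        if pc + length > len(units):
            raise ValueError("instruction at unit %d runs past end of insns" % pc)
        if opcode in INVOKE_OPCODES:
            method_idx = units[pc + 1]
            calls.append((INVOKE_OPCODES[opcode],
                          method_names.get(method_idx, "method@%d" % method_idx)))
        pc += length
    return calls


# Constructed method_ids table (index -> name), mirroring the patent's example order.
METHOD_NAMES = {0: "decryptString", 1: "createSignatureInstance", 2: "substring", 3: "hashEncrypt"}

# Constructed instruction stream (17 code units): const/4 v0; invoke-static {v0}, m0;
# move-result-object v1; invoke-virtual {v1}, m1; move-result-object v2;
# invoke-virtual {v2}, m2; move-result-object v3; invoke-static {v3}, m3; return-void.
SAMPLE_UNITS = [0x0012,
                0x1071, 0x0000, 0x0000, 0x010C,
                0x116E, 0x0001, 0x0001, 0x020C,
                0x126E, 0x0002, 0x0002, 0x030C,
                0x1071, 0x0003, 0x0003,
                0x000E]
CODE_OFF = 8  # constructed: the code_item is placed after 8 bytes of filler
SAMPLE_DEX = (b"\x00" * CODE_OFF
              + CODE_ITEM_HEADER.pack(4, 1, 1, 0, 0, len(SAMPLE_UNITS))
              + struct.pack("<%dH" % len(SAMPLE_UNITS), *SAMPLE_UNITS))


def extract_from_sample():
    """Position, size and function calling sequence of the constructed method."""
    start, size, insns = locate_function(SAMPLE_DEX, CODE_OFF)
    return start, size, call_sequence(insns, METHOD_NAMES)


if __name__ == "__main__":
    print(extract_from_sample())
```

The sequence that comes out (decryptString, createSignatureInstance, substring, hashEncrypt) is exactly the kind of ordered call list the detector unit then matches; the bounds checks matter because the dex file under analysis is attacker-controlled input to the scanner itself.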
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It will be understood that various programming languages may be used to realise the content of the invention described herein, and that the description given above of a specific language is intended to disclose the best mode of the present invention.
In the description provided herein, a large number of specific details are set out. It will be appreciated, however, that embodiments of the present invention may be practised without these specific details. In some instances, known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it will be appreciated that, in order to simplify the disclosure and aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the present invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the specific embodiments are therefore expressly incorporated into those specific embodiments, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Moreover, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not other features, combinations of the features of different embodiments are meant to be within the scope of the present invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The embodiments of the various components of the present invention may be realised in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to realise some or all of the functions of some or all of the components of the device for detecting malicious code in an intelligent terminal according to embodiments of the present invention. The present invention may also be implemented as equipment or device programs (for example, computer programs and computer program products) for performing some or all of the methods described herein. Such programs realising the present invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments describe rather than limit the present invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between brackets shall not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" before an element does not exclude the presence of multiple such elements. The present invention may be realised by means of hardware including several different elements and by means of a suitably programmed computer. In a unit claim listing several devices, several of these devices may be embodied by the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.
The invention discloses the following schemes:
A1. A method for detecting malicious code in an intelligent terminal, including:
obtaining the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system;
decompiling the virtual machine execution file to obtain a decompiled function information structure;
parsing the decompiled function information structure and extracting the function calling sequence from it;
matching the function calling sequence using a pre-set malicious code feature database and, if the match succeeds, determining that the virtual machine execution file of the application program contains malicious code.
A2. The method of A1, also including:
obtaining a virtual machine mnemonic sequence by parsing the decompiled function information structure;
extracting the function calling sequence from the virtual machine mnemonic sequence.
A3. The method of A1, wherein there are multiple function calling sequences, and the method also includes:
determining the function of the function by analysing the instructions that the multiple function calling sequences perform in order.
A4. The method of A3, wherein the instructions performed in order by the multiple function calling sequences include: decrypting a character string, creating a signature instance, obtaining a substring of the character string, and hash encryption.
A5. The method of A1, wherein matching the function calling sequence using the pre-set malicious code feature database includes:
performing functional similarity matching and/or function feature fuzzy matching on the function calling sequence using the pre-set malicious code feature database.
A6. The method of A3, wherein the function with a certain function composed of the multiple function calling sequences is taken as the target feature;
and matching the function calling sequence using the pre-set malicious code feature database includes:
performing functional similarity matching and/or function feature fuzzy matching on the target feature using the pre-set malicious code feature database.
A7. The method of A1, wherein sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering is performed on the virtual machine execution file.
A8. The method of A1, wherein decompiling the virtual machine execution file to obtain the decompiled function information structure includes:
parsing the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class;
determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure, to obtain the decompiled function information structure.
A9. The method of A8, wherein determining the position and size of the function of the virtual machine execution file according to the fields in the function information structure includes:
parsing the function information structure to obtain the bytecode array field that indicates the position of the function in the virtual machine execution file and the list length field that indicates the size of that function;
determining the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
A10. The method of A1, wherein decompiling the virtual machine execution file to obtain the decompiled function information structure includes:
decompiling the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
A11. The method of A1, wherein obtaining the virtual machine execution file of the application program from the application layer of the intelligent terminal operating system includes:
finding the installation package of the application program in the application layer of the intelligent terminal operating system;
parsing the installation package to obtain the virtual machine execution file of the application program.
A12. The method of any one of A1-A11, wherein the operating system is the Android system.
B13. A device for detecting malicious code in an intelligent terminal, including:
a file obtaining unit, used to obtain the virtual machine execution file of an application program from the application layer of the intelligent terminal operating system;
a decompiling unit, used to decompile the virtual machine execution file to obtain a decompiled function information structure;
an extraction unit, used to parse the decompiled function information structure and extract the function calling sequence from it;
a detector unit, used to match the function calling sequence using a pre-set malicious code feature database and, if the match succeeds, to determine that the virtual machine execution file of the application program contains malicious code.
B14. The device of B13, also including:
a resolution unit, used to obtain a virtual machine mnemonic sequence by parsing the decompiled function information structure;
wherein the extraction unit extracts the function calling sequence from the virtual machine mnemonic sequence.
B15. The device of B13, wherein there are multiple function calling sequences, and the device also includes:
a function performance determining unit, used to determine the function of the function by analysing the instructions that the multiple function calling sequences perform in order.
B16. The device of B15, wherein the instructions performed in order by the multiple function calling sequences determined by the function performance determining unit include: decrypting a character string, creating a signature instance, obtaining a substring of the character string, and hash encryption.
B17. The device of B13, wherein the detector unit is specifically used to perform functional similarity matching and/or function feature fuzzy matching on the function calling sequence using the pre-set malicious code feature database.
B18. The device of B15, wherein the detector unit is specifically used to perform functional similarity matching and/or function feature fuzzy matching on a target feature using the pre-set malicious code feature database, where the target feature refers to the function with a certain function composed of the multiple function calling sequences.
B19. The device of B13, wherein the detector unit performs sample feature scanning, virtual-machine-based scanning, heuristic scanning and/or similar-sample clustering on the virtual machine execution file.
B20. The device of B13, wherein the decompiling unit is specifically used to parse the virtual machine execution file according to the virtual machine execution file format to obtain the function information structure of each class, and to determine the position and size of the function of the virtual machine execution file according to the fields in the function information structure, obtaining the decompiled function information structure.
B21. The device of B20, wherein the decompiling unit parses the function information structure to obtain the bytecode array field that indicates the position of the function in the virtual machine execution file and the list length field that indicates the size of that function, and determines the position and size of the function of the virtual machine execution file according to the bytecode array field and the list length field.
B22. The device of B13, wherein the decompiling unit is specifically used to decompile the virtual machine execution file into virtual machine bytecode using a virtual machine execution file decompiling tool.
B23. The device of B13, wherein the acquiring unit is specifically used to find the installation package of the application program in the application layer of the intelligent terminal operating system, and to parse the installation package to obtain the virtual machine execution file of the application program.
B24. The device of any one of B13-B23, wherein the operating system is the Android system.

Claims (18)

1. it is a kind of detection intelligent terminal in malicious code method, it is characterised in that include:
From the application layer of intelligent terminal operation system, the virtual machine execution file of application program is obtained;
Decompiling is carried out to the virtual machine execution file, the function information structure of decompiling is obtained;
The function information structure of the decompiling is parsed, virtual machine memonic symbol sequence is obtained;From the virtual machine memonic symbol sequence In extract function calling sequence in the function information structure of the decompiling, wherein, the function calling sequence refers to tool There is the code of semantic function, and the function calling sequence is multiple;
By the instruction for analyzing the multiple function calling sequences for performing in order, the function of the function is determined, will be described many The function with certain function that individual function calling sequence is constituted is used as target characteristic;
Using the malicious code feature database for pre-setting, the target characteristic is matched, if the match is successful, it is determined that institute The virtual machine execution file for stating application program includes malicious code.
2. the method for claim 1, it is characterised in that the instruction that the plurality of function calling sequence is performed in order Including:Decryption character string, establishment information signature example, the sub- pin of acquisition character string, Hash encryption.
3. the method for claim 1, it is characterised in that described using the malicious code feature database for pre-setting, to institute Stating target characteristic and carrying out matching includes:
Using the malicious code feature database for pre-setting, functional similarity degree matching is carried out to the target characteristic, and/or, to institute Stating target characteristic carries out Function feature fuzzy matching.
4. the method for claim 1, it is characterised in that the virtual machine execution file is carried out sample characteristics killing, Based on virtual machine killing, heuristic killing, and/or, similar sample clustering.
5. the method for claim 1, it is characterised in that described to carry out decompiling to the virtual machine execution file, obtains Function information structure to decompiling includes:
Virtual machine execution file is parsed according to virtual machine execution file form, obtains the function information structure of each class Body;
According to the field in the function information structure, position and the size of the function of the virtual machine execution file are determined, Obtain the function information structure of the decompiling.
6. method as claimed in claim 5, it is characterised in that the field in the structure according to function information, determines institute The position and size for stating the function of virtual machine execution file includes:
Parse the function information structure, obtain indicate virtual machine execution file function position bytecode array field with And the list length field of the function size of instruction virtual machine execution file;
According to the bytecode array field and the list length field, the function of the virtual machine execution file is determined Position and size.
7. the method for claim 1, it is characterised in that described to carry out decompiling to the virtual machine execution file, obtains Function information structure to decompiling includes:
It is Virtual Machine bytecodes by the virtual machine execution file decompiling using virtual machine execution file decompiling instrument.
8. the method for claim 1, it is characterised in that the application layer from intelligent terminal operation system, obtains Taking the virtual machine execution file of application program includes:
From the application layer of intelligent terminal operation system, the installation kit of the application program is found;
The installation kit is parsed, the virtual machine execution file of the application program is obtained.
9. the method as described in any one of claim 1-8, it is characterised in that the operating system refers to Android system.
10. it is a kind of detection intelligent terminal in malicious code device, it is characterised in that include:
File obtaining unit, for from the application layer of intelligent terminal operation system, the virtual machine for obtaining application program to be performed File;
Decompiling unit, for carrying out decompiling to the virtual machine execution file, obtains the function information structure of decompiling;
Resolution unit, for by the function information structure of the parsing decompiling, obtaining virtual machine memonic symbol sequence;
Extraction unit, for extract the decompiling from the virtual machine memonic symbol sequence function information structure in letter Number calling sequence, wherein, the function calling sequence refers to the code with semantic function, and the function calling sequence is many It is individual;
Function performance determining unit, the instruction of the multiple function calling sequences for being performed in order by analysis, determines institute The function of function is stated, the function with certain function that the plurality of function calling sequence is constituted is used as target characteristic;
Detector unit, for using the malicious code feature database for pre-setting, matching to the target characteristic, if matching Success, it is determined that the virtual machine execution file of the application program includes malicious code.
11. devices as claimed in claim 10, it is characterised in that multiple functions that the function performance determining unit determines are adjusted The instruction performed in order with sequence includes:Decryption character string, establishment information signature example, the sub- pin of acquisition character string, Hash Encryption.
12. devices as claimed in claim 10, it is characterised in that the detector unit is specifically for using what is pre-set Malicious code feature database, functional similarity degree matching is carried out to the target characteristic, and/or, line function is entered to the target characteristic Feature Fuzzy is matched.
13. devices as claimed in claim 10, it is characterised in that the detector unit is carried out to the virtual machine execution file Sample characteristics killing, based on virtual machine killing, heuristic killing, and/or, similar sample clustering.
14. devices as claimed in claim 10, it is characterised in that the decompiling unit according to virtual machine specifically for holding Row file format is parsed to virtual machine execution file, obtains the function information structure of each class;Believed according to the function Field in breath structure, determines position and the size of the function of the virtual machine execution file, obtains the letter of the decompiling Number message structure.
15. devices as claimed in claim 14, it is characterised in that the decompiling unit, parse the function information structure Body, the bytecode array field for obtaining the function position of instruction virtual machine execution file and the letter for indicating virtual machine execution file The list length field of number size;According to the bytecode array field and the list length field, determine described virtual Machine performs the position of the function of file and size.
16. devices as claimed in claim 10, it is characterised in that it is described to decompiling unit specifically for using virtual machine File decompiling instrument is performed, is Virtual Machine bytecodes by the virtual machine execution file decompiling.
17. devices as claimed in claim 10, it is characterised in that the acquiring unit is specifically for from intelligent terminal's operation Systematic difference program layer, finds the installation kit of the application program;The installation kit is parsed, the application program is obtained Virtual machine execution file.
18. devices as described in any one of claim 10-17, it is characterised in that the operating system refers to Android system.
CN201310746029.XA 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal Active CN103761475B (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201310746029.XA CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal
PCT/CN2014/083908 WO2015101042A1 (en) 2013-12-30 2014-08-07 Method and device for detecting malicious code in smart terminal
US15/108,927 US9792433B2 (en) 2013-12-30 2014-10-31 Method and device for detecting malicious code in an intelligent terminal
PCT/CN2014/090032 WO2015101096A1 (en) 2013-12-30 2014-10-31 Method and device for detecting malicious code in smart terminal
US15/714,721 US10114946B2 (en) 2013-12-30 2017-09-25 Method and device for detecting malicious code in an intelligent terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310746029.XA CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal

Publications (2)

Publication Number Publication Date
CN103761475A CN103761475A (en) 2014-04-30
CN103761475B true CN103761475B (en) 2017-04-26

Family

ID=50528711

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310746029.XA Active CN103761475B (en) 2013-12-30 2013-12-30 Method and device for detecting malicious code in intelligent terminal

Country Status (2)

Country Link
CN (1) CN103761475B (en)
WO (1) WO2015101042A1 (en)

Families Citing this family (30)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015101096A1 (en) * 2013-12-30 2015-07-09 北京奇虎科技有限公司 Method and device for detecting malicious code in smart terminal
CN103902910B (en) * 2013-12-30 2016-07-13 北京奇虎科技有限公司 Detect method and the device of malicious code in intelligent terminal
CN103761475B (en) * 2013-12-30 2017-04-26 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal
CN104268473B (en) * 2014-09-23 2017-05-24 龙芯中科技术有限公司 Method and device for detecting application programs
CN105653949B (en) * 2014-11-17 2019-06-21 华为技术有限公司 Malware detection method and device
CN104657661B (en) * 2015-01-26 2018-05-22 武汉安天信息技术有限责任公司 The detection method and device of malicious code in mobile terminal
CN105550581B (en) * 2015-12-10 2018-09-25 北京奇虎科技有限公司 Malicious code detection method and device
CN106909841A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Method and device for identifying virus code
CN106909844A (en) * 2015-12-22 2017-06-30 北京奇虎科技有限公司 Classification method and device for application program samples
CN106909839B (en) * 2015-12-22 2020-04-17 北京奇虎科技有限公司 Method and device for extracting sample code features
CN106940771A (en) * 2016-01-04 2017-07-11 阿里巴巴集团控股有限公司 File-based vulnerability detection method and device
EP3433788A4 (en) * 2016-03-25 2019-09-11 Nokia Technologies Oy A hybrid approach of malware detection
CN106682505B (en) * 2016-05-04 2020-06-12 腾讯科技(深圳)有限公司 Virus detection method, terminal, server and system
CN106130959B (en) * 2016-06-12 2019-07-23 微梦创科网络科技(中国)有限公司 Malicious application recognition method and device
CN105978911B (en) * 2016-07-15 2019-05-21 江苏博智软件科技有限公司 Malicious code detection method and device based on virtual execution technology
CN106529294B (en) * 2016-11-15 2019-03-01 广东华仝九方科技有限公司 Method for determining and filtering mobile phone viruses
CN106650426A (en) * 2016-12-09 2017-05-10 哈尔滨安天科技股份有限公司 Method and system for dynamically extracting executable file memory maps
CN108401253B (en) * 2017-02-06 2022-12-27 腾讯科技(深圳)有限公司 Application information identification method, device and system
CN107169355B (en) * 2017-04-28 2020-05-08 北京理工大学 Worm homology analysis method and device
CN113761482A (en) * 2017-06-06 2021-12-07 杭州网易智企科技有限公司 Program code protection method and device
CN108710492B (en) * 2018-04-20 2021-09-07 四川普思科创信息技术有限公司 Method for identifying third-party library in APP program
CN109120593A (en) * 2018-07-12 2019-01-01 南方电网科学研究院有限责任公司 Mobile application safety protection system
CN109492353B (en) * 2018-10-11 2024-04-16 北京奇虎科技有限公司 Application reinforcement method, device, electronic equipment and storage medium
CN110147671B (en) * 2019-05-29 2022-04-29 奇安信科技集团股份有限公司 Method and device for extracting character strings in program
CN112580043B (en) * 2019-09-30 2023-08-01 奇安信安全技术(珠海)有限公司 Virtual machine-based disinfection method and device, storage medium and computer equipment
CN111046385B (en) * 2019-11-22 2022-04-22 北京达佳互联信息技术有限公司 Software type detection method and device, electronic equipment and storage medium
CN111046388B (en) * 2019-12-16 2022-09-13 北京智游网安科技有限公司 Method for identifying third-party SDK in application, intelligent terminal and storage medium
CN111459822B (en) * 2020-04-01 2023-10-03 抖音视界有限公司 Method, device, equipment and readable medium for extracting system component data
CN112364349A (en) * 2020-11-30 2021-02-12 江苏极鼎网络科技有限公司 Cell-phone APP intellectual detection system equipment
CN112817603B (en) * 2021-01-26 2023-06-30 京东科技控股股份有限公司 Application processing method, device, electronic equipment, system and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819697A (en) * 2011-12-26 2012-12-12 哈尔滨安天科技股份有限公司 Method and system for detecting multi-platform malicious codes based on thread decompiling
CN103365699A (en) * 2012-12-21 2013-10-23 北京安天电子设备有限公司 System API and running character string extraction method and system based on APK
CN103440459A (en) * 2013-09-25 2013-12-11 西安交通大学 Function-call-based Android malicious code detection method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103268445B (en) * 2012-12-27 2016-01-13 武汉安天信息技术有限责任公司 Android malicious code detection method and system based on OpCode
CN103473507B (en) * 2013-09-25 2016-03-30 西安交通大学 Android malicious code detection method
CN103473509A (en) * 2013-09-30 2013-12-25 清华大学 Android platform malware automatic detecting method
CN103761475B (en) * 2013-12-30 2017-04-26 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal
CN103761476B (en) * 2013-12-30 2016-11-09 北京奇虎科技有限公司 The method and device of feature extraction
CN103902910B (en) * 2013-12-30 2016-07-13 北京奇虎科技有限公司 Method and device for detecting malicious code in intelligent terminal

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102819697A (en) * 2011-12-26 2012-12-12 哈尔滨安天科技股份有限公司 Method and system for detecting multi-platform malicious codes based on thread decompiling
CN103365699A (en) * 2012-12-21 2013-10-23 北京安天电子设备有限公司 System API and running character string extraction method and system based on APK
CN103440459A (en) * 2013-09-25 2013-12-11 西安交通大学 Function-call-based Android malicious code detection method

Also Published As

Publication number Publication date
WO2015101042A1 (en) 2015-07-09
CN103761475A (en) 2014-04-30

Similar Documents

Publication Publication Date Title
CN103761475B (en) Method and device for detecting malicious code in intelligent terminal
CN103902910B (en) Method and device for detecting malicious code in intelligent terminal
US10114946B2 (en) Method and device for detecting malicious code in an intelligent terminal
Li et al. Rebooting research on detecting repackaged android apps: Literature review and benchmark
Zhang et al. Libid: reliable identification of obfuscated third-party android libraries
Chen et al. Detecting android malware using clone detection
Crussell et al. Andarwin: Scalable detection of android application clones based on semantics
WO2015101097A1 (en) Method and device for feature extraction
CN101438529B (en) Proactive computer malware protection through dynamic translation
Lin et al. Automated forensic analysis of mobile applications on Android devices
Zhang et al. Android application forensics: A survey of obfuscation, obfuscation detection and deobfuscation techniques and their impact on investigations
US9454658B2 (en) Malware detection using feature analysis
Webster et al. Finding the needle: A study of the pe32 rich header and respective malware triage
Martinelli et al. Model checking and machine learning techniques for HummingBad mobile malware detection and mitigation
Li et al. Large-scale third-party library detection in android markets
Naidu et al. A syntactic approach for detecting viral polymorphic malware variants
Akram et al. DroidMD: an efficient and scalable android malware detection approach at source code level
Chen et al. Malware classification using static disassembly and machine learning
Ladisa et al. On the feasibility of cross-language detection of malicious packages in npm and pypi
Guo et al. A survey of obfuscation and deobfuscation techniques in android code protection
Feichtner et al. Obfuscation-resilient code recognition in Android apps
Liu et al. Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components
Gonzalez et al. Measuring code reuse in Android apps
Liu et al. ImageDroid: Using deep learning to efficiently detect Android malware and automatically mark malicious features
US20200012581A1 (en) Method for Semantic Preserving Transform Mutation Discovery and Vetting

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant