CN118427802B - Automatic certificate detection method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN118427802B (application CN202410895953.2A)
- Authority: CN (China)
- Prior art keywords: file, target, credential, application program, program
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/44: Program or device authentication (under G06F21/30, Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F21/51: Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability (under G06F21/50)
- G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/50, Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
All three fall under G06F21/00 (Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity) in G06F, Electric digital data processing; G06, Computing, calculating or counting; G, Physics.
Abstract
The application provides an automatic credential detection method, an automatic credential detection device, electronic equipment and a storage medium, and relates to the technical field of network security. The method comprises the following steps: acquiring a target application program in an installed program list; determining a target program type corresponding to the target application program; determining a preset credential storage area corresponding to the target program type; determining a target folder read by the target application program according to file read-write operations aimed at the preset credential storage area, wherein the target folder is located in the preset credential storage area; and scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as the credential file of the target application program. The application has the effect of improving credential acquisition efficiency.
Description
Technical Field
The application relates to the technical field of network security, in particular to an automatic credential detection method, an automatic credential detection device, electronic equipment and a storage medium.
Background
In the present internet age, live network security attack and defense exercises are a critical task; attack and defense exercises are generally exercise activities that simulate attack and defense behaviors in an actual network environment. These exercises aim to test the security measures of an organization, identify potential security risks, and train security teams to deal with various threats and attacks. In an attack and defense exercise, after the red party (the simulated attacker) takes over an intranet machine, intranet information collection is a crucial step. Intranet information collection refers to the acquisition and analysis of information within a target network, including but not limited to network topology, host information, services and applications, user credential information, and the like. By collecting this information, the red party can better understand the structure and composition of the target network, and thereby perform penetration testing or simulated attacks more effectively.
The collection of credential information is particularly important in intranet information collection. The credential information includes authentication information such as a user name, password, token, etc., and is a key credential for accessing the target system and service. By acquiring the effective credential information, the red party can easily acquire the access rights to the target system and data, thereby implementing deeper simulation attacks such as lateral movement, data retrieval, and the like.
However, conventional credential collection techniques suffer from a number of significant drawbacks. Credential information may be stored in many different locations, including configuration files, databases, the registry, memory, and the like, and the red party needs to adopt a different collection method for each storage mode, which increases the complexity and difficulty of credential collection. As a result, a significant amount of time is required to search for valid credential information, which reduces the efficiency of red team penetration.
In this context, it is particularly important to develop a credential collection system that enables automated and efficient credential collection. For an application program whose credential collection method has not yet been learned, an existing credential collection system cannot automatically identify the application program: whether a related program exists must be checked manually, and once its existence is confirmed, the credentials of the program must be collected manually. Only then does the credential collection system learn the credential collection method of the application. The process of manually collecting credentials consumes a lot of time, resulting in inefficient attack and defense exercises. Thus, a need exists for a method to increase the efficiency of credential acquisition.
Disclosure of Invention
The application provides an automatic credential detection method, an automatic credential detection device, electronic equipment and a storage medium, which have the effect of improving credential acquisition efficiency.
In a first aspect of the application, there is provided an automated credential detection method, the method comprising:
acquiring a target application program in an installed program list;
determining a target program type corresponding to the target application program;
determining a preset credential storage area corresponding to the target program type;
determining a target folder read by the target application program according to file read-write operations aimed at the preset credential storage area, wherein the target folder is located in the preset credential storage area;
and scanning the target folder, querying a target file meeting preset conditions, and outputting the target file as a credential file of the target application program.
By adopting the technical scheme, the credential storage areas of application programs are predefined and centrally managed, file read-write activity in those areas is systematically monitored, and the target folder is automatically scanned for credential files meeting specific conditions, so that credential acquisition efficiency is remarkably improved. Firstly, according to the target program type of the target application program, the possible preset credential storage area of that program type is found. The preset credential storage area is then monitored; if the target application program performs a file read-write operation on the preset credential storage area, it is further determined that the credential file is likely to be stored in that area, and finally only a folder in the preset credential storage area needs to be scanned to find the credential file. This avoids the traditional carpet search of many uncertain locations, makes credential collection more direct and efficient, reduces the mistakes and time consumption of manual operations, and ensures the accuracy and security of credential management. Through an automated process, the credential file can be quickly identified and verified, so that the overall efficiency of security testing and application program configuration is improved.
Optionally, the determining the type of the target program corresponding to the target application program specifically includes:
querying a first execution file, a first configuration file and a first resource file of the target application program;
querying at least one of a second execution file, a second configuration file and a second resource file of a first application program, wherein the first application program is any one of a plurality of pre-stored application programs in a preset database, and the first application program corresponds to the target program type;
if it is determined that the first execution file contains the same key information as the second execution file, determining that the target application program corresponds to the target program type, wherein the key information comprises the name of the execution file; and/or,
if it is determined that the first configuration file contains the same key data as the second configuration file, determining that the target application program corresponds to the target program type; and/or,
if it is determined that the first resource file contains the same resource data as the second resource file, determining that the target application program corresponds to the target program type.
By adopting the technical scheme, the execution file, configuration file and resource file of the target application program are analyzed in detail and compared with the known application program files in the preset database, so that the specific type of the target application program can be determined effectively. Matching on file name, configuration data and resource content ensures high-precision, high-reliability application identification.
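The following is an added example, not code from the patent, showing the and/or matching just described: an application's execution file name, configuration key data and resource data are compared against a constructed "preset database" of pre-stored applications, and any single match assigns the program type. The program types, file names, keys and resource bytes are all made up; no real product is described. An asset-inventory or endpoint tool uses the same kind of fingerprint to decide which credential-store policy applies to an installed application.

```python
"""Added example (not part of the patent): identify an application's program
type by comparing its execution file name, configuration key data and
resource data against a constructed "preset database" of pre-stored
applications, joined by and/or (any single match is enough). All names and
data here are made up; no real product is described.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppFiles:
    """The three files the patent compares for one application (constructed)."""
    exe_name: str                          # name of the execution file
    config_keys: frozenset = frozenset()   # key data found in the configuration file
    resource_bytes: bytes = b""            # raw resource data (icon, string table, ...)

    def resource_digest(self) -> str:
        # Resource data is compared by hash so the database stores no raw resources.
        return hashlib.sha256(self.resource_bytes).hexdigest()


# Constructed preset database: hypothetical program types, each with one or
# more pre-stored application fingerprints.
KNOWN_APPS = {
    "remote-desktop-tool": [
        AppFiles("rdtool.exe", frozenset({"server_id", "login_token"}), b"RDTOOL-ICON-v1"),
        AppFiles("rdtool-client.exe", frozenset({"server_id", "login_token"}), b"RDTOOL-ICON-v2"),
    ],
    "ftp-client": [
        AppFiles("ftpclient.exe", frozenset({"host", "user", "pass"}), b"FTP-ICON"),
    ],
}


def identify_program_type(target: AppFiles, db=KNOWN_APPS):
    """Return (program_type, matched_on) for the first database entry that
    matches, or (None, None) if no pre-stored application matches.

    The three tests follow the patent's and/or clause:
      1. same execution file name (case-insensitive, as on Windows),
      2. same key data in the configuration file (all known keys present),
      3. same resource data (compared by SHA-256 digest).
    """
    for program_type, known_apps in db.items():
        for known in known_apps:
            if target.exe_name.lower() == known.exe_name.lower():
                return program_type, "execution file name"
            if known.config_keys and known.config_keys <= target.config_keys:
                return program_type, "configuration key data"
            if target.resource_bytes and target.resource_digest() == known.resource_digest():
                return program_type, "resource data"
    return None, None
```

The or-branches matter in practice: an executable that has been renamed still matches on its configuration keys or resource data, and an application matching none of the three returns (None, None) rather than a guess.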
Optionally, the determining the preset credential storage area corresponding to the target program type specifically includes:
determining a first application program and a second application program corresponding to the target program type, wherein the first application program and the second application program are any two of a plurality of pre-stored application programs in a preset database;
acquiring a first credential storage path of the first application program and a second credential storage path of the second application program;
extracting a common storage path of the first credential storage path and the second credential storage path;
and setting the folder corresponding to the common storage path as the preset credential storage area.
By adopting the technical scheme, the credential storage paths of the two selected application programs in the preset database are analyzed and compared, so that the common part of the paths is effectively extracted and set as the preset credential storage area, the subsequent credential detection range is reduced, and the detection efficiency is improved.
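An added example, not code from the patent, of extracting the common storage path. It generalises the step from two paths to any number, compares whole path components case-insensitively as Windows does, and treats two edge cases the text leaves open: paths that share nothing (different drives) and paths that share only the drive root, both of which yield no usable storage area. The paths are constructed, and %APPDATA% is kept as a literal placeholder so the resulting area applies to any user profile.

```python
"""Added example (not part of the patent): derive the preset credential storage
area as the common prefix of the credential storage paths of the pre-stored
applications of one program type. Generalised from two paths to any number;
all sample paths are constructed.
"""
from pathlib import PureWindowsPath


def common_storage_path(*paths: str):
    """Return the longest common directory of the given Windows paths, or None.

    None means the program type yields no usable storage area: either the
    paths share no component at all (e.g. different drives) or they share
    only the drive root, which would make the whole drive the "area".
    """
    if not paths:
        return None
    parts = [PureWindowsPath(p).parts for p in paths]
    common = []
    for components in zip(*parts):        # zip stops at the shortest path
        first = components[0]
        if all(c.lower() == first.lower() for c in components[1:]):
            common.append(first)
        else:
            break
    if not common:
        return None
    if len(common) == 1 and common[0].endswith(":\\"):
        return None                       # only the drive root is shared
    return str(PureWindowsPath(*common))
```

Because comparison is by component rather than by character, `RDTool` and `RDToolbox` do not produce a bogus common prefix, and the returned area is always a real directory on the path of every input.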
Optionally, the acquiring the target application program in the installed program list specifically includes:
querying Windows Installer and the registry to obtain an installer list, wherein the installer list comprises a plurality of installers;
acquiring a process list of running programs;
combining the installer list with the process list to obtain an installed program list, wherein the installed program list comprises a plurality of installed application programs;
searching a detected list according to the name of each installed application program, and determining a target application program which has not been subjected to credential detection, wherein the detected list comprises a plurality of application programs that have been subjected to credential detection.
By adopting the technical scheme, a comprehensive installer list is obtained by querying both Windows Installer and the registry, and it is combined with the process list of currently running programs to create a more complete list of installed application programs. Then, by comparing this list with a detected list (containing the applications that have already undergone credential detection), the applications that have not yet undergone credential detection are effectively identified. The method can markedly improve the coverage and security of credential management, and ensure that all key applications pass credential security detection.
Optionally, the determining, according to the file read-write operation for the preset credential storage area, the target folder read by the target application program specifically includes:
capturing a plurality of file read-write operations on a file system in real time;
determining a first file corresponding to each file read-write operation;
determining second files among the plurality of first files according to the file storage paths of the first files, wherein the file storage path of the folder corresponding to each second file comprises the common storage path;
and determining the target folder storing the second file according to the file storage path of the second file.
By adopting the technical scheme, read-write operations on the file system are monitored in real time to track the actual access behavior of the application program to files, so that the accessed files and their storage paths are accurately determined. Operations on files are first captured, then the folders associated with the preset credential storage area are identified by analyzing the storage paths of those files, and from these the target folders where credential data may be present are determined.
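An added example, not code from the patent, of the filtering step just described: captured file read-write events are reduced to those whose path lies inside the preset credential storage area, and the folders the monitored application actually touched are reported. The event lines are constructed in a simple "<process>|<operation>|<path>" shape and come from no real monitoring tool; the storage area and process names are likewise made up. The same containment test is what a file-access audit rule uses from the defender's side to alert when a process other than the owning application reads the credential store, so that view is included too.

```python
"""Added example (not part of the patent): filter captured file read-write
events down to those inside a preset credential storage area and report the
folders the monitored application touched. Events, area and process names
are all constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed events; the fifth line deliberately differs only in letter case,
# and the third is a look-alike folder (RDToolX) that lies outside the area.
SAMPLE_EVENTS = r"""
rdtool.exe|READ|C:\Users\alice\AppData\Roaming\RDTool\config\login.dat
rdtool.exe|WRITE|C:\Users\alice\AppData\Roaming\RDTool\profiles\user.ini
rdtool.exe|READ|C:\Users\alice\AppData\Roaming\RDToolX\cache\blob
other.exe|READ|C:\Users\alice\AppData\Roaming\RDTool\config\login.dat
rdtool.exe|READ|c:\users\alice\appdata\roaming\rdtool\config\hosts.dat
notepad.exe|READ|C:\Users\alice\Documents\notes.txt
"""

# Constructed preset credential storage area (the common storage path).
STORAGE_AREA = r"C:\Users\alice\AppData\Roaming\RDTool"


def parse_events(text):
    """Turn the constructed log text into (process, operation, path) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            process, op, path = line.strip().split("|", 2)
            events.append((process, op, path))
    return events


def is_inside(path, area):
    """Component-wise, case-insensitive check that `path` lies under `area`.

    A plain string-prefix test would wrongly accept the RDToolX folder as
    lying under RDTool, so whole path components are compared instead.
    """
    p = [c.lower() for c in PureWindowsPath(path).parts]
    a = [c.lower() for c in PureWindowsPath(area).parts]
    return len(p) > len(a) and p[:len(a)] == a


def target_folders(events, area, process_name):
    """Folders (lower-cased) inside `area` that `process_name` read or wrote,
    mapped to the sorted list of operations seen on files in that folder."""
    folders = defaultdict(set)
    for process, op, path in events:
        if process.lower() == process_name.lower() and is_inside(path, area):
            folders[str(PureWindowsPath(path).parent).lower()].add(op)
    return {folder: sorted(ops) for folder, ops in folders.items()}


def unexpected_readers(events, area, owner_process):
    """Defender view: other processes that touched files inside the area."""
    return sorted({process for process, _op, path in events
                   if process.lower() != owner_process.lower() and is_inside(path, area)})
```

Folder keys are lower-cased so that the two spellings of the config folder in the sample collapse to one entry, which is how Windows itself treats them.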
Optionally, the scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as a credential file of the target application program specifically includes:
determining a first file type of a first credential file and a second file type of a second credential file, wherein the first credential file is a credential file of the first application program, and the second credential file is a credential file of the second application program;
acquiring a plurality of scanned files contained in the scanned target folder;
and if the file type of a scanned file is determined to be the same as the first file type, or the file type of the scanned file is determined to be the same as the second file type, determining that scanned file to be the target file.
By adopting the technical scheme, file types are systematically determined and compared, so that the credential files belonging to the specific application program in the specific target folder are effectively identified and confirmed. Firstly the types of the credential files are defined, then the specific folder is scanned to obtain a file list, and finally the files that match the preset credential file types are accurately identified by comparing file types.
Optionally, after scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as a credential file of the target application program, the method further includes:
reading first data content of the target file;
extracting a credential field meeting a preset format from the first data content;
acquiring a local file of the target application program;
reading second data content of the local file;
determining an encrypted field meeting the preset format from the second data content;
and replacing the encrypted field with the credential field, judging whether the target application program can complete the credential authentication operation, and if it is determined that the target application program completes the credential authentication operation, determining that the target file is the credential file of the target application program.
By adopting the technical scheme, the data content of the target file is read and the credential fields conforming to the preset format are extracted from it; these fields are then compared with the encrypted fields in the local file of the target application program and substituted for them, and whether the application program authenticates successfully with the substituted credential is tested. Because only the correct credential file can pass the authentication of the application program, this completes the verification of the acquired credential file.
In a second aspect of the present application, an automated credential detection device is provided, the device comprising an acquisition module, an identification module, a determination module, and a scanning module, wherein:
the acquisition module is used for acquiring a target application program in the installed program list;
the identification module is used for determining a target program type corresponding to the target application program;
the judging module is used for determining a preset credential storage area corresponding to the target program type;
The judging module is used for determining a target folder read by the target application program according to file read-write operation aiming at the preset credential storage area, wherein the target folder is positioned in the preset credential storage area;
and the scanning module is used for scanning the target folder, querying the target file meeting the preset condition, and outputting the target file as the credential file of the target application program.
Optionally, the acquiring module is configured to query a first execution file, a first configuration file, and a first resource file of the target application program;
The identification module is used for inquiring at least one of a second execution file, a second configuration file and a second resource file of a first application program, wherein the first application program is any one of a plurality of pre-stored application programs in a preset database, and the first application program corresponds to the type of the target program;
The judging module is configured to determine that the target application program corresponds to the target program type if it is determined that the first execution file contains the same key information as the second execution file, where the key information includes an execution file name; and/or,
The judging module is configured to determine that the target application program corresponds to the target program type if it is determined that the first configuration file contains the same key data as the second configuration file; and/or,
And the judging module is used for determining that the target application program corresponds to the target program type if the first resource file contains the same resource data as the second resource file.
Optionally, the identification module is configured to determine a first application program and a second application program corresponding to the target program type, where the first application program and the second application program are any two pre-stored application programs in a plurality of pre-stored application programs in a preset database;
The acquisition module is used for acquiring a first credential storage path of the first application program and acquiring a second credential storage path of the second application program;
The acquisition module is used for extracting a common storage path of the first credential storage path and the second credential storage path;
the judging module is used for setting the folder corresponding to the common storage path as the preset credential storage area.
Optionally, the obtaining module is configured to query Windows Installer and the registry to obtain an installer list, where the installer list includes a plurality of installers;
the acquisition module is used for acquiring a process list of the running program;
the scanning module is used for combining the installer list and the process list to obtain an installed program list, wherein the installed program list comprises a plurality of installed application programs;
and the scanning module is used for searching a detected list according to the name of each installed application program and determining a target application program which has not been subjected to credential detection, wherein the detected list comprises a plurality of application programs that have been subjected to credential detection.
Optionally, the acquiring module is configured to capture, in real time, a plurality of file read-write operations for a file system;
the judging module is used for determining a first file corresponding to each file read-write operation;
the judging module is used for determining second files among the plurality of first files according to the file storage paths of the first files, wherein the file storage paths of the folders corresponding to the second files comprise the common storage path;
And the judging module is used for determining the target folder for storing the second file according to the file storage path of the second file.
Optionally, the identification module is configured to determine a first file type of a first credential file and a second file type of a second credential file, where the first credential file is a credential file of the first application program, and the second credential file is a credential file of the second application program;
the acquisition module is used for acquiring a plurality of scanned files contained in the scanned target folder;
The judging module is configured to determine that the scanned file is the target file if it is determined that the file type of the scanned file is the same as the first file type, or if it is determined that the file type of the scanned file is the same as the second file type.
Optionally, the identification module is configured to read a first data content of the target file;
the identification module is used for extracting a credential field meeting a preset format from the first data content;
the acquisition module is used for acquiring the local file of the target application program;
The acquisition module is used for reading the second data content of the local file;
the judging module is used for determining an encrypted field meeting the preset format from the second data content;
the judging module is used for replacing the encrypted field with the credential field and judging whether the target application program can complete the credential authentication operation, and if so, determining that the target file is the credential file of the target application program.
In a third aspect the application provides an electronic device comprising a processor, a memory for storing instructions, a user interface and a network interface, both for communicating with other devices, the processor being for executing instructions stored in the memory to cause the electronic device to perform a method as claimed in any one of the preceding claims.
In a fourth aspect of the application there is provided a computer readable storage medium storing instructions which, when executed, perform a method as claimed in any one of the preceding claims.
In summary, one or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
By predefining and centrally managing the credential storage areas of application programs, systematically monitoring file read-write activity in these areas, and automatically scanning the target folder for credential files meeting specific conditions, credential acquisition efficiency is significantly improved. Firstly, according to the target program type of the target application program, the possible preset credential storage area of that program type is found. The preset credential storage area is then monitored; if the target application program performs a file read-write operation on it, it is further determined that the credential file is likely to be stored in that area, and finally only a folder in the preset credential storage area needs to be scanned to find the credential file. This avoids the traditional carpet search of many uncertain locations, makes credential collection more direct and efficient, reduces the mistakes and time consumption of manual operations, and ensures the accuracy and security of credential management. Through an automated process, the credential file can be quickly identified and verified, so that the overall efficiency of security testing and application program configuration is improved.
Drawings
FIG. 1 is a flow chart of an automated credential detection method disclosed in an embodiment of the present application;
FIG. 2 is a block diagram of an automated credential detection device according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Reference numerals illustrate: 201. an acquisition module; 202. an identification module; 203. a judging module; 204. a scanning module; 301. a processor; 302. a communication bus; 303. a user interface; 304. a network interface; 305. a memory.
Detailed Description
In order that those skilled in the art will better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments.
In describing embodiments of the present application, words such as "for example" or "such as" are used to mean serving as an example, illustration, or description. Any embodiment or design described herein as "such as" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "for example" is intended to present related concepts in a concrete fashion.
In the description of embodiments of the application, the term "plurality" means two or more. For example, a plurality of systems means two or more systems, and a plurality of screen terminals means two or more screen terminals. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating an indicated technical feature. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
In the present internet age, live network security attack and defense exercises are of great importance, especially the intranet information collection stage of an exercise, which includes the acquisition of key user credential information. This information is the basis for carrying out deeper network attacks. However, conventional credential collection methods are complex and inefficient because of the many storage schemes involved. Therefore, it is important to develop a system capable of collecting credentials automatically and efficiently, so as to improve the penetration efficiency of the red team in network attack and defense exercises and thereby improve the effect of the exercises.
The embodiment discloses an automatic credential detection method, referring to fig. 1, comprising the following steps:
S110, acquiring a target application program in the installed program list.
The embodiment of the application discloses an automatic credential detection method applied to a server, wherein the server is a test computer used for attack and defense exercises; private data such as credential data is all data prepared for the exercise (for example, the user names and passwords are all created temporarily for it), and the server is fully granted the right to read the data in order to complete the attack and defense exercise.
The credential information includes authentication information such as a user name, password, token, etc., and is the key credential for accessing the system and services of the server. Before detecting the credential information of an application, the applications installed on the server must be identified. Normally a user only needs to enter the name of the program or process being searched for as a parameter; the installed programs and processes of the server are then traversed automatically to detect whether the program being searched for exists, after which the server marks the application programs that exist and records their installation locations, so as to make the subsequent credential search easier and more efficient.
In one possible implementation, acquiring the target application program in the installed program list specifically includes: querying Windows Installer and the registry to obtain an installer list, wherein the installer list comprises a plurality of installers; acquiring a process list of running programs; combining the installer list and the process list to obtain an installed program list, wherein the installed program list comprises a plurality of installed application programs; and searching a detected list according to the name of each installed application program to determine the target application program which has not undergone credential detection, wherein the detected list comprises a plurality of application programs which have undergone credential detection.
Specifically, in Windows systems, installed application information is typically stored in the Windows Installer database and the Windows registry. Windows Installer (MSI) maintains a database containing information about all applications installed by MSI on the server; the programs installed by Windows Installer are acquired first. In addition to MSI-installed applications, many programs may be installed by other installer programs (e.g., EXE installers). Their information is typically stored in the registry of the server and can be obtained by directly reading the related registry paths, for example HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall. Each sub-key under these paths typically represents an installed program and contains information such as the program's name, installation path and version. The DisplayName value under Uninstall in the registry is queried to obtain the name of each installed program. Finally the arrays of returned installer names are merged without duplicates to obtain an installer list containing a plurality of installers.
Meanwhile, the currently running process list is acquired using the PowerShell Get-Process command. The Get-Process command obtains information about the processes currently running in the system: it lists all running processes and provides details about each, such as the process ID (PID), name, memory usage, CPU usage, etc. The programs running on the server can be determined from this process information, so a process list containing a plurality of running programs is output.
The installer list obtained from Windows Installer and registry is compared and merged with the process list. Matching may be performed according to attributes such as the name of the program, executable file path, and the like. The result of the merge is a list that contains all installed and possibly running applications. This list more fully reflects the application state on the server. The combined list is an installed program list, which includes a plurality of installed applications.
A detected list is maintained, the application program which has been subjected to the credential detection is recorded, the detected list comprises the application program which has been subjected to the automatic credential detection and the manual credential detection, and the detected list also comprises a credential detection method, the credential storage position information and the like. By comparing the installed list with the detected list, applications that have not been credential detected can be screened out by looking for entries that are in the installed list but not in the detected list. And after comparison, screening out application programs which are not subjected to credential detection, and outputting the application programs so as to carry out subsequent automatic credential detection.
S120, determining the type of the target program corresponding to the target application program.
In one possible implementation manner, determining the target program type corresponding to the target application program specifically includes: querying a first execution file, a first configuration file and a first resource file of the target application program; querying at least one of a second execution file, a second configuration file and a second resource file of a first application program, wherein the first application program is any one of a plurality of application programs pre-stored in a preset database, and the first application program corresponds to the target program type; if the first execution file is determined to contain the same key information as the second execution file, determining that the target application program corresponds to the target program type, wherein the key information comprises the naming of the execution files; and/or if the first configuration file is determined to contain the same key data as the second configuration file, determining that the target application program corresponds to the target program type; and/or if the first resource file is determined to contain the same resource data as the second resource file, determining that the target application program corresponds to the target program type.
In particular, credential information may be stored in a variety of different locations, including configuration files, databases, the registry, memory, etc., and different storage modes require different collection methods. However, the credential storage locations of some applications follow regular patterns; in particular, the credentials of some applications of the same type are stored under the same top-level folder. For example, for remote control type applications such as ToDesk and Sunflower (SunLogin), the credential information of ToDesk is located in its configuration file, the path of which is config.ini under the installation directory, while the installation path of ToDesk is typically "C:\Program Files\ToDesk\". For Sunflower, the credential information of versions with a version number lower than 11.1.2.38529 is stored in a configuration file: both the local identification code and the verification code are in the config.ini configuration file, whose specific path is "C:\Program Files\Oray\SunLogin\SunloginClient\config.ini". Therefore, the credential information of both lies under the folder "C:\Program Files\".
Thus, for a target application program on which credential detection has not been performed, no credential acquisition method for it is stored in the server. To improve the efficiency of credential detection, the program type of the target application program is identified first; then the credential-detected application programs belonging to the same type as the target application program are found, and the credential information of the target application program is detected by attempting the credential detection methods corresponding to those credential-detected application programs.
The automatic credential detection method disclosed by the embodiment of the application is preferably used for detecting credentials of remote control type application programs. Remote control type applications are applications that allow a user to control another computer or device from one location (typically a remote location) over a network. Remote control type programs are commonly used for remote access and management of computers or network devices, and therefore need to store certain critical user credential information to ensure security and functionality. The type of such credential information may vary from one remote control product to another, but typically includes user names and passwords, API keys or tokens, digital certificates (both client and server certificates), and the like.
For unknown applications, determining the purpose of a program from its local files involves analyzing file type, content and structure. Such analysis may reveal the functionality of the program, its target users, and how it interacts with the operating system or other application programs, and the purpose in turn reveals the application type. In Windows systems, for example, the program's entries in the registry can be analyzed; these may be associated with the start-up of the program, service configuration, or system-level integration. A program with system-level integration such as service installation, start-up with the system, or scheduled tasks typically belongs to a system management, monitoring or security-related category.
For a target application, there are various methods for judging whether it belongs to a target program type (preferably a remote control type) or not.
The first method identifies the type by the executable file (first execution file) of the target application. Related data of a plurality of application programs of different types are stored in the preset database: a user manually classifies the application programs by type, and after classification the classification information and related data of each application program are stored in the preset database, where the related data include the execution file, the configuration file, the resource file and the like.
The server queries the preset database for the plurality of pre-stored application programs corresponding to the target program type; any one of these pre-stored application programs is taken as the first application program for illustration, and it corresponds to the target program type. The first execution file of the target application program and the second execution file of the first application program are queried, the key information of the first execution file is compared with the key information of the second execution file, and if the first execution file contains the same key information as the second execution file, the target application program is determined to correspond to the target program type.
For remote control type applications, the executable is the main execution portion of a software program specifically designed to allow a user to control another computer or device from one location (typically a remote location). The executable file contains all the code and resources needed to realize the remote control function and allows screen sharing, file transfer, command execution and other operations to be performed. By looking up executable file names associated with remote desktop, remote access or network communication, such as file names containing "remote", "vnc", "rdp", "ssh" and similar keywords (the key information being file names that contain such keywords), it can be determined whether the application is a remote control type application.
The second method identifies the type by the configuration file (first configuration file) of the target application. For remote control type applications, the configuration file contains the settings and parameters needed for a remote connection to be established successfully and run securely. The configuration file of such an application contains key data such as remote server addresses, port numbers and network configuration options, which are typically preset by the remote control software or configurable by the user. The first configuration file of the target application program and the second configuration file of the first application program are queried, the key data of the first configuration file are compared with the key data of the second configuration file, and if the first configuration file contains the same key data as the second configuration file, the target application program is determined to correspond to the target program type.
The third method identifies the type by the resource file (first resource file) of the target application. For remote control type applications, the resource files mainly comprise the files supporting their functions and user interfaces, such as graphical user interface resources like icon files, typically the button and toolbar icons used in the application interface, for example .ico and .png files with icons representing connect, disconnect, settings and similar operations. The UI resource file of the target application is analyzed to see whether it contains graphical interface elements (resource data) related to remote control, such as "connect", "disconnect" or "remote desktop" buttons or tabs. The first resource file of the target application program and the second resource file of the first application program are queried, the resource data of the first resource file are compared with the resource data of the second resource file, and if the first resource file is determined to contain the same resource data as the second resource file, the target application program is determined to correspond to the target program type.
The three identification methods can be implemented alternatively to determine whether the target application program corresponds to the target program type, i.e. if the first execution file is determined to contain the same key information as the second execution file, the target application program is determined to correspond to the target program type; or if the first configuration file is determined to contain the same key data as the second configuration file, the target application program is determined to correspond to the target program type; or if the first resource file is determined to contain the same key data as the second resource file, the target application program is determined to correspond to the target program type.
Alternatively, the three identification methods are implemented in parallel to judge whether the target application program corresponds to the target program type: if the first execution file is determined to contain the same key information as the second execution file, the first configuration file is determined to contain the same key data as the second configuration file, and the first resource file is determined to contain the same key data as the second resource file, the target application program is determined to correspond to the target program type. When the first execution file is determined not to contain the same key information as the second execution file, or the first configuration file is determined not to contain the same key data as the second configuration file, or the first resource file is determined not to contain the same key data as the second resource file, the target application program is determined not to correspond to the target program type.
S130, determining a preset credential storage area corresponding to the target program type.
In a possible implementation manner, determining a preset credential storage area corresponding to the target program type specifically includes: determining a first application program and a second application program corresponding to the target program type, wherein the first application program and the second application program are any two pre-stored application programs in a plurality of pre-stored application programs in a preset database; acquiring a first credential storage path of a first application program and acquiring a second credential storage path of a second application program; extracting a common storage path of the first credential storage path and the second credential storage path; and setting the folder corresponding to the common storage path as a preset credential storage area.
Specifically, for an application program in the preset database, that is, an application program in the detected list, its credential storage path is stored; a credential storage path item can be added to the detected list for this purpose. As mentioned earlier, the credential storage paths of applications of the same program type may coincide. The identical part of the storage paths of the credential-detected application programs of the same type is extracted and used to determine a storage area that narrows the subsequent credential detection range for application programs of that type, thereby improving efficiency. For example, ToDesk and Sunflower both belong to the remote control type; the credential storage path of ToDesk is "C:\Program Files\ToDesk\……" and the credential storage path of Sunflower is "C:\Program Files\Oray\SunLogin\……", so the common storage path of both is "C:\Program Files", and the Program Files folder on the C: drive is the credential storage area for subsequent remote control type application programs.
In addition, the installation paths of the application programs whose credentials have already been determined must be collected in advance in order to obtain the final credential storage path. The installation location of such an application program is searched by the Get-instrument Location function, which returns the installation location; the Split-instrument Location function is then called to clean the data into a uniform format, and finally a key-value pair of program name and installation location is formed. The search function examines the UninstallString items at the registry location and determines the installation location of the program by comparing keywords.
After the installation location is acquired, the path must be put into a uniform format: single and double quotation marks are removed, the name of the uninstaller program is removed, runs of several backslashes are merged, and the processed path is returned. For example, the uninstall path of the "Sunflower" application obtained from the registry is D:\SunLogin\SunloginClient\SunloginClient.exe -mod=uninstall, which after processing becomes D:\SunLogin\SunloginClient\. Or, if the ToDesk file path contains double quotation marks, "D:\ToDesk\uninst.exe", it becomes D:\ToDesk\ after processing; the various forms of path are handled uniformly by the function.
Although the credentials may be stored in a subfolder of the folder that the path corresponds to, only a common storage path is needed to construct the credential storage area, so the deeper path components need not be collected, and the installation path may be set directly as the credential storage path. However, if the credentials are not stored in the folder corresponding to the installation path, the credential storage path is determined according to the actual storage location.
After the target application program has been judged to belong to the target program type, the plurality of pre-stored application programs corresponding to the target program type are invoked, and the credential storage paths of those pre-stored application programs are used. The components of each path are compared starting from the root directory and proceeding one directory level at a time; the root directory is typically designated by a drive letter, such as "C:\". The comparison continues downward as long as the directory names are the same, and stops as soon as a directory mismatch is found for one of the credential storage paths. All matched parts are combined to form the longest common path, which is the common storage path. If all paths already differ at the root directory, the common storage path is empty; if there is a common portion, that portion is returned as the result.
Taking as an example a first application program and a second application program, which are any two of the plurality of pre-stored application programs in the preset database and both correspond to the target program type: the first credential storage path of the first application program, "C:\A\D\E\G", and the second credential storage path of the second application program, "C:\A\D\F\G", are obtained. The comparison starts from the root directory: since the root directories of both are "C:\", it is recorded. The second-level directories are both "A\" and are recorded. The third-level directories are both "D\" and are recorded. The fourth-level directory of the first credential storage path is "E\" while that of the second credential storage path is "F\"; these differ, so the comparison stops and the common storage path "C:\A\D\" is output. In the server, the common storage path corresponds to a folder, and that folder is the preset credential storage area.
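The S130 procedure carried through in Python as an added example (not code from the patent): the registry UninstallString cleanup described above, followed by the component-by-component common-path extraction, with the "C:\A\D\E\G" versus "C:\A\D\F\G" case and constructed ToDesk/Sunflower-style paths as inputs. The function names and all sample paths are assumptions made for this example.

```python
import re
from typing import Iterable

# Matches the uninstaller executable name so that its trailing arguments can be cut off.
_EXE_RE = re.compile(r'\.exe\b', re.IGNORECASE)


def normalize_install_path(uninstall_string: str) -> str:
    """Reduce a registry UninstallString value to the installation directory.

    Constructed inputs and the results the cleanup yields:
      D:\\SunLogin\\SunloginClient\\SunloginClient.exe -mod=uninstall
          -> D:\\SunLogin\\SunloginClient\\
      "D:\\ToDesk\\uninst.exe"  -> D:\\ToDesk\\
    Returns "" when no directory component can be recovered (e.g. a bare MsiExec call).
    """
    s = uninstall_string.strip()
    # 1. Drop the arguments that follow the executable, if any.
    m = _EXE_RE.search(s)
    if m:
        s = s[:m.end()]
    # 2. Remove single and double quotation marks.
    s = s.replace('"', '').replace("'", '').strip()
    # 3. Remove the uninstaller file name: keep everything up to the last backslash.
    idx = s.rfind('\\')
    if idx == -1:
        return ''
    s = s[:idx + 1]
    # 4. Merge runs of backslashes into a single one.
    return re.sub(r'\\+', r'\\', s)


def _components(path: str) -> list:
    """Split a Windows path into its components ("C:\\A\\D" -> ["C:", "A", "D"])."""
    return [c for c in path.strip().split('\\') if c]


def common_storage_path(paths: Iterable[str]) -> str:
    """Longest common directory prefix of several credential storage paths.

    Components are compared from the root (drive letter) downwards, case-insensitively
    as NTFS does, and the comparison stops at the first mismatch. Returns "" when the
    paths already differ at the root, otherwise the prefix with a trailing backslash,
    spelled as in the first path.
    """
    split = [_components(p) for p in paths]
    if not split or any(not s for s in split):
        return ''
    common = []
    for depth, name in enumerate(split[0]):
        if all(len(s) > depth and s[depth].lower() == name.lower() for s in split[1:]):
            common.append(name)
        else:
            break
    return '\\'.join(common) + '\\' if common else ''


def credential_storage_area(uninstall_strings: Iterable[str]) -> str:
    """S130 end to end: the cleaned installation paths serve as the credential storage
    paths (the text allows this when no more specific location is recorded), and their
    common prefix is the preset credential storage area."""
    return common_storage_path(normalize_install_path(u) for u in uninstall_strings)


if __name__ == '__main__':
    # Constructed paths mirroring the C:\A\D\E\G versus C:\A\D\F\G illustration.
    print(common_storage_path(['C:\\A\\D\\E\\G', 'C:\\A\\D\\F\\G']))  # C:\A\D\
    print(credential_storage_area([
        '"C:\\Program Files\\ToDesk\\uninst.exe"',
        'C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\SunloginClient.exe -mod=uninstall',
    ]))  # C:\Program Files\
```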
S140, determining a target folder read by the target application program according to target read-write operation aiming at a preset credential storage area.
In one possible implementation manner, detecting the target read-write operation for the preset credential storage area specifically includes: capturing a plurality of file read-write operations aiming at a file system in real time; determining a first file corresponding to each file read-write operation; determining a second file in the plurality of first files, and determining file read-write operation for the second file as target read-write operation, wherein a file storage path of the second file comprises a common storage path.
Specifically, after the possible credential storage area (preset credential storage area) of the target application is acquired, in order to further reduce the detection range, a more specific credential storage location is found. Credential authentication operations may be performed at the target application, including registering an account, logging in an account, and the like. When a user registers or logs in to his own account with a target application and selects "remember account" or "auto login", the target application will typically store credential information, including account and password, locally. Thus, when the subsequent user logs in, the target application program can call local credential information, thereby realizing automatic login.
Based on this principle, by performing credential authentication operations such as login or registration on the target application program, read-write operations on the credential file are triggered; once these operations have been captured by monitoring, the range to be searched for the credential can be narrowed further.
The preset credential storage area is acquired to improve the efficiency of finding the target folder. A server typically contains a very large number of folders and many applications. If the files under all drive letters of the whole server are monitored, the amount of monitoring is large; if instead all file read-write operations of the target application program are monitored, accuracy is low and it is not possible to monitor all of them completely. Therefore, a preset credential storage area of smaller scope is screened out from the large number of folders on the server and only that area is monitored, which effectively reduces the amount of monitoring and improves monitoring efficiency.
In Windows systems, file operation events, including creation, reading, modification, deletion, etc., may be captured using tools such as the FileSystemWatcher class or Sysinternals Process Monitor. The log file is parsed using scripts or automation tools to extract file information from the captured events, including file name, type of operation, time of operation, operator, and the like.
By monitoring the captured events, detailed information about the operated file (the first file), including its file name and complete path, can be obtained directly. The second files are then screened out from the plurality of first files, specifically according to the file storage path of each first file. When the storage path of a first file includes the above-mentioned common storage path, the first file is located in the preset credential storage area; the first file may itself be a credential file, or the folder storing it may store the credential file, so the first file is determined to be a second file. The folder storing the second file is the target folder, which is subsequently used for detecting the credential information.
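The S140 screening step run over a few constructed file-operation log lines, as an added example that is not part of the patent: events are kept as target read-write operations only when they come from the target application and the file path lies inside the preset credential storage area, and the folders of those files are the candidate target folders. The "<time>,<process>,<operation>,<path>" layout, the process name RemoteToolX.exe, the paths and the operation names are all constructed assumptions for this example.

```python
from collections import Counter
from typing import Iterator
import ntpath

# Constructed sample events (simplified Process Monitor style); nothing here is real data.
SAMPLE_LOG = """\
09:12:01.100,RemoteToolX.exe,ReadFile,C:\\Program Files\\RemoteToolX\\settings.ini
09:12:01.105,RemoteToolX.exe,WriteFile,C:\\Program Files\\RemoteToolX\\settings.ini
09:12:01.300,RemoteToolX.exe,ReadFile,C:\\Users\\tester\\AppData\\Local\\Temp\\tmp1.log
09:12:02.010,explorer.exe,ReadFile,C:\\Program Files\\RemoteToolX\\settings.ini
09:12:02.500,RemoteToolX.exe,CreateFile,C:\\Program Files\\RemoteToolX\\data\\session.db
09:12:03.000,RemoteToolX.exe,QueryInformation,C:\\Windows\\System32\\kernel32.dll
malformed line without enough fields
"""

# File operations treated as credential-relevant read-write activity (assumed set).
READ_WRITE_OPS = {'CreateFile', 'ReadFile', 'WriteFile', 'DeleteFile'}


def parse_events(log_text: str) -> Iterator[dict]:
    """Yield one event per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        # Split into at most four fields so that commas inside the path survive.
        parts = line.strip().split(',', 3)
        if len(parts) != 4:
            continue
        time, process, operation, path = parts
        yield {'time': time, 'process': process, 'operation': operation, 'path': path}


def is_under(path: str, area: str) -> bool:
    """True when the file path lies inside the directory area (NTFS-style, case-insensitive).

    Both sides are normalised with ntpath so that '/' separators, redundant '..' parts
    and letter case do not defeat the comparison, and the area gets a trailing
    backslash so that 'C:\\Program Files (x86)' is not mistaken for 'C:\\Program Files'.
    """
    norm_area = ntpath.normcase(ntpath.normpath(area)).rstrip('\\') + '\\'
    return ntpath.normcase(ntpath.normpath(path)).startswith(norm_area)


def target_operations(log_text: str, target_process: str, area: str) -> list:
    """The target read-write operations of S140: issued by the target application on a
    file whose storage path contains the common storage path (the preset area)."""
    return [e for e in parse_events(log_text)
            if e['process'].lower() == target_process.lower()
            and e['operation'] in READ_WRITE_OPS
            and is_under(e['path'], area)]


def candidate_target_folders(log_text: str, target_process: str, area: str) -> Counter:
    """Folders holding the second files, counted by how often the target application
    touched them; the most frequently touched folder is the first one to scan."""
    return Counter(ntpath.dirname(e['path'])
                   for e in target_operations(log_text, target_process, area))


if __name__ == '__main__':
    for folder, hits in candidate_target_folders(
            SAMPLE_LOG, 'RemoteToolX.exe', 'C:\\Program Files\\').most_common():
        print(f'{hits:3d}  {folder}')
```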
S150, scanning the target folder, querying the target file meeting the preset condition, and outputting the target file as the credential file of the target application program.
For the target application program, since the file type of the credential file is not stored in the preset database, in the automatic detection process, even if the credential file can be judged to be possibly located in the target folder, in the case that the target folder contains a plurality of scanned files, it still cannot be directly determined which scanned file is the credential file of the target application program.
However, for remote control type applications, credential information is stored in certain fixed types of file. For example, for Sunflower, when the version of the application is lower than 11.1.2.38529, the Sunflower local identification code and verification code (the credential information) are both in the config.ini configuration file. The ToDesk credential information, including the encrypted temporary password and the secure password, is likewise located in a config.ini configuration file.
Based on this principle, after it has been preliminarily judged that the credential file of the target application program is probably located in the target folder, only the file types of the scanned files contained in the target folder need to be compared with the file types of the credential files of the pre-stored application programs corresponding to the target program type; if the file type of a scanned file is consistent with the file type of a credential file of a pre-stored application program, that scanned file is output as the credential file.
Taking as an example a first application program and a second application program, which are any two of the plurality of pre-stored application programs in the preset database and both correspond to the target program type: first, the credential files of the first application program and the second application program are analyzed; because both have already undergone credential detection, the file types of their credential files are stored in the database.
The file type of each scanned file is analyzed by identifying its extension (e.g., .txt, .xml, .db, etc.) and its content (a particular format or schema, such as a JSON or XML structure). The type of each scanned file in the target folder is then compared with the file type of the first credential file or the second credential file. If the file type of the scanned file is the same as the first file type of the first credential file, or the same as the second file type of the second credential file, the target file is determined to be the credential file and is output.
Further, in order to further determine whether the identified target file is a credential file of the target application program, a specific field in the target file may be used to replace a corresponding field in a local file of the target application program, and whether the corresponding credential authentication operation can be successfully completed is determined, thereby determining whether the target file is a credential file of the target application program.
Specifically, depending on the file type of the target file (e.g., text file, database file, or configuration file of a particular format), an appropriate tool or method is selected to read the first data content thereof. For example, if the file is in text format, any standard text editor or file reading function of programming language may be used. Which data constitutes a "credential field" is explicitly defined, which may be a user name, password, token, etc., and the format in which these data are represented in a file (e.g., a specific XML tag, JSON key, or fixed-location string, etc.), may be determined by a preset format commonly used for credentials for remote control type applications. These credential fields are identified and extracted using appropriate parsing tools or scripts depending on the format of the data. For example, for XML or JSON files, the information may be extracted using a corresponding parsing library.
A local configuration file or data file used by the target application is found, in which encrypted credential information may be stored. Following the reading process used for the first data content, an encrypted field of the local file that conforms to the preset format is read as the second data content; this content may be an encrypted credential field.
The original encryption field is replaced by the extracted credential field in the second data content, and credential authentication is attempted using the modified data. This typically involves loading the modified file into the application or calling the authentication mechanism of the application through an API. If the application accepts the modified credential and successfully performs a predetermined operation (e.g., login, connection database, etc.), it is verified that the file is indeed a valid credential file for the target application.
Taking ToDesk as an example, the configuration file of ToDesk is config.ini under the installation directory. In the content of config.ini, clientId is the device ID; authMode is the authentication mode, where 0 means temporary password only, 1 means secure password only, and 2 means the temporary password may also be used; tempAuthPassEx is the encrypted temporary password and authPassEx is the encrypted secure password. Only the latest version of ToDesk needs to be installed locally: ToDesk is exited, the tempAuthPassEx or authPassEx field of the configuration file config.ini is copied and used to replace the local one, and ToDesk is finally rerun to check the password, which shows that config.ini is a credential file of ToDesk.
By adopting the technical scheme of the application, the credential storage areas of application programs are predefined and centrally managed, the file read-write activity in those areas is monitored systematically, and the target folder is scanned automatically for credential files meeting specific conditions, which significantly improves the efficiency of acquiring credentials. First, according to the target program type of the target application program, the possible preset credential storage area of that program type is found. The preset credential storage area is then monitored; if the target application program performs file read-write operations on it, the credential file is judged likely to be stored in that area, and finally only a folder inside the preset credential storage area needs to be scanned to find the credential file. This avoids the traditional carpet search over many uncertain locations, makes credential collection more direct and efficient, reduces the errors and time consumption of manual operation, and ensures the accuracy and security of credential management. Through the automated process, the credential file can be quickly identified and verified, so the overall efficiency of security testing and application program configuration is improved.
The embodiment also discloses an automated credential detection device; referring to fig. 2, the device includes an acquisition module 201, an identification module 202, a judgment module 203, and a scanning module 204, where:
The acquisition module 201 is configured to acquire a target application program in the installed program list.
The identification module 202 is configured to determine a target program type corresponding to the target application program.
The judgment module 203 is configured to determine a preset credential storage area corresponding to the target program type.
The judgment module 203 is configured to determine, according to a file read-write operation for the preset credential storage area, a target folder read by the target application program, where the target folder is located in the preset credential storage area.
The scanning module 204 is configured to scan the target folder, query a target file that meets a preset condition, and output the target file as the credential file of the target application program.
In one possible implementation, the acquisition module 201 is configured to query a first execution file, a first configuration file, and a first resource file of the target application program.
The identification module 202 is configured to query at least one of a second execution file, a second configuration file, and a second resource file of a first application program, where the first application program is any one of a plurality of pre-stored application programs in a preset database and corresponds to the target program type.
The judgment module 203 is configured to determine that the target application program corresponds to the target program type if the first execution file contains the same key information as the second execution file, where the key information includes the execution file name; and/or,
The judgment module 203 is configured to determine that the target application program corresponds to the target program type if the first configuration file contains the same key data as the second configuration file; and/or,
The judgment module 203 is configured to determine that the target application program corresponds to the target program type if the first resource file contains the same resource data as the second resource file.
In one possible implementation, the identification module 202 is configured to determine a first application program and a second application program corresponding to the target program type, where the first application program and the second application program are any two of a plurality of pre-stored application programs in a preset database.
The acquisition module 201 is configured to acquire a first credential storage path of the first application program and a second credential storage path of the second application program.
The acquisition module 201 is configured to extract a common storage path of the first credential storage path and the second credential storage path.
The judgment module 203 is configured to set the folder corresponding to the common storage path as the preset credential storage area.
In one possible implementation, the acquisition module 201 is configured to query Windows Installer and the registry to obtain an installer list, where the installer list includes a plurality of installers.
The acquisition module 201 is configured to obtain a process list of running programs.
The scanning module 204 is configured to combine the installer list and the process list to obtain an installed program list, where the installed program list includes a plurality of installed application programs.
The scanning module 204 is configured to search a detected list according to the name of each installed application program and determine a target application program that has not undergone credential detection, where the detected list includes a plurality of application programs that have already undergone credential detection.
In one possible implementation, the acquisition module 201 is configured to capture, in real time, a plurality of file read-write operations on the file system.
The judgment module 203 is configured to determine a first file corresponding to each file read-write operation.
The judgment module 203 is configured to determine a second file among the plurality of first files according to the file storage path of each first file, where the file storage path of the folder corresponding to the second file includes the common storage path.
The judgment module 203 is configured to determine, according to the file storage path of the second file, the target folder that stores the second file.
In one possible implementation, the identification module 202 is configured to determine a first file type of a first credential file and a second file type of a second credential file, where the first credential file is the credential file of the first application program and the second credential file is the credential file of the second application program.
The acquisition module 201 is configured to obtain a plurality of scanned files contained in the scanned target folder.
The judgment module 203 is configured to determine a scanned file as the target file if the file type of the scanned file is the same as the first file type or the same as the second file type.
In one possible implementation, the identification module 202 is configured to read first data content of the target file.
The identification module 202 is configured to extract a credential field that satisfies a preset format from the first data content.
The acquisition module 201 is configured to obtain a local file of the target application program.
The acquisition module 201 is configured to read second data content of the local file.
The judgment module 203 is configured to determine an encrypted field that meets the preset format from the second data content.
The judgment module 203 is configured to replace the encrypted field with the credential field and judge whether the target application program can complete the credential authentication operation; if it is determined that the target application program can complete the credential authentication operation, the target file is determined to be the credential file of the target application program.
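The path-matching and scanning steps of the method and device above, as an added Python example that is not the patent's own code: it derives the common storage path of two known credential storage paths, filters a constructed file-event log down to the target folders a process touched inside that area, keeps only files of known credential file types, and reports which credential fields a ToDesk-style config.ini contains without exposing their values. The paths, process names, event record layout and the [config] section header are assumptions.

```python
# Added example, not code from the patent. All paths, process names and the
# INI layout below are constructed for illustration.
import configparser
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


def _parts_match(p: PureWindowsPath, prefix: PureWindowsPath) -> bool:
    """True if `prefix` is a folder-granular, case-insensitive prefix of `p`."""
    pp, qq = p.parts, prefix.parts
    return len(pp) > len(qq) and all(x.lower() == y.lower() for x, y in zip(pp, qq))


def common_storage_path(path_a: str, path_b: str) -> Optional[str]:
    """Common storage path of two known credential storage paths (the preset
    credential storage area): the longest shared folder prefix, compared folder
    by folder so a folder name is never cut mid-string. A prefix that is only
    the drive root is rejected as too broad to be a useful area."""
    common = []
    for x, y in zip(PureWindowsPath(path_a).parts, PureWindowsPath(path_b).parts):
        if x.lower() != y.lower():
            break
        common.append(x)
    if len(common) < 2:  # nothing shared, or only "C:\"
        return None
    return str(PureWindowsPath(*common))


@dataclass(frozen=True)
class FileEvent:
    """One captured file read-write operation (constructed record layout)."""
    process: str
    op: str    # "read" or "write"
    path: str  # the 'first file' of the operation


def target_folders(events: list, process: str, area: str) -> list:
    """Folders inside `area` that `process` read or wrote. Each event's file is a
    'first file'; those whose folder lies under the common storage path are
    'second files', and each second file's parent folder is a target folder."""
    area_p = PureWindowsPath(area)
    found = set()
    for ev in events:
        if ev.process.lower() != process.lower():
            continue
        file_p = PureWindowsPath(ev.path)
        if _parts_match(file_p, area_p):
            found.add(str(file_p.parent))
    return sorted(found)


def candidate_files(listing: list, known_types: set) -> list:
    """Scan step: keep files whose type matches a credential file type already
    known for an application of the same program type (extensions like ".ini")."""
    return [f for f in listing if PureWindowsPath(f).suffix.lower() in known_types]


AUTH_MODES = {"0": "temporary password only", "1": "secure password only",
              "2": "temporary password usable"}
CREDENTIAL_FIELDS = ("tempAuthPassEx", "authPassEx")


def inspect_config(text: str) -> dict:
    """Report what a ToDesk-style config.ini stores without exposing it: the
    authentication mode and which encrypted credential fields are non-empty.
    Field values are deliberately never returned."""
    if not text.lstrip().startswith("["):  # tolerate an INI without a section header
        text = "[root]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the report matches the file
    cp.read_string(text)
    present, mode = [], None
    for section in cp.sections():
        for key, value in cp.items(section):
            if key.lower() == "authmode":
                mode = AUTH_MODES.get(value.strip(), "unknown")
            elif key in CREDENTIAL_FIELDS and value.strip():
                present.append(key)
    return {"auth_mode": mode, "credential_fields_present": present}


if __name__ == "__main__":
    # Constructed credential paths of two known programs of the same type.
    area = common_storage_path(r"C:\Program Files\VendorA\config.ini",
                               r"C:\Program Files\VendorB\data\creds.db")
    log = [FileEvent("target.exe", "read", r"C:\Program Files\VendorC\config.ini"),
           FileEvent("target.exe", "write", r"C:\Users\u\AppData\Local\Temp\x.log"),
           FileEvent("other.exe", "read", r"C:\Program Files\VendorD\settings.ini")]
    print(area, target_folders(log, "target.exe", area))
    print(candidate_files(["config.ini", "app.exe", "creds.db"], {".ini", ".db"}))
    print(inspect_config("[config]\nclientId=123\nauthMode=2\ntempAuthPassEx=AAAA\nauthPassEx=\n"))
```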
It should be noted that: in the device provided in the above embodiment, when implementing the functions thereof, only the division of the above functional modules is used as an example, in practical application, the above functional allocation may be implemented by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules, so as to implement all or part of the functions described above. In addition, the embodiments of the apparatus and the method provided in the foregoing embodiments belong to the same concept, and specific implementation processes of the embodiments of the method are detailed in the method embodiments, which are not repeated herein.
The embodiment also discloses an electronic device, referring to fig. 3, the electronic device may include: at least one processor 301, at least one communication bus 302, a user interface 303, a network interface 304, at least one memory 305.
Wherein the communication bus 302 is used to enable connected communication between these components.
The user interface 303 may include a Display screen (Display), a Camera (Camera), and the optional user interface 303 may further include a standard wired interface, and a wireless interface.
The network interface 304 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), among others.
The processor 301 may include one or more processing cores. The processor 301 uses various interfaces and lines to connect the various parts of the overall server, and performs the various functions of the server and processes data by running or executing instructions, programs, code sets, or instruction sets stored in the memory 305 and invoking data stored in the memory 305. Alternatively, the processor 301 may be implemented in at least one hardware form of digital signal processing (Digital Signal Processing, DSP), field-programmable gate array (Field-Programmable Gate Array, FPGA), or programmable logic array (Programmable Logic Array, PLA). The processor 301 may integrate one or a combination of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be shown on the display screen; the modem handles wireless communication. It will be appreciated that the modem need not be integrated into the processor 301 and may be implemented as a separate chip.
The memory 305 may include random access memory (Random Access Memory, RAM) or read-only memory (Read-Only Memory, ROM). Optionally, the memory includes a non-transitory computer-readable storage medium. The memory 305 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 305 may include a program storage area and a data storage area, where the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the respective method embodiments described above, etc.; the data storage area may store the data involved in the respective method embodiments above. The memory 305 may optionally also be at least one storage device located remotely from the processor 301. As a computer storage medium, the memory 305 may include an operating system, a network communication module, a user interface 303 module, and an application program for the automated credential detection method.
In the electronic device shown in fig. 3, the user interface 303 is mainly used for providing an input interface for a user, and acquiring data input by the user; and the processor 301 may be configured to invoke an application in the memory 305 that stores an automated credential detection method that, when executed by the one or more processors 301, causes the electronic device to perform the method as in one or more of the embodiments described above.
It should be noted that, for simplicity of description, the foregoing method embodiments are all described as a series of acts, but it should be understood by those skilled in the art that the present application is not limited by the order of acts described, as some steps may be performed in other orders or concurrently in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all of the preferred embodiments, and that the acts and modules referred to are not necessarily required for the present application.
In the foregoing embodiments, the descriptions of the embodiments are emphasized, and for parts of one embodiment that are not described in detail, reference may be made to related descriptions of other embodiments.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, such as a division of units, merely a division of logic functions, and there may be additional divisions in actual implementation, such as multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some service interface, device or unit indirect coupling or communication connection, electrical or otherwise.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable memory. Based on this understanding, the technical solution of the present application may be embodied essentially or partly in the form of a software product, or all or part of the technical solution, which is stored in a memory 305, and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the method of the embodiments of the present application. And the aforementioned memory 305 includes: various media capable of storing program codes, such as a U disk, a mobile hard disk, a magnetic disk or an optical disk.
The application also discloses a computer-readable storage medium storing instructions which, when executed by the one or more processors 301, cause the electronic device to perform the method described in one or more of the embodiments above.
The foregoing are merely exemplary embodiments of the present disclosure and are not intended to limit its scope. Equivalent changes and modifications contemplated by the teachings of this disclosure fall within the scope of the present disclosure. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This application is intended to cover any variations, uses, or adaptations of the disclosure that follow its general principles, including such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered exemplary only, with the scope and spirit of the disclosure indicated by the claims.
Claims (8)
1. An automated credential detection method, the method comprising:
acquiring a target application program in an installed program list;
determining a target program type corresponding to the target application program;
determining a preset credential storage area corresponding to the target program type;
determining a target folder read by the target application program according to a file read-write operation for the preset credential storage area, wherein the target folder is located in the preset credential storage area;
scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as a credential file of the target application program;
wherein the determining the preset credential storage area corresponding to the target program type specifically comprises:
determining a first application program and a second application program corresponding to the target program type, wherein the first application program and the second application program are any two pre-stored application programs among a plurality of pre-stored application programs in a preset database;
acquiring a first credential storage path of the first application program and acquiring a second credential storage path of the second application program;
extracting a common storage path of the first credential storage path and the second credential storage path;
setting a folder corresponding to the common storage path as the preset credential storage area;
and the determining the target folder read by the target application program according to the file read-write operation for the preset credential storage area specifically comprises:
capturing a plurality of file read-write operations on a file system in real time;
determining a first file corresponding to each file read-write operation;
determining a second file among the plurality of first files according to the file storage paths of the first files, wherein the file storage path of the folder corresponding to the second file comprises the common storage path;
and determining the target folder storing the second file according to the file storage path of the second file.
2. The automated credential detection method according to claim 1, wherein the determining the target program type corresponding to the target application program specifically comprises:
querying a first execution file, a first configuration file and a first resource file of the target application program;
querying at least one of a second execution file, a second configuration file and a second resource file of a first application program, wherein the first application program is any one of a plurality of pre-stored application programs in a preset database, and the first application program corresponds to the target program type;
if the first execution file is determined to contain the same key information as the second execution file, determining that the target application program corresponds to the target program type, wherein the key information comprises the name of the execution file; and/or,
if the first configuration file is determined to contain the same key data as the second configuration file, determining that the target application program corresponds to the target program type; and/or,
if the first resource file is determined to contain the same resource data as the second resource file, determining that the target application program corresponds to the target program type.
3. The automated credential detection method according to claim 2, wherein the acquiring a target application program in an installed program list comprises:
querying Windows Installer and a registry to obtain an installer list, wherein the installer list comprises a plurality of installers;
acquiring a process list of running programs;
combining the installer list with the process list to obtain an installed program list, wherein the installed program list comprises a plurality of installed application programs;
searching a detected list according to the name of each installed application program, and determining a target application program that has not undergone credential detection, wherein the detected list comprises a plurality of application programs that have undergone credential detection.
4. The automated credential detection method according to claim 1, wherein the scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as a credential file of the target application program specifically comprises:
determining a first file type of a first credential file and a second file type of a second credential file, wherein the first credential file is a credential file of the first application program, and the second credential file is a credential file of the second application program;
acquiring a plurality of scanned files contained in the scanned target folder;
and if the file type of a scanned file is determined to be the same as the first file type, or if the file type of the scanned file is determined to be the same as the second file type, determining the scanned file as the target file.
5. The automated credential detection method according to claim 1, wherein after the scanning the target folder, querying a target file meeting a preset condition, and outputting the target file as a credential file of the target application program, the method further comprises:
reading first data content of the target file;
extracting a credential field meeting a preset format from the first data content;
acquiring a local file of the target application program;
reading second data content of the local file;
determining an encrypted field meeting the preset format from the second data content;
and replacing the encrypted field with the credential field, judging whether the target application program can complete the credential authentication operation, and if the target application program is determined to be able to complete the credential authentication operation, determining that the target file is the credential file of the target application program.
6. An automated credential detection device, comprising an acquisition module, an identification module, a judgment module, and a scanning module, wherein:
the acquisition module is configured to acquire a target application program in an installed program list;
the identification module is configured to determine a target program type corresponding to the target application program;
the judgment module is configured to determine a preset credential storage area corresponding to the target program type;
the judgment module is configured to determine a target folder read by the target application program according to a file read-write operation for the preset credential storage area, wherein the target folder is located in the preset credential storage area;
the scanning module is configured to scan the target folder, query a target file meeting a preset condition, and output the target file as a credential file of the target application program;
the judgment module is further configured to determine the preset credential storage area corresponding to the target program type, which specifically comprises: determining a first application program and a second application program corresponding to the target program type, wherein the first application program and the second application program are any two pre-stored application programs among a plurality of pre-stored application programs in a preset database; acquiring a first credential storage path of the first application program and acquiring a second credential storage path of the second application program; extracting a common storage path of the first credential storage path and the second credential storage path; and setting a folder corresponding to the common storage path as the preset credential storage area;
the judgment module is further configured to determine, according to a file read-write operation for the preset credential storage area, the target folder read by the target application program, which specifically comprises: capturing a plurality of file read-write operations on a file system in real time; determining a first file corresponding to each file read-write operation; determining a second file among the plurality of first files according to the file storage paths of the first files, wherein the file storage path of the folder corresponding to the second file comprises the common storage path; and determining the target folder storing the second file according to the file storage path of the second file.
7. An electronic device comprising a processor, a memory, a user interface, and a network interface, the memory for storing instructions, the user interface and the network interface each for communicating with other devices, the processor for executing instructions stored in the memory to cause the electronic device to perform the method of any of claims 1-5.
8. A computer readable storage medium storing instructions which, when executed, perform the method of any one of claims 1-5.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410895953.2A CN118427802B (en) | 2024-07-05 | 2024-07-05 | Automatic certificate detection method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN118427802A CN118427802A (en) | 2024-08-02 |
CN118427802B true CN118427802B (en) | 2024-09-24 |
Family
ID=92311044
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |