CN111563257B - Data detection method and device, computer readable medium and terminal equipment - Google Patents
- Publication number
- CN111563257B (CN202010295391.XA)
- Authority
- CN
- China
- Prior art keywords
- file
- detected
- matching
- data detection
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
The disclosure relates to the technical field of electronic equipment, and in particular relates to a data detection method, a data detection device, a computer readable medium and terminal equipment. The method comprises the following steps: obtaining a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format; analyzing the intermediate file to obtain a corresponding code to be identified; and matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result. The method can realize static detection of the hot update function in the SDK, and improves the accuracy of hot update function detection.
Description
Technical Field
The disclosure relates to the technical field of electronic equipment, and in particular relates to a data detection method, a data detection device, a computer readable medium and terminal equipment.
Background
As the functions of intelligent terminal equipment become richer, people depend more and more on terminal equipment. People can shop, talk, browse information and so on through application programs on terminal equipment such as mobile phones and tablet computers. In some applications, multiple functions may be integrated, and the application may be updated periodically or aperiodically to optimize it and enhance the user experience. To meet the functional requirements of the application, the application developer also uses specialized SDKs (software development kits) developed by third parties to complete the functions of the application.
In some prior art, however, most third party SDKs have a hot update function. Some third party SDKs use the hot update function to add malicious functionality, such as collecting user privacy data, downloading malicious code, and so forth, which brings data risk to the user.
It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The disclosure provides a data detection method, a data detection device, a computer readable medium and a terminal device, which can accurately identify and monitor the hot update function of an SDK and reduce security risks.
Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.
According to a first aspect of the present disclosure, there is provided a data detection method, including:
obtaining a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format;
analyzing the intermediate file to obtain a corresponding code to be identified;
and matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result.
According to a second aspect of the present disclosure, there is provided a data detection apparatus comprising:
the unpacking operation module is used for obtaining the file to be detected, unpacking the file to be detected to obtain the intermediate file in the target format;
the code analysis module is used for analyzing the intermediate file to obtain a corresponding code to be identified;
and the function detection module is used for matching the codes to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function or not according to a matching result.
According to a third aspect of the present disclosure, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements the data detection method described above.
According to a fourth aspect of the present disclosure, there is provided a terminal device comprising:
one or more processors;
and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the data detection method described above.
According to the data detection method provided by the embodiment of the disclosure, the SDK file to be detected is first unpacked to obtain the corresponding intermediate files (smali files), and the smali files are then analyzed to obtain the corresponding code to be identified, so that the code to be identified can be matched against the detection items configured in advance. When a matching result exists, the file to be detected is shown to have a hot update function; if no matching result exists, the file to be detected is shown not to contain the hot update function. By matching the SDK code against the preconfigured detection items, static detection of the hot update function in the SDK can be realized, and the accuracy of hot update function detection is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 schematically illustrates a flow diagram of a data detection method in an exemplary embodiment of the present disclosure;
FIG. 2 schematically illustrates a schematic diagram of a system architecture in an exemplary embodiment of the present disclosure;
FIG. 3 schematically illustrates a composition diagram of a data detection device in an exemplary embodiment of the present disclosure;
FIG. 4 schematically illustrates a system configuration diagram of a terminal device in an exemplary embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
For applications installed and used on smart terminal devices running the Android system, many APK (Android application package) developers need to integrate specialized SDKs (Software Development Kits) developed by third parties to complete their own functions. Introducing a third party SDK is a double-edged sword: it brings convenience but also more security threats. In particular, if the SDKs are not monitored for security, a third party SDK with a hot update function can have malicious functions added after it is hot updated, for example collecting user privacy data, downloading an attacker's malicious code, acting as a backdoor, or even attacking the system. APK developers who integrate the SDK are then implicated as well. Therefore, there is an increasing need to detect whether a third party SDK has a hot update function. When the third party SDK is detected to have a hot update function, the original APK developer can request the SDK provider to remove it.
In general, the prior art implements the hot update function mainly through the following steps: 1) loading a hot update Dex file by constructing a DexClassLoader object; 2) obtaining the system's default PathClassLoader, pathList and dexElements through reflection; 3) merging the hot update Dex with the system's default Elements array, ensuring that the hot update Dex comes before the system's default Elements array; 4) setting the merged array back into the PathClassLoader. Existing methods for detecting whether a third party SDK has a hot update function generally rely on manual detection. For example, it is determined manually whether the APK integrated with the SDK downloads a dex file from the network at run time and places it in the "/data/data/package name" or "/data/app/package name" directory or a subdirectory of the APK, and the downloaded dex file is analyzed to decide whether it is a hot update package. Such a detection method has low detection efficiency and low detection accuracy.
In view of the foregoing drawbacks and shortcomings of the prior art, the present exemplary embodiment provides a data detection method which can implement automatic detection of a hot update function and improve the accuracy of the detection result. Referring to fig. 1, the data detection method described above may include the steps of:
S11, acquiring a file to be detected, and unpacking the file to be detected to acquire an intermediate file in a target format;
S12, analyzing the intermediate file to obtain a corresponding code to be identified;
S13, matching the code to be identified based on a pre-configured detection item, so as to judge whether the file to be detected contains a target function according to a matching result.
In the data detection method provided in this example embodiment, on one hand, the SDK file to be detected is unpacked first, so that the corresponding intermediate files (smali files) can be obtained, and the smali files are then parsed to obtain the corresponding code to be identified, so that the code to be identified can be matched against detection items configured in advance. When a matching result exists, the file to be detected is shown to have a hot update function; if no matching result exists, the file to be detected is shown not to contain the hot update function. On the other hand, by matching the SDK code against preconfigured detection items, static detection of the hot update function in the SDK can be achieved, and the accuracy of hot update function detection is improved.
Hereinafter, each step of the data detection method in the present exemplary embodiment will be described in more detail with reference to the accompanying drawings and examples.
Step S11, obtaining a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format.
In this exemplary embodiment, the data detection method described above may be applied to a server side. Referring to the system architecture shown in fig. 2, the system architecture may include a server side 202 (e.g., tablet, portable or desktop computer, server, etc.), a network 201, and an electronic device 203. The network 201 is the medium used to provide communication links between the server side 202 and the electronic devices 203. The network 201 may include various connection types, such as wired communication links, wireless communication links, and the like. It should be understood that the number of server-side, network and electronic devices in fig. 2 is merely illustrative. There may be any number of control terminals, networks and electronic devices, as desired for implementation. For example, multiple electronic devices may be monitored and detected simultaneously.
In the electronic device 203, a plurality of applications integrated with the third party SDK may be installed. The user may enter control instructions at the server side 202 to select one or more target applications. The directories or subdirectories corresponding to the target applications in the storage space are then monitored to obtain one or more Dex files corresponding to the target applications, and each Dex file is configured as a file to be detected. When there are multiple files to be detected, multiple parallel detection tasks can be created at the server side, so that the files can be detected simultaneously.
After the Dex file to be detected is obtained, the Dex file can be unpacked first. For example, the baksmali tool may be used to unpack the Dex file of the SDK to obtain all smali files in the Dex file.
Alternatively, in other example embodiments of the present disclosure, the Dex file may be unpacked into other formats of files. For example, a Dex2jar tool is used to convert a Dex file into a Java file, and the Java file is used as an intermediate file.
And step S12, analyzing the intermediate file to obtain a corresponding code to be identified.
In this example embodiment, after unpacking to obtain the smali file or the java file, the smali file or the java file may be parsed to obtain code data corresponding to each intermediate file as the code to be identified.
And step S13, matching the codes to be identified based on a pre-configured detection item, so as to judge whether the file to be detected contains a target function according to a matching result.
In this example embodiment, the preconfigured detection item described above may be: any one or a combination of any multiple of executable object file path information, object class information, object function information, object loader information and executable authority information of an object function.
For example, the user may configure in advance, as detection items, the specific functions, classes, loaders, arrays, file paths, execution permissions, etc. that are necessary to implement the hot update function; the detection items are then each matched against the code to be identified line by line, and it is judged whether a corresponding matching result exists. If a corresponding matching result exists, the Dex file has a hot update function; if no corresponding matching item exists, the Dex file does not have a hot update function.
In this example embodiment, specifically, the step S13 described above may include:
S21, generating an XML configuration file according to the preconfigured detection item;
S22, calling a scanner to match the code to be identified line by line according to the XML configuration file;
S23, when a matching item exists in the code to be identified, recording the matching item so as to generate the matching result according to the matching item.
For example, the configuration file may include five test items, each including a corresponding description (desc) and code (item). For example, the code corresponding to the configuration file may include the following:
For example, the code may be checked for: a "getDeclaredField" function; a "BaseDexClassLoader" Dex loader function; a "dexElements" Dex array; "setAccessible" execution authority information; and path information of the executable Dex file via "DexPathList".
When there are several detection items, their execution order may be configured. For example, the execution path of the executable Dex file may be matched first, using the "dexPathList" string to match the code. If there is a match, the corresponding code is saved and the position of the code section is recorded. The Dex loader class may then be matched, for example using the "dalvik.system.BaseDexClassLoader" string. The Dex array may then be matched, for example using the "dexElements" string. Then the specified function names may be matched, for example using the "Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;" string. Finally, the execution authority information may also be matched, for example using the "Ljava/lang/reflect/Field;->setAccessible(Z)V" string. These embodiments are illustrative; the user may configure other detection items and other matching orders.
When there are multiple smali files, each line of code in each smali file can be matched separately. When a match succeeds, the name of the smali file and the line are recorded. After every detection item has been executed, if matching results exist for all or for part of the items, the SDK can be judged to contain hot update code and to have a hot update function.
In the present exemplary embodiment, based on the above, the method may further include calculating the risk level of the file to be detected according to the following formula:
$$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$$
where $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are, respectively, the matching result for the executable target file path information, the matching result for the target class information, the matching result for the target function information, the matching result for the target loader information, and the matching result for the executable authority information of the target function.
For example, the matching result of each detection item may be scored according to a certain rule, so as to obtain a matching result score for each detection item. The risk level score of the Dex file is then obtained from these scores. For example, when the scoring result is greater than 0.8, the Dex file may be treated as a high risk file and given a first mark; when the scoring result is 0.5-0.8, the Dex file may be treated as a medium risk file and given a second mark; when the scoring result is less than 0.5, the Dex file may be regarded as a low risk file. The first mark, the second mark and the third mark may use different marking styles so that they can be distinguished.
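The line-by-line matching of steps S21 to S23 and the risk formula above can be tried end to end with the following added example, which is not code from the patent. The XML layout (`detection`, `id`, `weight`), the assignment of the five strings to f1..f5, the 0/1 scoring rule, the coefficient values, the case-insensitive comparison and the smali fragments are all assumptions made for illustration; only the five match strings and the 0.8 / 0.5 thresholds come from the text.

```python
import xml.etree.ElementTree as ET

# Assumed config layout: the text says each detection item has a description
# (desc) and a code string (item); ids and weights are added for this example.
CONFIG_XML = """<detections>
  <detection id="f1" weight="0.30">
    <desc>executable Dex file path information</desc>
    <item>dexPathList</item>
  </detection>
  <detection id="f2" weight="0.20">
    <desc>Dex loader class</desc>
    <item>dalvik.system.BaseDexClassLoader</item>
  </detection>
  <detection id="f3" weight="0.15">
    <desc>reflective field lookup</desc>
    <item>Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;</item>
  </detection>
  <detection id="f4" weight="0.20">
    <desc>Dex element array</desc>
    <item>dexElements</item>
  </detection>
  <detection id="f5" weight="0.15">
    <desc>access-check override on a reflected field</desc>
    <item>Ljava/lang/reflect/Field;->setAccessible(Z)V</item>
  </detection>
</detections>"""

# Constructed smali fragments standing in for the unpacked SDK (not real SDK code).
SAMPLE_SMALI = {
    "com/vendor/sdk/Patcher.smali": """\
.class public Lcom/vendor/sdk/Patcher;
.method static install(Ljava/lang/ClassLoader;)V
    const-string v0, "dalvik.system.BaseDexClassLoader"
    new-instance v1, Ldalvik/system/DexPathList;
    invoke-virtual {v2, v1}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
    invoke-virtual {v3, v4}, Ljava/lang/reflect/Field;->setAccessible(Z)V
    const-string v5, "dexElements"
.end method
""",
    "com/vendor/sdk/Prefs.smali": """\
.class public Lcom/vendor/sdk/Prefs;
.method static read(Ljava/lang/Class;)V
    invoke-virtual {p0, v0}, Ljava/lang/Class;->getDeclaredField(Ljava/lang/String;)Ljava/lang/reflect/Field;
.end method
""",
}


def load_items(xml_text):
    """Parse the config into [(id, desc, match string, weight)] in file order."""
    items = []
    for node in ET.fromstring(xml_text).iter("detection"):
        items.append((node.get("id"),
                      node.findtext("desc").strip(),
                      node.findtext("item").strip(),
                      float(node.get("weight"))))
    return items


def scan(files, items):
    """Match every item against every line; record (file, line number, item id)."""
    hits = []
    for name, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            lowered = line.lower()  # assumption: compare case-insensitively
            for item_id, _desc, needle, _weight in items:
                if needle.lower() in lowered:
                    hits.append((name, lineno, item_id))
    return hits


def risk(hits, items):
    """P = a*f1 + ... + e*f5 with f_i = 1 if item i matched at least once, else 0."""
    matched = {item_id for _name, _line, item_id in hits}
    p = round(sum(w for item_id, _d, _n, w in items if item_id in matched), 4)
    level = "high" if p > 0.8 else "medium" if p >= 0.5 else "low"
    return p, level


if __name__ == "__main__":
    cfg = load_items(CONFIG_XML)
    found = scan(SAMPLE_SMALI, cfg)
    for hit in found:
        print(hit)
    print(risk(found, cfg))
```

A file that only calls `getDeclaredField`, which is common in ordinary reflection code, scores 0.15 and stays in the low band; the weighting is what keeps a single generic match from being reported as a hot update.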
In addition, in some exemplary embodiments of the present disclosure, after it is determined that the hot update function exists, the code to be identified may be parsed a second time in more depth, so as to identify the tasks the Dex file specifically executes, such as collecting data, uploading information, downloading information, and the like. Prompt information is then generated according to the risk level and the data.
In other exemplary embodiments of the present disclosure, the data detection method described above may be executed on an intelligent terminal such as a mobile phone or a tablet computer, for example as an application that runs independently on the intelligent terminal without being configured by a server side. When the method is executed on the intelligent terminal side, a user can configure the application program to be detected in the interactive interface. The file directories and subdirectories of the application program to be detected can then be monitored and read, the Dex files present in them can be extracted, and the scanner is called to run detection and matching with the preconfigured XML configuration file. In this way the above-described method can be performed on the intelligent terminal.
In addition, for the intelligent terminal, when it is judged that the file to be detected contains a target function, the directory corresponding to the file to be detected is configured as a monitoring target so that the monitored directory is watched in real time; and when a new file of the target type is detected in the monitored directory, the new file is deleted or moved to an isolated storage area.
For example, an SDK determined to have a hot update function may be monitored in real time, and the Dex file may be deleted or isolated; or the SDK itself may be isolated.
According to the method provided by the embodiment of the disclosure, the corresponding smali files are obtained by unpacking the Dex file, and the smali files are then analyzed to obtain the corresponding code; the code can therefore be matched automatically using the detection items, and the judgment on the hot update function can be generated automatically from the matching result. Because the detection items are supplied as a configuration file, a user can adjust them conveniently and quickly according to actual requirements, which improves detection accuracy. Static detection and dynamic monitoring of the hot update function are thereby both realized.
It is noted that the above-described figures are only schematic illustrations of processes involved in a method according to an exemplary embodiment of the invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Further, referring to fig. 3, in this exemplary embodiment, there is further provided a data detection apparatus 30 configured at an electronic device or a server, including an unpacking operation module 301, a code parsing module 302 and a function detection module 303, wherein:
The unpacking operation module 301 may be configured to obtain a file to be detected, and unpack the file to be detected to obtain an intermediate file in a target format.
The code parsing module 302 may be configured to parse the intermediate file to obtain a corresponding code to be identified.
The function detection module 303 is configured to match the code to be identified based on a preconfigured detection item, so as to determine whether the file to be detected includes a target function according to a matching result.
In one example of the present disclosure, the apparatus may further include: a risk level calculation module (not shown).
The risk level calculation module may be configured to determine, when it is determined that the file to be detected includes a target function, a risk level of the file to be detected according to the matching result.
In one example of the present disclosure, the preconfigured detection term may include: any one or a combination of any multiple of executable object file path information, object class information, object function information, object loader information and executable authority information of an object function.
In one example of the present disclosure, the risk level of the file to be detected is calculated according to the following formula:
$$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$$
where $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are, respectively, the executable file path information, the target class information, the target function information, the target loader information and the executable authority information of the target function.
In one example of the present disclosure, the apparatus may further include: a prompt generation module (not shown).
The prompt information generation module can be used for marking the application program corresponding to the file to be detected according to the risk level of the file to be detected; and generating corresponding prompt information according to the risk level.
In one example of the present disclosure, the apparatus is applied to a terminal device, and the apparatus may further include: the monitoring execution module (not shown in the figure).
The monitoring execution module can be used for configuring the directory corresponding to the file to be detected as a monitoring target when it is judged that the file to be detected contains a target function, so that the monitored directory is watched in real time; and for deleting a new file of the target type, or moving it to an isolated storage area, when such a file is detected in the monitored directory.
In one example of the present disclosure, the function detection module may include a configuration file generation unit, a matching execution unit, and a matching result processing unit (not shown in the figure), wherein:
The configuration file generating unit may be configured to generate an XML configuration file according to a preconfigured detection item.
The matching execution unit can be used for calling a scanner to match the code to be identified line by line according to the XML configuration file.
The matching result processing unit may be configured to record a matching term when the matching term exists in the code to be identified, so as to generate the matching result according to the matching term.
The specific details of each module in the above-mentioned data detection device are already described in detail in the corresponding data detection method, so that the details are not repeated here.
It should be noted that although in the above detailed description several modules or units of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functionality of two or more modules or units described above may be embodied in one module or unit in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into a plurality of modules or units to be embodied.
Fig. 4 shows a schematic diagram of a computer system suitable for use in implementing embodiments of the present invention.
It should be noted that, the computer system 800 of the electronic device shown in fig. 4 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present invention.
As shown in fig. 4, the computer system 800 includes a central processing unit (Central Processing Unit, CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 802 or a program loaded from a storage section 808 into a random access Memory (Random Access Memory, RAM) 803. In the RAM 803, various programs and data required for system operation are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An Input/Output (I/O) interface 805 is also connected to bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a Cathode Ray Tube (CRT), a liquid crystal display (Liquid Crystal Display, LCD), and the like, and a speaker, and the like; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN (Local Area Network) card, modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present invention, the processes described below with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present invention include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable media 811. When executed by a Central Processing Unit (CPU) 801, the computer program performs the various functions defined in the system of the present application.
It should be noted that the computer readable medium shown in the embodiments of the present invention may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM), flash memory, an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, the computer readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units involved in the embodiments of the present invention may be implemented by software or by hardware, and the described units may also be provided in a processor. In some cases, the names of the units do not constitute a limitation of the units themselves.
As another aspect, the present application also provides a computer-readable medium that may be contained in the electronic device described in the above embodiment; or may exist alone without being incorporated into the electronic device. The computer-readable medium carries one or more programs which, when executed by one of the electronic devices, cause the electronic device to implement the methods described in the embodiments below. For example, the electronic device may implement the steps shown in fig. 1.
Furthermore, the above-described drawings are only schematic illustrations of processes included in the method according to the exemplary embodiment of the present invention, and are not intended to be limiting. It will be readily appreciated that the processes shown in the above figures do not indicate or limit the temporal order of these processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, for example, among a plurality of modules.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (9)
1. A data detection method, comprising:
obtaining a file to be detected, and unpacking the file to be detected to obtain an intermediate file in a target format;
analyzing the intermediate file to obtain a corresponding code to be identified;
matching the code to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function according to a matching result;
when judging that the file to be detected contains a target function, configuring a directory corresponding to the file to be detected as a monitoring directory so as to monitor the monitoring directory in real time;
and when a new file of the target type is detected in the monitoring directory, deleting the new target type file or transferring the new target type file to an isolated storage area.
2. The data detection method according to claim 1, characterized in that the method further comprises:
and when judging that the file to be detected contains the target function, determining the risk level of the file to be detected according to the matching result.
3. The data detection method according to claim 2, wherein the preconfigured detection items include:
any one or a combination of any multiple of executable object file path information, object class information, object function information, object loader information and executable authority information of an object function.
4. The data detection method according to claim 3, wherein the risk level of the file to be detected is calculated according to the following formula:
$P = a \cdot f_1 + b \cdot f_2 + c \cdot f_3 + d \cdot f_4 + e \cdot f_5$;
wherein $a$, $b$, $c$, $d$, $e$ are coefficients, and $f_1$, $f_2$, $f_3$, $f_4$, $f_5$ are, respectively, the executable file path information, the target class information, the target function information, the target loader information and the executable authority information of the target function.
5. The data detection method according to claim 2, characterized in that the method further comprises:
marking an application program corresponding to the file to be detected according to the risk level of the file to be detected; and generating corresponding prompt information according to the risk level.
6. The data detection method according to claim 1, wherein the matching the code to be identified based on a pre-configured detection item includes:
generating an XML configuration file according to the preconfigured detection item;
invoking a scanner to match the codes to be identified row by row according to the XML configuration file;
and when a matching item exists in the code to be identified, recording the matching item so as to generate the matching result according to the matching item.
7. A data detection apparatus, comprising:
the unpacking operation module is used for obtaining the file to be detected, unpacking the file to be detected to obtain the intermediate file in the target format;
the code analysis module is used for analyzing the intermediate file to obtain a corresponding code to be identified;
the function detection module is used for matching the codes to be identified based on a pre-configured detection item so as to judge whether the file to be detected contains a target function or not according to a matching result;
the monitoring execution module is used for configuring a directory corresponding to the file to be detected as a monitoring directory when judging that the file to be detected contains a target function, so as to monitor the monitoring directory in real time; and, when a new file of the target type is detected in the monitoring directory, deleting the new target type file or transferring the new target type file to an isolated storage area.
8. A computer readable medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the data detection method according to any one of claims 1 to 6.
9. A terminal device, comprising:
one or more processors;
storage means for storing one or more programs which when executed by the one or more processors cause the one or more processors to implement the data detection method of any of claims 1 to 6.
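The line-by-line matching of claim 6 and the weighted score of claim 4, as an added example that is not code from the patent. The XML schema, the regex patterns, the weights, the smali sample and the choice of f_i as a 0/1 indicator (1 when detection item i matched at least once) are all assumptions made for illustration; the claims do not specify them.

```python
import re
import xml.etree.ElementTree as ET

# Constructed detection-item configuration. Schema, patterns and weights are
# assumptions; one item per category named in claim 3.
CONFIG_XML = r"""
<detection>
  <item id="f1" name="executable file path" weight="1.0" pattern="\.(dex|jar|so)\b"/>
  <item id="f2" name="target class" weight="2.0" pattern="Ldalvik/system/(Dex|Path)ClassLoader;"/>
  <item id="f3" name="target function" weight="3.0" pattern="->loadClass\("/>
  <item id="f4" name="target loader" weight="2.0" pattern="Ljava/lang/System;->load(Library)?\("/>
  <item id="f5" name="executable permission" weight="2.0" pattern="->setExecutable\("/>
</detection>
"""

# Constructed sample of the "code to be identified" (smali-like text).
SAMPLE_SMALI = """\
.method public loadPatch()V
    const-string v1, "/data/data/com.example.app/files/patch.dex"
    new-instance v0, Ldalvik/system/DexClassLoader;
    invoke-virtual {v0, v2}, Ldalvik/system/DexClassLoader;->loadClass(Ljava/lang/String;)Ljava/lang/Class;
    invoke-virtual {v3, v4}, Ljava/io/File;->setExecutable(Z)Z
.end method
"""


def load_items(xml_text):
    """Parse detection items into (id, name, weight, compiled regex) tuples."""
    return [(e.get("id"), e.get("name"), float(e.get("weight")),
             re.compile(e.get("pattern")))
            for e in ET.fromstring(xml_text).iter("item")]


def scan(code, items):
    """Match the code line by line; record each hit as (line_no, item_id, line)."""
    hits = []
    for line_no, line in enumerate(code.splitlines(), start=1):
        for item_id, _name, _weight, regex in items:
            if regex.search(line):
                hits.append((line_no, item_id, line.strip()))
    return hits


def risk_level(hits, items):
    """P = a*f1 + b*f2 + c*f3 + d*f4 + e*f5, with f_i = 1 if item i matched."""
    matched = {item_id for _line_no, item_id, _line in hits}
    return sum(weight for item_id, _name, weight, _regex in items
               if item_id in matched)


if __name__ == "__main__":
    detection_items = load_items(CONFIG_XML)
    result = scan(SAMPLE_SMALI, detection_items)
    for line_no, item_id, text in result:
        print(f"line {line_no}: {item_id}: {text}")
    print("contains target function:", bool(result))
    print("risk level P =", risk_level(result, detection_items))
```

A single line can satisfy several detection items (here the `loadClass` call matches both the class and the function item), so hits are recorded per item rather than per line, and the score counts each item once.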
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010295391.XA CN111563257B (en) | 2020-04-15 | 2020-04-15 | Data detection method and device, computer readable medium and terminal equipment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010295391.XA CN111563257B (en) | 2020-04-15 | 2020-04-15 | Data detection method and device, computer readable medium and terminal equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111563257A (en) | 2020-08-21 |
CN111563257B (en) | 2023-07-21 |
Family
ID=72071753
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010295391.XA Active CN111563257B (en) | 2020-04-15 | 2020-04-15 | Data detection method and device, computer readable medium and terminal equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111563257B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112732581B (en) * | 2021-01-12 | 2023-03-10 | 京东科技控股股份有限公司 | SDK detection method, device, electronic equipment, system and storage medium |
CN112948830B (en) * | 2021-03-12 | 2023-11-10 | 安天科技集团股份有限公司 | File risk identification method and device |
CN112988287B (en) * | 2021-03-15 | 2022-07-08 | 上海益世界信息技术集团有限公司广州分公司 | Application program running method and device |
CN113946507A (en) * | 2021-10-13 | 2022-01-18 | 湖南快乐阳光互动娱乐传媒有限公司 | Target API (application program interface) retrieval method and device |
CN117806688B (en) * | 2024-03-01 | 2024-05-28 | 腾讯科技(深圳)有限公司 | Thermal update detection method, thermal update detection device, computer equipment and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106650452A (en) * | 2016-12-30 | 2017-05-10 | 北京工业大学 | Mining method for built-in application vulnerability of Android system |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5575066B2 (en) * | 2011-07-19 | 2014-08-20 | 三菱電機株式会社 | Security evaluation apparatus, security evaluation method for security evaluation apparatus, and security evaluation program |
US20140215614A1 (en) * | 2013-01-30 | 2014-07-31 | Samsung Electronics Co., Ltd. | System and method for a security assessment of an application uploaded to an appstore |
CN104715196B (en) * | 2015-03-27 | 2017-05-31 | 北京奇虎科技有限公司 | The Static Analysis Method and system of smart mobile phone application program |
CN105631334A (en) * | 2015-12-25 | 2016-06-01 | 北京奇虎科技有限公司 | Application security detecting method and system |
CN108416216A (en) * | 2018-02-28 | 2018-08-17 | 阿里巴巴集团控股有限公司 | leak detection method, device and computing device |
CN108875688B (en) * | 2018-06-28 | 2022-06-10 | 北京旷视科技有限公司 | Living body detection method, device, system and storage medium |
CN109543444A (en) * | 2018-10-25 | 2019-03-29 | 深圳壹账通智能科技有限公司 | A kind of file signature method, apparatus, storage medium and server |
Non-Patent Citations (3)
Title |
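---|
"Watch Your Step": Precise Obstacle Detection and Navigation for Mobile Users Through Their Mobile Service; Minghui Sun et al.; IEEE Access; Vol. 7; full text * |
Research on Security Vulnerability Detection of External SDKs in the Android System; Ma Jie; Information Technology and Network Security; Vol. 38 (No. 8); full text * |
Research on Software Security Vulnerability Detection Technology Based on Program Analysis; Guan Ming; China Excellent Master's Theses Full-text Database, Information Science and Technology; full text * |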
Also Published As
Publication number | Publication date |
---|---|
CN111563257A (en) | 2020-08-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||