CN114168957B - Method, apparatus, device, medium and program product for resolving malicious application program - Google Patents
- Publication number
- CN114168957B (CN202111502673.3A)
- Authority
- CN
- China
- Prior art keywords
- instructions
- instruction
- unknown
- application program
- malicious application
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
Abstract
The disclosure provides a method for analyzing malicious software, which can be applied to the field of information security. The method for analyzing the malicious application program comprises the steps of obtaining a plurality of unknown instructions of the malicious application program and a plurality of known instructions of a white sample application program, obtaining a first calling frequency of the plurality of unknown instructions of the malicious application program in the running process and a second calling frequency of the plurality of known instructions of the white sample application program in the running process through statistics, determining at least one target instruction matched with the plurality of known instructions in the plurality of unknown instructions according to the first calling frequency and the second calling frequency, and analyzing the at least one target instruction to obtain running related data of the malicious application program. The disclosure also provides a malware parsing apparatus, a device, a storage medium and a program product.
Description
Technical Field
The present disclosure relates to the field of information security, and in particular, to the field of information security of mobile terminal applications, and more particularly, to a method, apparatus, device, medium, and program product for resolving a malicious application.
Background
In the process of performing security analysis on mobile terminal applications, developers often encounter malicious applications that employ VMP (Virtual Machine Protect) for reinforcement. The dex file of the hardened malicious application program is unreadable, so that the malicious behavior of the malicious application program cannot be analyzed.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, medium, and program product for resolving malicious applications.
According to a first aspect of the disclosure, a method for analyzing a malicious application program is provided, and the method comprises the steps of obtaining a plurality of unknown instructions of the malicious application program and a plurality of known instructions of a white sample application program, obtaining a first calling frequency of the unknown instructions of the malicious application program in a running process and a second calling frequency of the known instructions of the white sample application program in the running process through statistics, determining at least one target instruction matched with the known instructions in the unknown instructions, and analyzing the target instruction to obtain running related data of the malicious application program.
According to the embodiment of the disclosure, the method for determining at least one target instruction matched with the known instructions in the unknown instructions according to the first calling frequency and the second calling frequency comprises the steps of determining a first ordering of the called unknown instructions according to the first calling frequency, determining a second ordering of the called known instructions according to the second calling frequency, and determining at least one target instruction matched with the known instructions in the unknown instructions according to the first ordering and the second ordering, wherein the white sample application program and the malicious application program are the same type of application program.
According to the embodiment of the disclosure, obtaining, through statistics, the first calling frequency at which the plurality of unknown instructions are called in the running process of the malicious application program comprises the steps of obtaining respective instruction addresses of the plurality of unknown instructions to obtain a plurality of instruction addresses, setting breakpoints at positions corresponding to the plurality of instruction addresses in the malicious application program respectively, obtaining calling data of the plurality of unknown instructions through the breakpoints, and obtaining the first calling frequency of the plurality of unknown instructions by statistics according to the calling data.
According to the embodiment of the disclosure, the method for obtaining the instruction addresses of the unknown instructions comprises the steps of obtaining an interpreter of the malicious application program, analyzing an executable file of the malicious application program through the interpreter to obtain code data corresponding to the unknown instructions in the executable file, and analyzing the code data to obtain the instruction addresses.
According to the embodiment of the disclosure, the method for acquiring the interpreter of the malicious application program comprises the steps of calling the plurality of unknown instructions to obtain call addresses of the plurality of unknown instructions, and determining the interpreter according to the call addresses.
According to the embodiment of the disclosure, the obtaining the plurality of unknown instructions of the malicious application program comprises analyzing the reinforcement policy to obtain the plurality of unknown instructions when the malicious application program comprises the reinforcement policy.
According to the embodiment of the disclosure, the method for obtaining the plurality of unknown instructions of the malicious application program further comprises the steps of obtaining an installation package of the malicious application program, unpacking the installation package under the condition that the installation package is determined to comprise a code extraction shell, and analyzing the unpacked installation package to obtain the plurality of unknown instructions.
The second aspect of the disclosure provides a device for analyzing a malicious application program, which comprises an acquisition module, a statistics module, a determination module and an analysis module, wherein the acquisition module is used for acquiring a plurality of unknown instructions of the malicious application program and a plurality of known instructions of a white sample application program, the statistics module is used for obtaining a first calling frequency of the unknown instructions of the malicious application program in a running process and a second calling frequency of the known instructions of the white sample application program in the running process by using statistics, the determination module is used for determining at least one target instruction matched with the known instructions in the unknown instructions, and the analysis module is used for analyzing the target instructions to obtain running related data of the malicious application program.
A third aspect of the present disclosure provides an electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method of resolving malicious applications.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method of resolving malicious applications.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described method of resolving malicious applications.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be more apparent from the following description of embodiments of the disclosure with reference to the accompanying drawings, in which:
FIG. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium, and program product for resolving malicious applications according to embodiments of the present disclosure;
FIG. 2 schematically illustrates a schematic diagram of a method of resolving malicious applications according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a method of resolving malicious applications according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of obtaining a plurality of unknown instructions of a malicious application according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow chart of counting call frequencies at which a plurality of unknown instructions are called, according to an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram for fetching a plurality of instruction addresses, according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow diagram for determining target instructions according to call frequency, according to an embodiment of the disclosure;
FIG. 8 schematically illustrates a block diagram of an apparatus for resolving malicious applications in accordance with an embodiment of the present disclosure, and
Fig. 9 schematically illustrates a block diagram of an electronic device adapted to implement a method of resolving malicious applications according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in the sense in which one skilled in the art would generally understand it (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
It should be noted that, the method and the device for resolving a malicious application program provided by the present disclosure may be used in the field of information security, may also be used in the field of mobile terminal application security in the financial field, and may also be used in any field other than the financial field.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure and application of users' personal information all comply with the relevant laws and regulations, necessary security measures are adopted, and public order and good customs are not violated. In the technical scheme of the disclosure, the authorization or consent of the user is obtained before the personal information of the user is obtained or acquired.
The embodiment of the disclosure provides a method for analyzing a malicious application program, which comprises the steps of obtaining a plurality of unknown instructions of the malicious application program and a plurality of known instructions of a white sample application program, obtaining a first calling frequency of the plurality of unknown instructions of the malicious application program in a running process and a second calling frequency of the plurality of known instructions of the white sample application program in the running process by statistics, determining at least one target instruction matched with the plurality of known instructions in the plurality of unknown instructions according to the first calling frequency and the second calling frequency, and analyzing the at least one target instruction to obtain running related data of the malicious application program.
FIG. 1 schematically illustrates an application scenario diagram of a method, apparatus, device, medium, and program product for resolving malicious applications according to embodiments of the present disclosure.
As shown in fig. 1, an application scenario 100 according to this embodiment may include mobile terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 is the medium used to provide communication links between the mobile terminal devices 101, 102, 103 and the server 105. The network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, among others.
A user may interact with the server 105 via the network 104 using the mobile terminal devices 101, 102, 103 to receive or send messages or the like. Various communication client applications may be installed on the mobile terminal devices 101, 102, 103, such as shopping class applications, web browser applications, search class applications, instant messaging tools, mailbox clients, social platform software, and the like (just examples).
The mobile terminal devices 101, 102, 103 may be a variety of electronic devices having a display screen and supporting web browsing, including but not limited to smartphones, tablets, and laptop computers, among others.
The server 105 may be a server providing various services, such as a background management server (by way of example only) providing support for websites browsed by users using mobile terminal devices 101, 102, 103. The background management server may analyze and process the received data such as the user request, and feed back the processing result (e.g., the web page, information, or data obtained or generated according to the user request) to the terminal device.
It should be noted that, the method for resolving a malicious application provided by the embodiments of the present disclosure may be generally performed by the server 105. Accordingly, the apparatus for resolving malicious applications provided by the embodiments of the present disclosure may be generally disposed in the server 105. The method of resolving malicious applications provided by the embodiments of the present disclosure may also be performed by a server or a cluster of servers other than the server 105 and capable of communicating with the mobile terminal devices 101, 102, 103 and/or the server 105. Accordingly, the apparatus for resolving malicious applications provided by the embodiments of the present disclosure may also be provided in a server or a server cluster that is different from the server 105 and is capable of communicating with the mobile terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The method for resolving malicious applications according to the disclosed embodiments will be described in detail below with reference to fig. 2 to 7 based on the scenario described in fig. 1.
Fig. 2 schematically illustrates a schematic diagram of a method of resolving malicious applications according to an embodiment of the present disclosure.
Since the running process of the application can be understood as a process in which various instructions are called and executed, the running-related data of the application can be analyzed according to the called condition of the various instructions.
For a malicious application program that has been hardened with VMP, the installation package of the malicious application program needs to be unpacked, and the reinforcement policy is then analyzed to obtain the unknown instructions. Since the instructions of the hardened malicious application are typically unreadable, they may be considered unknown instructions.
For unknown instructions, the instruction address of each unknown instruction needs to be determined by parsing with the interpreter of the malicious application program. After the instruction address of an unknown instruction has been determined, the calls to that unknown instruction are counted.
Typically, the instructions that applications of the same type call during execution are also the same. The calls to the various unknown instructions of the malicious application program are compared with the calls to the various known instructions of white sample application programs of the same type, so that the unknown instructions are matched with the known instructions one by one, thereby determining the instruction meanings of the various unknown instructions. An unknown instruction whose instruction meaning has been successfully determined is recorded as a target instruction, and the operation related data of the malicious application program is then analyzed according to the target instruction.
Compared with the traditional analysis method for tracking codes and analyzing function mapping relations, the method for analyzing the malicious application program can analyze the operation process of the malicious application program only through the instruction calling frequency, and effectively improves the efficiency of information security analysis. In addition, under the condition of increasing the number of white samples, the matching precision of instructions can be effectively improved, and the analysis efficiency of malicious application behaviors is improved.
Fig. 3 schematically illustrates a flow chart of a method of resolving malicious applications according to an embodiment of the present disclosure.
As shown in FIG. 3, the method for analyzing a malicious application in this embodiment includes operations S310-S340.
In operation S310, a plurality of unknown instructions of a malicious application and a plurality of known instructions of a white sample application are acquired.
In the disclosed embodiment, malicious applications include illegal applications and unrecognized applications. Since malicious applications are typically written in custom bytecodes, for conventional security analysis methods, the instructions that the malicious application invokes during execution are typically unreadable, unknown instructions.
The white sample application is a known safe application, and the instructions invoked by the white sample application during operation are readable known instructions. There may be one white sample or a plurality of white samples.
The malicious application and the white sample application for acquiring instructions are the same type of application. For example, in the case where the malicious application is a mail-like application, the white sample application for acquiring the known instruction is also a mail-like application. In the case where the malicious application is a music-like application, the white sample application for acquiring the known instruction is also a music-like application.
In operation S320, statistics are used to obtain a first calling frequency at which the plurality of unknown instructions are called in the running process of the malicious application program and a second calling frequency at which the plurality of known instructions are called in the running process of the white sample application program.
In the disclosed embodiments, multiple instructions may be invoked during the execution of an application. When an application program runs a certain function, the related instructions are called a corresponding number of times at a certain moment.
The first call frequency includes the frequency at which each of the plurality of unknown instructions is called. The second call frequency includes the frequency at which each of the plurality of known instructions is called. The frequency at which an instruction is called includes the number of times it is called.
In operation S330, at least one target instruction of the plurality of unknown instructions that matches the plurality of known instructions is determined according to the first call frequency and the second call frequency.
In the disclosed embodiment, the target instruction is an instruction of the plurality of unknown instructions that matches any one of the known instructions. Since the instructions that are invoked by the same type of application program when performing the same function are similar, the instruction meaning of the unknown instruction can be determined from the known instructions.
To determine a target instruction, the known instructions are matched with the unknown instructions according to the calling frequencies of the unknown instructions in the first calling frequency and the calling frequencies of the known instructions in the second calling frequency, and the instructions that match the known instructions are determined from among the unknown instructions.
For example, the matching may be performed according to the relative levels of the call frequencies of the plurality of instructions, or may be performed according to the call frequencies of the plurality of instructions when different functions are executed.
In operation S340, at least one target instruction is parsed to obtain operation related data of the malicious application.
In the embodiment of the present disclosure, the running process of an application program may be understood as a process in which various instructions are called and executed, and after the instruction meaning of an unknown instruction of a malicious application program is clarified, the execution content of the running process of the malicious application program may be analyzed according to the instruction meaning.
Since the executable file of the hardened malicious application is unreadable, the execution content of the malicious application during running cannot be directly obtained. According to the method, the called instruction of the malicious application program during operation is determined by referring to the white sample through the frequency matching method, and then the execution content of the malicious application program is analyzed according to the called instruction. In addition, under the condition that a plurality of white samples are provided, the reference samples are expanded, so that the matching accuracy of instructions can be improved, and further, the analysis efficiency of malicious application programs is improved.
Fig. 4 schematically illustrates a flow chart of obtaining a plurality of unknown instructions of a malicious application according to an embodiment of the present disclosure.
As shown in fig. 4, acquiring the plurality of unknown instructions of the malicious application in operation S310 of the embodiment includes operation S410.
In operation S410, in the case that the malicious application includes a reinforcement policy, the reinforcement policy is analyzed to obtain a plurality of unknown instructions.
In the embodiment of the disclosure, the malicious application program protects the running function thereof through the VMP reinforcement technology, and the running of the function is realized by calling the corresponding instruction. For example, for a mail class application, the running function includes a function for sending mail, and when an instruction corresponding to the function is called, the application executes an operation for sending mail.
A VMP reinforcement policy typically applies VMP protection to a class of functions with the same registration address, for example by hardening all onCreate() functions and converting the function attribute from plain Java to Native. Alternatively, the functions that need hardening, such as key functions implementing core services, are abstracted into a shell function, and VMP protection is applied to the shell function.
In the case that the malicious application includes a reinforcement policy, the reinforcement policy is analyzed to obtain a reinforced function, thereby obtaining an unknown instruction corresponding to the reinforced function.
In the embodiment of the present disclosure, in the case that the malicious application has a code extraction shell, operation S420 to operation S440 are further included before operation S410.
In operation S420, an installation package of a malicious application is acquired.
In operation S430, in the case where it is determined that the installation package includes the code extraction shell, the installation package is unpacked.
In operation S440, the unpacked installation package is analyzed to obtain a plurality of unknown instructions.
In the event that it is determined that the installation package includes a code extraction shell, the complete executable file of the malicious application cannot be obtained until the installation package has been unpacked. The executable file comprises a dex file, and the VMP reinforcement policy of the malicious application program can be obtained by analyzing the dex file. Analyzing the unpacked installation package includes analyzing the reinforcement policy of the malicious application.
Illustratively, the code extraction shell may be removed using the FART automated unpacking tool.
Under the condition that the installation package of the malicious application program does not comprise a code extraction shell, a complete dex file can be obtained directly from the installation package, and the VMP reinforcement policy in the dex file is then analyzed to obtain a plurality of unknown instructions.
FIG. 5 schematically illustrates a flow chart of counting call frequencies at which a plurality of unknown instructions are called, according to an embodiment of the present disclosure.
As shown in fig. 5, obtaining by statistics, in operation S320 of the embodiment, the first call frequency at which the plurality of unknown instructions are called in the running process of the malicious application program includes operation S510 to operation S540.
In operation S510, the respective instruction addresses of the plurality of unknown instructions are obtained, yielding a plurality of instruction addresses.
In operation S520, breakpoints are set at positions corresponding to the plurality of instruction addresses, respectively, in the malicious application.
In operation S530, call data of the plurality of unknown instructions is obtained through the breakpoints.
In operation S540, according to the call data, the first call frequency at which the plurality of unknown instructions are called is obtained by statistics.
In the embodiment of the disclosure, a breakpoint is set at a corresponding position of the malicious application program, and when the malicious application program runs to that position, its execution is interrupted. Once a breakpoint has been set at the in-memory instruction address of each unknown instruction, an interruption of the running program indicates that the corresponding unknown instruction has been called.
After the breakpoints are set, when an instruction is called, the running program is interrupted and call data is output. The call data may be a byte code associated with the instruction, the associated byte code being recorded in a log of the application. For example, the log may be a custom opcode statistics log. For a given instruction, the byte code related to that instruction that the application program outputs after the interruption is the same each time the instruction is called. Therefore, the number of times each byte code is recorded can be counted from the log, which gives the frequency at which each instruction is called.
Before the call frequency is counted, invalid information in the statistics log needs to be filtered out. For example, the custom opcode statistics log is read entry by entry, the system error reports recorded in the log are screened out, and the call information of successful instruction calls is retained. Screening out invalid information improves the efficiency and accuracy of the subsequent matching of unknown instructions with known instructions.
According to the embodiment of the disclosure, after the breakpoints are set in the malicious application program, the calls to the plurality of unknown instructions can be recorded while the malicious application program is running. After the breakpoints are set, the malicious application program can be made to execute a specific operation, and the calls to unknown instructions during that operation are recorded, so that dynamic debugging of the malicious application program is realized.
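The log filtering and counting described above, together with the matching by relative call frequency of operation S330, can be sketched as follows. This is an added example, not code from the patent: the log line format, the `min_gap` ambiguity threshold, the sample counts and the use of Dalvik instruction names as the known labels are all assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed (hypothetical) format of one successful breakpoint hit in the
# opcode statistics log: "<timestamp> HIT op=0x<byte>". The page does not
# specify a format; every other line is treated as invalid information.
HIT_RE = re.compile(r"^\d+\s+HIT\s+op=0x([0-9a-fA-F]{2})$")


def count_calls(log_lines):
    """Drop invalid entries and count how often each byte code was recorded."""
    counts = Counter()
    for line in log_lines:
        m = HIT_RE.match(line.strip())
        if m:
            counts[int(m.group(1), 16)] += 1
    return counts


def relative(counts):
    """Turn raw call counts into relative frequencies that sum to 1.0."""
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()} if total else {}


def merge_white_samples(samples):
    """Average the relative frequencies of known instructions over all white samples."""
    merged = Counter()
    for counts in samples:
        for name, freq in relative(counts).items():
            merged[name] += freq / len(samples)
    return dict(merged)


def ranked(freqs):
    """Order by descending frequency; ties are broken by key so output is stable."""
    return sorted(freqs.items(), key=lambda kv: (-kv[1], kv[0]))


def match_by_rank(unknown_counts, white_freqs, min_gap=0.02):
    """Pair the i-th most called unknown byte code with the i-th most called known one.

    A pair is flagged ambiguous when, on either side, a neighbour in the
    ranking lies within min_gap, since a slightly different run could swap
    the two ranks (min_gap is an assumption of this example).
    """
    u = ranked(relative(unknown_counts))
    k = ranked(white_freqs)

    def crowded(seq, i):
        near = [seq[j][1] for j in (i - 1, i + 1) if 0 <= j < len(seq)]
        return any(abs(seq[i][1] - f) < min_gap for f in near)

    return {
        u[i][0]: {"known": k[i][0], "ambiguous": crowded(u, i) or crowded(k, i)}
        for i in range(min(len(u), len(k)))
    }


def constructed_log():
    """Constructed sample log: 20 valid hits plus two invalid entries."""
    hits = [0x7C] * 10 + [0x11] * 6 + [0xA3] * 2 + [0x05] * 2
    lines = [f"{1000 + i} HIT op=0x{op:02x}" for i, op in enumerate(hits)]
    lines.insert(3, "1003 E/art: constructed system error report")
    lines.append("1999 HIT op=0x")  # truncated record, must be dropped
    return lines


# Constructed call counts of known instructions in two white samples of the
# same application type as the analysed sample.
WHITE_SAMPLES = [
    {"invoke-virtual": 50, "move-result-object": 28, "const-string": 14, "return-void": 8},
    {"invoke-virtual": 44, "move-result-object": 32, "const-string": 16, "return-void": 8},
]

if __name__ == "__main__":
    unknown = count_calls(constructed_log())
    white = merge_white_samples(WHITE_SAMPLES)
    for opcode, hit in match_by_rank(unknown, white).items():
        flag = " (ambiguous)" if hit["ambiguous"] else ""
        print(f"0x{opcode:02x} -> {hit['known']}{flag}")
```

Pairs flagged as ambiguous are the ones to re-measure while the application executes a different function, which is the second matching option the description mentions.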
FIG. 6 schematically illustrates a flow diagram for fetching a plurality of instruction addresses, according to an embodiment of the present disclosure.
As shown in fig. 6, obtaining the respective instruction addresses of the plurality of unknown instructions in operation S510, to obtain the plurality of instruction addresses, includes operations S5101 to S5103.
In operation S5101, an interpreter of a malicious application is acquired.
An interpreter is a component that implements the addressing, decoding and execution of the smali instruction set. Because the core code of a malicious application program hardened with VMP is written entirely in custom byte code, the unknown instructions obtained through analysis are unreadable, garbled code. The unknown instructions need to be decoded by the interpreter of the malicious application.
Acquiring the interpreter of the malicious application program includes calling the plurality of unknown instructions to obtain the call addresses of the plurality of unknown instructions, and determining the interpreter according to the call addresses.
Since a VMP-hardened function is bound to the address where the interpreter is located, the interpreter can be located by calling the unknown instructions.
Illustratively, statements that print the function name and the call address are added by modifying the RegisterNative method in the ART source code. When a Native function is called, the name and the address of the called Native function are printed. When an unknown instruction corresponding to a function hardened by VMP is called, the printed call address is the address of the interpreter, so that the interpreter is located.
Typically, a VMP-hardened application also includes an anti-debug policy, which is used to prevent dynamic debugging of the interpreter. Therefore, before the interpreter of the malicious application is acquired in operation S5101, the anti-debug policy of the original application also needs to be bypassed using a custom ART file. For example, the part of the code in the art/runtime/art_method.cc file that calls the JNI function is modified so that the system of the malicious application is put to sleep before the JNI function is called. While the system is dormant, a debugging tool is attached, so that subsequent dynamic debugging of the malicious application program is realized.
In operation S5102, the executable file of the malicious application is parsed by the interpreter, and code data corresponding to a plurality of unknown instructions in the executable file is obtained.
In operation S5103, the code data is analyzed to obtain a plurality of instruction addresses.
In the embodiment of the disclosure, the executable file is parsed by the interpreter, and the code related to the unknown instructions in the executable file can be saved. The saved code is then analyzed to obtain the plurality of instruction addresses. For example, the address of an instruction in memory is determined according to the CodeItem information located in the first 8 bytes of the code corresponding to that instruction.
Because of the VMP reinforcement processing, the instruction information of the malicious application program cannot be obtained directly. The plurality of unknown instructions may instead be obtained by analyzing the reinforcement policy. The unknown instructions are written in the custom byte code of the malicious application program, and to a security analysis program this custom byte code is unreadable, garbled code until the interpreter is determined. After the interpreter is determined, the custom byte code of the malicious application program is compiled through the interpreter to obtain the plurality of instruction addresses.
FIG. 7 schematically illustrates a flow diagram for determining target instructions based on call frequency according to an embodiment of the disclosure.
As shown in FIG. 7, operation S510, determining at least one target instruction among the plurality of unknown instructions that matches the plurality of known instructions according to the first call frequency and the second call frequency, includes operations S710 to S720.
In operation S710, a first ordering in which the plurality of unknown instructions are called is determined according to the first call frequency, and a second ordering in which the plurality of known instructions are called is determined according to the second call frequency.
In the disclosed embodiments, the first ordering and the second ordering may be instruction ordering tables. The first ordering may be an ordered list of the plurality of unknown instructions sorted by their call frequencies in the first call frequency. The second ordering may be an ordered list of the plurality of known instructions sorted by their call frequencies in the second call frequency. The sorting may be from high to low or from low to high.
For example, where the first call frequency includes the call frequencies of 10 unknown instructions, these call frequencies are sorted from high to low to obtain the first ordering. Where the second call frequency includes the call frequencies of 10 known instructions, these call frequencies are sorted from high to low to obtain the second ordering. The present disclosure does not limit the particular sorting manner, nor the number of instructions included in the first ordering and the second ordering. The number of instructions included in the first ordering may be the same as or different from the number of instructions included in the second ordering.
In operation S720, at least one target instruction of the unknown instructions that matches the plurality of known instructions is determined according to the first ordering and the second ordering.
Continuing with the example above, the first ordering is an ordered list of 10 unknown instructions sorted from high to low by call frequency, and the second ordering is an ordered list of 10 known instructions sorted from high to low by call frequency. The 10 unknown instructions and the 10 known instructions are the instructions called when the malicious application program and the white sample application program, respectively, execute the same operation.
The white sample application is an application of the same type as the malicious application. Applications of the same type call approximately the same types and numbers of instructions when performing the same operation. However, a malicious application may perform other illegal operations without permission while performing the specified operations normally. For example, a malicious mailbox application may record user information and send it out while sending and receiving mail, yet the operations presented on the client do not differ from those of other secure software.
By way of example, the matching may pair instructions that hold the same rank by call frequency. For example, the unknown instruction ranked first by call frequency in the first ordering is the target instruction that matches the known instruction ranked first by call frequency in the second ordering, and the unknown instruction (target instruction) has the same instruction meaning as the known instruction.
Illustratively, the embodiments of the disclosure also disclose another method for determining a target instruction according to the call frequency.
Through dynamic debugging, the malicious application program and the white sample program execute the same first operation, and the call frequency of each instruction is counted to obtain a first unknown instruction call ordering table and a first known instruction call ordering table. The malicious application program and the white sample program then execute the same second operation, and the call frequency of each instruction is counted to obtain a second unknown instruction call ordering table and a second known instruction call ordering table.
The first known instruction call ordering table is compared with the first unknown instruction call ordering table to generate a first mapping table containing mapping relations between unknown instructions and known instructions. The second known instruction call ordering table is compared with the second unknown instruction call ordering table to generate a second mapping table containing mapping relations between unknown instructions and known instructions. The first mapping table is then compared with the second mapping table; where both mapping tables contain a known instruction and an unknown instruction with the same mapping relation, that unknown instruction is a target instruction matching the known instruction.
Illustratively, the embodiments of the disclosure also disclose a further method for determining a target instruction according to the call frequency.
Through dynamic debugging, the malicious application program and a first white sample program execute the same first operation, and the call frequency of each instruction is counted to obtain a first unknown instruction call ordering table and a first known instruction call ordering table. The malicious application program and a second white sample program then execute the same first operation, and a second unknown instruction call ordering table and a second known instruction call ordering table are obtained according to the call frequency of each instruction.
The first known instruction call ordering table is compared with the first unknown instruction call ordering table to generate a first mapping table containing mapping relations between unknown instructions and known instructions. The second known instruction call ordering table is compared with the second unknown instruction call ordering table to generate a second mapping table containing mapping relations between unknown instructions and known instructions. The first mapping table is then compared with the second mapping table; where both mapping tables contain a known instruction and an unknown instruction with the same mapping relation, that unknown instruction is a target instruction matching the known instruction.
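The log filtering, frequency counting, rank comparison and mapping-table intersection described above can be followed end to end in the added Python example below, which is not code from the patent. The log line format (`CALL <byte code>` for a successful call, anything else treated as invalid), the opcode values and the call counts are constructed, and leaving tied ranks unmapped is an assumption, since the text does not say how ties are handled.

```python
from collections import Counter


def count_calls(log_text):
    """Count successful calls per byte code, dropping invalid log entries."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        # Assumed format: "CALL <byte code or mnemonic>". System error
        # reports, blank lines and truncated entries are filtered out.
        if len(fields) == 2 and fields[0] == "CALL":
            counts[fields[1]] += 1
    return counts


def ranked_groups(counts):
    """Return {rank: [instructions]} sorted high to low, ties grouped."""
    by_count = {}
    for instruction, n in counts.items():
        by_count.setdefault(n, []).append(instruction)
    groups, rank = {}, 0
    for n in sorted(by_count, reverse=True):
        groups[rank] = sorted(by_count[n])
        rank += len(by_count[n])  # tied instructions occupy several ranks
    return groups


def mapping_table(unknown_counts, known_counts):
    """Map each unknown instruction to the known one with the same rank."""
    unknown, known = ranked_groups(unknown_counts), ranked_groups(known_counts)
    return {
        unknown[r][0]: known[r][0]
        for r in unknown
        # Assumption: a rank is used only if it is unambiguous on both sides.
        if r in known and len(unknown[r]) == 1 and len(known[r]) == 1
    }


def target_instructions(table1, table2):
    """Keep only the mappings on which both mapping tables agree."""
    return {u: k for u, k in table1.items() if table2.get(u) == k}


# Constructed call counts: custom opcodes of the hardened sample and smali
# mnemonics of the white sample, for two operations run on both programs.
OP1_UNKNOWN = {"0xA7": 9, "0x3C": 6, "0x51": 4, "0x1E": 2, "0x77": 1}
OP1_KNOWN = {"invoke-virtual": 10, "move-result": 7, "const-string": 4,
             "return-void": 3, "if-eqz": 1}
OP2_UNKNOWN = {"0xA7": 12, "0x51": 8, "0x3C": 5, "0x1E": 5, "0x77": 2}
OP2_KNOWN = {"invoke-virtual": 11, "const-string": 9, "move-result": 6,
             "if-eqz": 4, "return-void": 3}
NOISE = ["ERR SIGSEGV at 0x7f001234", "", "CALL"]  # constructed invalid lines


def make_log(counts):
    """Build a constructed statistics log with invalid lines mixed in."""
    lines = [f"CALL {tok}" for tok, n in counts.items() for _ in range(n)]
    return "\n".join(lines + NOISE)


def demo():
    table1 = mapping_table(count_calls(make_log(OP1_UNKNOWN)),
                           count_calls(make_log(OP1_KNOWN)))
    table2 = mapping_table(count_calls(make_log(OP2_UNKNOWN)),
                           count_calls(make_log(OP2_KNOWN)))
    return table1, table2, target_instructions(table1, table2)


if __name__ == "__main__":
    first, second, targets = demo()
    print("first mapping table: ", first)
    print("second mapping table:", second)
    print("target instructions: ", targets)
```

In the constructed data, `0x3C` and `0x1E` tie in the second operation and `0x77` maps to different known instructions in the two tables, so only the mappings confirmed by both operations remain as target instructions.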
The present disclosure provides a method for resolving a malicious application program, which resolves a malicious application program subjected to VMP reinforcement processing based on the frequency with which instructions are called. Compared with traditional analysis methods, the instruction meaning is determined from the instruction call frequency, which simplifies the analysis process, saves the large amount of time and effort otherwise spent tracing code and analyzing function mapping relations, and effectively improves the efficiency of analyzing malicious application programs. Furthermore, matching accuracy is increased by the different ways of comparing with white sample applications. An accurate matching result further helps improve the efficiency of analyzing malicious behavior.
Based on the method for analyzing the malicious application program, the disclosure also provides a device for analyzing the malicious application program. The device will be described in detail below in connection with fig. 8.
FIG. 8 schematically illustrates a block diagram of an apparatus for resolving malicious applications according to an embodiment of the present disclosure.
As shown in FIG. 8, the apparatus 800 for resolving a malicious application according to this embodiment includes an acquisition module 810, a statistics module 820, a determination module 830, and a parsing module 840.
The acquisition module 810 is configured to acquire a plurality of unknown instructions of a malicious application and a plurality of known instructions of a white sample application. In an embodiment, the acquisition module 810 may be configured to perform the operation S310 described above, which is not repeated here.
The statistics module 820 is configured to obtain, through statistics, a first call frequency with which the plurality of unknown instructions are called while the malicious application program runs and a second call frequency with which the plurality of known instructions are called while the white sample application program runs. In an embodiment, the statistics module 820 may be used to perform the operation S320 described above, which is not repeated here.
The determination module 830 is configured to determine at least one target instruction of the plurality of unknown instructions that matches the plurality of known instructions according to the first call frequency and the second call frequency. In an embodiment, the determination module 830 may be configured to perform the operation S330 described above, which is not repeated here.
The parsing module 840 is configured to parse the at least one target instruction to obtain operation related data of the malicious application. In an embodiment, the parsing module 840 may be used to perform the operation S340 described above, which is not repeated here.
According to an embodiment of the present disclosure, the acquisition module 810 includes a first analyzing unit, configured to analyze the reinforcement policy to obtain the plurality of unknown instructions in a case where the malicious application includes a reinforcement policy.
According to an embodiment of the disclosure, the acquisition module 810 further includes a first obtaining unit configured to obtain an installation package of the malicious application, an unshelling unit configured to unshell the installation package if it is determined that the installation package includes a code extraction shell, and a second analyzing unit configured to analyze the unshelled installation package to obtain the plurality of unknown instructions.
According to the embodiment of the disclosure, the statistics module 820 includes a second acquisition unit, a setting unit, an acquisition unit and a statistics unit. The second acquisition unit is used for acquiring the respective instruction addresses of the plurality of unknown instructions to obtain a plurality of instruction addresses; the setting unit is used for setting breakpoints at the positions in the malicious application program corresponding to the plurality of instruction addresses; the acquisition unit is used for acquiring call data of the plurality of unknown instructions through the breakpoints; and the statistics unit is used for counting, according to the call data, the first call frequency with which the plurality of unknown instructions are called.
According to the embodiment of the disclosure, the second acquisition unit includes a third acquisition unit used for acquiring an interpreter of the malicious application program, an analysis unit used for parsing an executable file of the malicious application program through the interpreter to obtain code data corresponding to the plurality of unknown instructions in the executable file, and a third analysis unit used for analyzing the code data to obtain the plurality of instruction addresses.
The third acquisition unit includes a calling unit and a first determination unit, wherein the calling unit is used for calling the plurality of unknown instructions to obtain the call addresses of the plurality of unknown instructions, and the first determination unit is used for determining the interpreter according to the call addresses.
According to an embodiment of the disclosure, the determination module 830 includes a second determining unit configured to determine a first ordering in which the plurality of unknown instructions are called according to the first call frequency and a second ordering in which the plurality of known instructions are called according to the second call frequency, and a third determining unit configured to determine at least one target instruction among the unknown instructions that matches the plurality of known instructions according to the first ordering and the second ordering, wherein the white sample application is an application of the same type as the malicious application.
According to embodiments of the present disclosure, any number of the acquisition module 810, the statistics module 820, the determination module 830, and the parsing module 840 may be combined and implemented in one module, or any one of them may be split into multiple modules. Alternatively, at least some of the functionality of one or more of these modules may be combined with at least some of the functionality of other modules and implemented in one module. According to embodiments of the present disclosure, at least one of the acquisition module 810, the statistics module 820, the determination module 830, and the parsing module 840 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, or an Application Specific Integrated Circuit (ASIC), or in hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or in any one of, or any suitable combination of, the three implementations of software, hardware, and firmware. Alternatively, at least one of the acquisition module 810, the statistics module 820, the determination module 830, and the parsing module 840 may be at least partially implemented as a computer program module which, when executed, performs the corresponding functions.
FIG. 9 schematically illustrates a block diagram of an electronic device adapted to implement a method of resolving malicious applications according to an embodiment of the present disclosure.
As shown in FIG. 9, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of an input portion 906 including a keyboard, a mouse, etc., an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 908 including a hard disk, etc., and a communication portion 909 including a network interface card such as a LAN card, a modem, etc., connected to the I/O interface 905. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, causes the computer system to implement the method for resolving malicious applications provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for performing the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, "C" or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or integrated in a variety of ways, even if such combinations or integrations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or integrated without departing from the spirit and teachings of the present disclosure. All such combinations and/or integrations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.
Claims (11)
1. A method of resolving malicious applications, comprising:
acquiring a plurality of unknown instructions of a malicious application program and a plurality of known instructions of a white sample application program, wherein the white sample application program and the malicious application program are application programs of the same type;
obtaining, through statistics, a first calling frequency with which the plurality of unknown instructions are called in the running process of the malicious application program and a second calling frequency with which the plurality of known instructions are called in the running process of the white sample application program, wherein the first calling frequency comprises the calling times of the plurality of unknown instructions;
determining at least one target instruction matched with the known instructions in the unknown instructions according to the first calling frequency and the second calling frequency;
analyzing the at least one target instruction to obtain operation related data of the malicious application program;
wherein determining at least one target instruction of the plurality of unknown instructions that matches the plurality of known instructions according to the first calling frequency and the second calling frequency comprises:
causing the malicious application program and the white sample program to execute the same first operation, and counting the calling frequency of each instruction to obtain a first unknown instruction call ordering table and a first known instruction call ordering table;
causing the malicious application program and the white sample program to execute the same second operation, and counting the calling frequency of each instruction to obtain a second unknown instruction call ordering table and a second known instruction call ordering table;
comparing the first known instruction call ordering table with the first unknown instruction call ordering table to generate a first mapping table;
comparing the second known instruction call ordering table with the second unknown instruction call ordering table to generate a second mapping table;
in the case where the first mapping table and the second mapping table include a known instruction and an unknown instruction having the same mapping relationship, determining that the unknown instruction is a target instruction matching the known instruction.
2. The method of claim 1, wherein the determining at least one target instruction of the plurality of unknown instructions that matches the plurality of known instructions according to the first and second calling frequencies comprises:
determining a first ordering in which the plurality of unknown instructions are called according to the first calling frequency and a second ordering in which the plurality of known instructions are called according to the second calling frequency, and
determining at least one target instruction of the unknown instructions that matches the plurality of known instructions according to the first ordering and the second ordering.
3. The method of claim 1, wherein the obtaining, through statistics, the first calling frequency with which the plurality of unknown instructions are called in the running process of the malicious application program comprises:
acquiring respective instruction addresses of the plurality of unknown instructions to obtain a plurality of instruction addresses;
respectively setting breakpoints at positions corresponding to the instruction addresses in the malicious application program;
obtaining call data of the plurality of unknown instructions through the breakpoints, and
counting, according to the call data, the first calling frequency with which the plurality of unknown instructions are called.
4. The method of claim 3, wherein the acquiring respective instruction addresses of the plurality of unknown instructions to obtain a plurality of instruction addresses comprises:
acquiring an interpreter of the malicious application program;
analyzing the executable file of the malicious application program through the interpreter to obtain code data corresponding to the plurality of unknown instructions in the executable file, and
analyzing the code data to obtain the plurality of instruction addresses.
5. The method of claim 4, wherein the acquiring the interpreter of the malicious application program comprises:
calling the plurality of unknown instructions to obtain calling addresses of the plurality of unknown instructions, and
determining the interpreter according to the calling addresses.
6. The method of claim 1, wherein the acquiring a plurality of unknown instructions of a malicious application program comprises:
in the case that the malicious application program comprises a reinforcement strategy, analyzing the reinforcement strategy to obtain the plurality of unknown instructions.
7. The method of claim 6, wherein the acquiring a plurality of unknown instructions of a malicious application program further comprises:
acquiring an installation package of the malicious application program;
in the case where it is determined that the installation package includes a code extraction shell, unshelling the installation package, and
analyzing the unshelled installation package to obtain the plurality of unknown instructions.
8. An apparatus for resolving malicious applications, comprising:
an acquisition module, configured to acquire a plurality of unknown instructions of a malicious application program and a plurality of known instructions of a white sample application program, wherein the white sample application program and the malicious application program are application programs of the same type;
a statistics module, configured to obtain, by statistics, a first call frequency at which the plurality of unknown instructions are called during the running of the malicious application program and a second call frequency at which the plurality of known instructions are called during the running of the white sample application program, wherein the first call frequency comprises the number of times the plurality of unknown instructions are called;
a determining module, configured to determine, according to the first call frequency and the second call frequency, at least one target instruction among the plurality of unknown instructions that matches the plurality of known instructions; and
an analysis module, configured to analyze the at least one target instruction to obtain operation-related data of the malicious application program;
wherein the determining module is further configured to: make the malicious application program and the white sample program execute the same first operation, and count call frequencies of the instructions to obtain a first unknown instruction call ordering table and a first known instruction call ordering table; make the malicious application program and the white sample program execute the same second operation, and count call frequencies of the instructions to obtain a second unknown instruction call ordering table and a second known instruction call ordering table; compare the first known instruction call ordering table with the first unknown instruction call ordering table to generate a first mapping table; compare the second known instruction call ordering table with the second unknown instruction call ordering table to generate a second mapping table; and determine that the unknown instruction is a target instruction matched with the known instruction in the case that the first mapping table and the second mapping table include the known instruction and the unknown instruction with the same mapping relation.
9. An electronic device, comprising:
one or more processors; and
storage means for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-7.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method according to any of claims 1-7.
11. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 7.
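The frequency-ordering match of claims 3 and 8, sketched in Python as an added example (not code from the patent): breakpoint hits are counted into ordering tables, a mapping table is built per operation, and only pairs that agree in both tables are kept. The handler addresses, instruction names and hit counts are constructed, and discarding tied call counts is an assumption of this sketch, since a tied rank cannot be mapped unambiguously.

```python
from collections import Counter

def ordering_table(hits):
    """Rank instructions by call count, most frequent first.

    `hits` is the flat list of breakpoint hits logged during one operation.
    Assumption of this sketch: instructions sharing a call count are replaced
    by None so their rank position is kept but never mapped.
    """
    counts = Counter(hits)
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    times_seen = Counter(counts.values())
    return [ins if times_seen[n] == 1 else None for ins, n in ranked]

def mapping_table(unknown_hits, known_hits):
    """Pair unknown and known instructions that occupy the same rank."""
    pairs = zip(ordering_table(unknown_hits), ordering_table(known_hits))
    return {u: k for u, k in pairs if u is not None and k is not None}

def target_instructions(first_map, second_map):
    """Keep only pairs with the same mapping relation in both tables."""
    return {u: k for u, k in first_map.items() if second_map.get(u) == k}

# Constructed breakpoint logs. Unknown instructions are identified by the
# (hypothetical) handler address the breakpoint was set on; known
# instructions by a (hypothetical) name taken from the white sample.
OP1_UNKNOWN = [0x4010] * 5 + [0x4020] * 3 + [0x4030] * 2 + [0x4040]
OP1_KNOWN = ["CALL"] * 5 + ["LOAD"] * 3 + ["ADD"] * 2 + ["RET"]
OP2_UNKNOWN = [0x4020] * 6 + [0x4010] * 4 + [0x4040] * 2 + [0x4030]
OP2_KNOWN = ["LOAD"] * 6 + ["CALL"] * 4 + ["ADD"] * 2 + ["RET"]

def match_constructed_sample():
    """Run both operations of the constructed sample through the match."""
    first = mapping_table(OP1_UNKNOWN, OP1_KNOWN)
    second = mapping_table(OP2_UNKNOWN, OP2_KNOWN)
    return target_instructions(first, second)

if __name__ == "__main__":
    for addr, name in match_constructed_sample().items():
        print(f"{addr:#x} -> {name}")
```

In the constructed sample, 0x4030 and 0x4040 swap ranks between the two operations, so their mappings disagree and neither is reported as a target instruction.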
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111502673.3A CN114168957B (en) | 2021-12-09 | 2021-12-09 | Method, apparatus, device, medium and program product for resolving malicious application program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111502673.3A CN114168957B (en) | 2021-12-09 | 2021-12-09 | Method, apparatus, device, medium and program product for resolving malicious application program |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114168957A (en) | 2022-03-11 |
CN114168957B (en) | 2025-08-12 |
Family
ID=80485219
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111502673.3A Active CN114168957B (en) | 2021-12-09 | 2021-12-09 | Method, apparatus, device, medium and program product for resolving malicious application program |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114168957B (en) |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103038777A (en) * | 2010-06-03 | 2013-04-10 | 诺基亚公司 | Method and apparatus for analyzing and detecting malicious software |
CN105431859A (en) * | 2013-07-31 | 2016-03-23 | 惠普发展公司,有限责任合伙企业 | Signal flags indicating malware |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110889115A (en) * | 2019-11-07 | 2020-03-17 | 国家计算机网络与信息安全管理中心 | Malicious push behavior detection method and device |
- 2021-12-09: CN application CN202111502673.3A, patent CN114168957B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN114168957A (en) | 2022-03-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10673889B2 (en) | Selective website vulnerability and infection testing | |
US10481964B2 (en) | Monitoring activity of software development kits using stack trace analysis | |
US9444899B2 (en) | Use of internet information services logging to collect user information in an asynchronous manner | |
US10614208B1 (en) | Management of login information affected by a data breach | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
US9665465B1 (en) | Automated determination of application permissions | |
WO2015131804A1 (en) | Call stack relationship acquiring method and apparatus | |
CN109889511B (en) | Process DNS activity monitoring method, equipment and medium | |
CN117828617A (en) | Application code vulnerability detection method and device | |
CN111460448B (en) | Method and device for detecting malware family | |
CN111046393B (en) | Vulnerability information uploading method and device, terminal equipment and storage medium | |
CN114168957B (en) | Method, apparatus, device, medium and program product for resolving malicious application program | |
CN112685255A (en) | Interface monitoring method and device, electronic equipment and storage medium | |
CN114490264B (en) | File monitoring method, device, electronic device and storage medium for application system | |
CN112733104B (en) | Account registration request processing method and device | |
CN115185798A (en) | Data acquisition and analysis method and device, electronic equipment and storage medium | |
CN113051090A (en) | Interface processing method and device, interface calling method and device, system and medium | |
CN113420302A (en) | Host vulnerability detection method and device | |
KR20210117682A (en) | Method and system for detecting malware using memory map | |
CN115421873B (en) | Dictionary construction method, dictionary-based file evaluation device and dictionary-based file evaluation equipment | |
CN115421738A (en) | Version deployment method and device, electronic equipment and storage medium | |
CN116821158A (en) | Structured query statement generation method and device, electronic equipment and storage medium | |
CN116257825A (en) | Object authority configuration method and device, electronic equipment and readable storage medium | |
CN116975852A (en) | Risk detection method, system, electronic equipment and storage medium | |
CN119249426A (en) | Vulnerability detection method, device, electronic device and readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||