
CN113590133B - Android system injection detection method, device, equipment and computer storage medium - Google Patents


Info

Publication number: CN113590133B
Authority: CN (China)
Prior art keywords: segment, target, determining, matching, file
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN202110907927.3A
Other languages: Chinese (zh)
Other versions: CN113590133A (en)
Inventor: 蒲天豪
Current assignee: China Mobile Communications Group Co Ltd; MIGU Culture Technology Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: China Mobile Communications Group Co Ltd; MIGU Culture Technology Co Ltd
Events: application filed by China Mobile Communications Group Co Ltd and MIGU Culture Technology Co Ltd; priority to CN202110907927.3A; publication of CN113590133A; application granted; publication of CN113590133B; legal status Active; anticipated expiration.

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/41 Compilation
    • G06F8/42 Syntactic analysis
    • G06F8/427 Parsing
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/903 Querying
    • G06F16/90335 Query processing
    • G06F16/90344 Query processing by using string matching techniques

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

Embodiments of the present invention relate to the field of Android technology and disclose an Android system injection detection method. The method includes: after an application is started, obtaining the binary file corresponding to the system startup process of the application in the target Android system; parsing the binary file to obtain at least one target section, where the type of the target section is the string type; querying whether the at least one target section includes a preset feature string, and determining according to the query result whether the application has been injected with a system modification framework, so as to determine whether the application is safe. In this way, the embodiments improve the accuracy of injection detection in the Android system.

Description

Android system injection detection method, device, equipment and computer storage medium
Technical Field
Embodiments of the invention relate to the technical field of Android, in particular to an Android system injection detection method, apparatus, device and computer storage medium.
Background
At present, on the Android system, in order to modify the return values of system interfaces and thereby simulate certain system functions, Xposed, a system modification framework, is injected into the Android system so that some system interfaces can be hooked. However, Xposed greatly affects the security of the Android system, so whether Xposed injection exists in the Android system needs to be detected.
In the course of implementing the invention, the inventor found that the security and accuracy of the existing methods for detecting Xposed injection in the Android system are not high.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide an Android system injection detection method, apparatus, device and computer storage medium, which address the low accuracy of the prior art.
According to one aspect of the embodiments, an Android system injection detection method is provided, which includes:
after an application is started, acquiring the binary file corresponding to the system startup process of the application in the target Android system;
parsing the binary file to obtain at least one target section, where the type of the target section is the string type;
querying whether the at least one target section includes a preset feature string, and determining according to the query result whether the application has been injected with a system modification framework, so as to determine whether the application is safe.
In an optional manner, the method is implemented in the native layer of the target Android system, the binary file comprises a plurality of optional sections, and the method further comprises:
reading the file header information included in the binary file;
determining the section header table information from the file header information;
determining the target section among the plurality of optional sections from the section header table information.
In an alternative, the method further comprises:
determining the section header offset position of each optional section from the section header table information;
determining the section header information of each optional section from its section header offset position;
determining the section type of each optional section from its section header information;
determining the optional sections whose section type is the string type as the target sections.
In an alternative, the method further comprises:
matching the feature string in the target sections and determining the number of successful matches;
determining the total number of section headers from the file header information;
comparing the number of successful matches with the total number of section headers;
when the number of successful matches is larger than the total number of section headers, determining the injection detection result as injection detected.
In an optional mode, the target section stores function description strings corresponding to a plurality of optional functions, where the optional functions are functions included in the target Android system, and the method further comprises:
matching the feature string against each of the function description strings;
incrementing the number of successful matches by one each time one of the function description strings is matched.
In an alternative, the method further comprises:
when the number of successful matches is smaller than the total number of section headers, determining a section to be matched from the target sections according to a first file pointer, where the first file pointer stores the section header offset position of the target section currently being queried;
matching the feature string against the function description strings in the section to be matched;
after the matching is completed, updating the first file pointer according to a second file pointer and the section header offset positions of all the target sections, where the second file pointer stores the section header offset positions of the target sections already queried.
In an alternative, the feature string comprises Xposed feature function strings, and the method further comprises:
matching the Xposed feature function strings against each of the function description strings;
when a function string is matched, determining the injection detection result as injection detected.
According to another aspect of the embodiments, an Android system injection detection apparatus is provided, which includes:
an acquisition module, for acquiring, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system;
a parsing module, for parsing the binary file to obtain at least one target section, where the type of the target section is the string type;
a determining module, for querying whether the at least one target section includes a preset feature string, determining according to the query result whether the application has been injected with a system modification framework, and thereby determining whether the application is safe.
According to another aspect of the embodiments, an Android system injection detection device is provided, which includes:
a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory stores at least one executable instruction, and the executable instruction causes the processor to perform the operations of the Android system injection detection method.
According to yet another aspect of the embodiments, a computer-readable storage medium is provided, in which at least one executable instruction is stored for causing a device to perform the operations of the Android system injection detection method described above.
According to the method and apparatus, after the application is started, the binary file corresponding to the system startup process of the application in the target Android system is obtained; the binary file is parsed and at least one string-type section in it is read out as a target section; whether the at least one target section includes the preset feature string is then queried; and whether the application has been injected with a system modification framework, and hence whether the application is safe, is determined from the query result.
Therefore, compared with the scheme of using a detection function to check whether the current Java environment has loaded the Xposed class library, where the accuracy and security of injection detection are lower because the detection function itself can be hooked by the Xposed framework, detecting injection traces at the level of the binary file, which is not easy to modify or forge, improves the accuracy and security of Android system injection detection.
The foregoing is only an overview of the technical solutions of the embodiments; the detailed description below sets them out more specifically so that the technical details can be understood more clearly and the solutions implemented according to the specification.
Drawings
The drawings are only for illustrating embodiments and are not to be construed as limiting the invention. Like reference numerals designate like parts throughout the figures. In the drawings:
Fig. 1 shows a flowchart of an Android system injection detection method according to an embodiment of the present invention;
Fig. 2(a) is a schematic diagram of the system before Xposed is injected, for the Android system injection detection method according to the embodiment;
Fig. 2(b) is a schematic diagram of the system after Xposed is injected, for the same method;
Fig. 3 is a schematic structural diagram of an Android system injection detection method according to another embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an Android system injection detection apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an Android system injection detection device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein.
Before describing the Android system injection detection method of the embodiments, the related terms are explained:
Xposed: a dynamic hijacking (hooking) project for the Android platform developed by rovo89; a framework service that can influence program behaviour without modifying the APK. Xposed takes control of the Zygote process by replacing the /system/bin/app_process program, so that app_process loads the XposedBridge.jar package.
app_process: an important compiled executable in the target Android system. It is responsible for starting the Android core process Zygote and system_server during boot, and can also be used to run executable Java programs.
ELF (Executable and Linkable Format): part of the Unix/Linux ABI (Application Binary Interface) specification. Executable binaries, object code files, shared libraries and core dump files under Unix/Linux are all ELF files. From the assembler and linker perspective, an ELF file is a collection of sections described by the Section Header Table. The first few tens of bytes of an ELF file are the ELF header.
ELF header: the first few tens of bytes of an ELF file. It records basic information such as the architecture and operating system the file targets, including the position of the Section Header Table in the file and the size and number of its entries.
Section: a component unit of the contents of an object code file. The information in sections is used by the linker to relocate code, and the linker organizes the sections of the object code into the segments of the executable file. In an ELF file, every section has exactly one section header describing it, but a section header does not necessarily have a corresponding section body in the file, because some sections occupy no space in the file.
Section Header Table: describes each section, such as its name, length, offset in the file, read/write permissions and other attributes. Structurally it is an array whose elements are Elf32_Shdr structures (section descriptors).
String sections: an ELF file uses many strings, such as the names of the functions and global variables defined and referenced in the program, and information related to those symbols. Strings are stored in the ELF file in the form of sections, and the common section names are ".strtab" and ".shstrtab". These are the String Table and the Section Header String Table respectively: the string table holds ordinary strings, and the section header string table holds the strings used in the section header table, such as section names.
Native layer: the local service layer, mainly used to implement local services and hold linked libraries. It is implemented in C and C++; its code runs more efficiently and is harder to reverse and debug than the Java layer. The native layer communicates with the Java layer through the JNI mechanism.
JNI (Java Native Interface): gives Java the ability to call C and C++ code. Java can thus remain cross-platform while interacting with dynamic libraries written in other languages (such as C and C++), giving those languages an opportunity to play to their strengths.
Fig. 1 shows a flowchart of an Android system injection detection method according to an embodiment of the present invention, where the method is executed by a computer processing device such as a mobile phone or a notebook computer. As shown in Fig. 1, the method comprises the following steps:
Step 101: after the application is started, acquiring the binary file corresponding to the system startup process of the application in the target Android system.
In one embodiment, the application refers to an application program in the target Android system, and the system startup process refers to the app_process process, that is, the Zygote process, of the Android system.
The binary file refers to a file in ELF format in the target Android system.
The Zygote process is the core process through which the Android system creates new processes. It starts the Dalvik virtual machine, loads the necessary system resources and system classes, starts the system_server process, and then waits to handle application requests.
In still another embodiment, to improve the system security of the target Android system, step 101 and the subsequent steps may be performed as soon as the start of the application is detected, so that injection detection is completed in time and a corresponding system protection operation can be performed according to the detection result.
Step 102: parsing the binary file to obtain at least one target section, where the type of the target section is the string type.
The ELF file includes a plurality of optional sections, namely the sections of the ELF file. In one embodiment, the string type refers to a section type (sh_type) of STRTAB or a section name containing strtab.
In one embodiment, the injection process of the Xposed framework is shown in Fig. 2: the Zygote process before injection is shown in Fig. 2(a) and the Zygote process after injection in Fig. 2(b). The normal startup of a non-injected Android system generally includes starting the Linux system, starting the Init process, and starting the Zygote process through the service /system/bin/app_process, where starting the Zygote process generally includes starting the virtual machine, configuring the Java environment, loading the default jar packages, and finally calling the Java main function (ZygoteInit.main()) to complete the start of the Zygote process.
After Xposed has been injected into the Android system, the Linux system and the Init process still start as before, but the startup of the Zygote process changes: the service /system/bin/app_process now starts the injected Zygote process, which, in addition to the normal startup steps, adds the Xposed-related jar packages such as XposedBridge.jar to the CLASSPATH and finally calls the bridging main function XposedBridge.main(), so that the injected Zygote process is started.
Calling XposedBridge.main() comprises Zygote process initialization, loading the Xposed hook modules, calling the original function, and calling ZygoteInit.main() (the original main), which completes the injection of Xposed into the Zygote process.
That is, if Xposed is to hook anything, it is injected into the Android system, and this first requires replacing the keystone process app_process of the target Android system. Since the replacement app_process' is not identical to the app_process that Android originally ships, replacing the original app_process of the target Android system with app_process' leaves Xposed's injection trace on app_process' in the underlying Linux system of the target Android system, that is, at the binary level.
The injection trace of Xposed includes Xposed-related function string identifiers present in the ELF file, so whether injection exists can be determined by reading the ELF file and checking whether such identifiers are present.
In addition, since string-type data in an ELF file is stored in string-type sections, and searching for Xposed-related function string identifiers in sections of other types is meaningless, the string-type sections are determined from the binary file as the target sections in order to improve the efficiency of injection detection.
Considering that the injection detection methods of the prior art are implemented in the Java layer of the Android system, where data is not very secure and is easy to reverse and debug, which affects the accuracy of injection detection, and that Xposed for the time being has no ability to hook the low-level API of the system, in a further embodiment the method is implemented in the native layer of the target Android system. The code for the detection process of steps 102 and 103 is placed in the native layer of the target Android system, the detection function interface of the Linux system is called to perform the detection, and after detection the result is passed directly from the native layer to the Java layer through the JNI interface, which improves the security and accuracy of injection detection.
In yet another embodiment, step 102 further includes at least:
Step 1021: reading the file header information included in the binary file.
The file header information is the ELF header information of the ELF file. In one embodiment, the readelf -h command can be used to read the ELF header information of the binary file.
Step 1022: determining the section header table information from the file header information.
In one embodiment, the section header table is located according to the section header table offset recorded in the ELF header information.
Step 1023: determining the target section among the plurality of optional sections from the section header table information.
The section type information of each optional section in the ELF file is determined from the section header table information, the sections are filtered by type, and the optional sections whose type is the string type are determined as the target sections.
In yet another embodiment, step 1023 further comprises:
Step 231: determining the section header offset position of each optional section from the section header table information.
The section header offset position gives the starting position of each section's header, so that the header of each section can be located.
Step 232: determining the section header information of each optional section from its section header offset position.
Step 233: determining the section type of each optional section from its section header information.
In one embodiment, the section type is determined by reading the value of the sh_type field in the section header information of each optional section.
In still another embodiment, the section type may also be determined by reading the section name from the section header information of each optional section and looking the name up in a preset name table. When the section name includes strtab, the section type is the string type.
Step 234: determining the optional sections whose section type is the string type as the target sections.
In still another embodiment, when no string-type section is found in the ELF file, a prompt such as "the current detection is abnormal, please check whether the system is loaded normally" may be returned.
Step 103: querying whether the at least one target section includes a preset feature string, and determining according to the query result whether the application has been injected with a system modification framework, so as to determine whether the application is safe.
In one embodiment, the feature string characterizes Xposed-related functions, that is, function-related strings that exist only in a system where Xposed is present, such as function identifiers and function description strings. Since function-related strings are stored in the target sections according to their data type, in one embodiment step 103 further includes:
Step 1031: matching the feature string in the target sections and determining the number of successful matches.
When the feature string exists in a target section, that target section is determined to have matched successfully.
In still another embodiment, the target section stores function description strings corresponding to a plurality of optional functions, where the optional functions are functions included in the target Android system, and step 1031 further includes:
Step 311: matching the feature string against each of the function description strings.
To improve the accuracy of injection detection, the feature string is matched against all the target sections until all of them have been traversed.
It should be noted that, in still another embodiment, to increase the speed of injection detection, all the target sections need not be traversed: as soon as there is one match, injection is determined to exist.
In yet another embodiment, the feature string comprises Xposed feature function strings. Injection detection for the Android system may then also include:
Step 312: matching the Xposed feature function strings against each of the function description strings.
Step 313: when a function string is matched, determining the injection detection result as injection detected.
In yet another embodiment, step 311 further comprises:
Step 3111: when the number of successful matches is smaller than the total number of section headers, determining a section to be matched from the target sections according to a first file pointer, where the first file pointer stores the section header offset position of the target section currently being queried.
In one embodiment, when the number of successful matches is less than the total number of section headers, matching continues with the next unmatched target section by moving the first file pointer.
Step 3112: matching the feature string against the function description strings in the section to be matched.
In one embodiment, when the section to be matched includes the feature string, the two are considered matched.
Step 3113: after matching is completed, updating the first file pointer according to a second file pointer and the section header offset positions of all the target sections, where the second file pointer stores the section header offset positions of the target sections already queried.
In one embodiment, updating the first file pointer may consist of determining the section header offset positions of the not-yet-matched target sections from the offsets of all the target sections and the second file pointer, and then setting the first file pointer to one of those unmatched offsets, chosen either freely or in increasing order of offset.
In still another embodiment, the feature strings may be read and matched in each target section in turn, in the order of the section header offset positions of the target sections.
Step 314: incrementing the number of successful matches by one each time one of the function description strings is matched.
Step 1032: determining the total number of section headers from the file header information.
In one embodiment, the number of section headers recorded in the ELF header is taken as the total number of section headers.
Step 1033: comparing the number of successful matches with the total number of section headers.
Step 1034: when the number of successful matches is larger than the total number of section headers, determining the injection detection result as injection detected.
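As an added example (not code from the patent or from Google Patents), the following C program carries out steps 1021 to 1033 on an in-memory ELF64 image: it reads the ELF header, checks that the section header table fits inside the file, walks the section headers, keeps the sections whose sh_type is STRTAB as target sections, and counts the string-table entries that contain a feature string. The structures follow the glossary above (ELF header, section header table, .strtab and .shstrtab). The image, the feature strings (XposedBridge, xposed_hook) and the symbol names inside it are constructed for the example; a real scan would read /system/bin/app_process instead. The verdict function implements the fast variant from the description (one match is enough); the threshold comparison of step 1034 is a one-line change noted in the code. The bounds checks are the part a defender should not skip: the binary under inspection is precisely the file an injected system has already rewritten.

```c
#include <stdint.h>
#include <string.h>
/* Minimal ELF64 header layouts, field for field as in <elf.h> (both 64 bytes), local so no system header is needed. */
typedef struct { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
                 uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
                 uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Ehdr64;
typedef struct { uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
                 uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize; } Shdr64;
#define SHT_STRTAB 3u                       /* sh_type of a string table section */
/* Step 1032 total, number of string-type sections (steps 231-234), step 314 match count. */
typedef struct { int total_sections, strtab_sections, matches; } ScanResult;
/* Feature strings: constructed for this example, not the patent's own list. */
static const char *const FEATS[] = { "XposedBridge", "xposed_hook" };
enum { NFEATS = 2 };

/* Bounded substring search: entries are not trusted to end in NUL before the section does. */
static int bounded_contains(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; m && i + m <= n; i++) if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Steps 311/314: count string table entries containing any feature string; out-of-file sections count nothing. */
static int scan_strtab(const uint8_t *img, size_t len, const Shdr64 *sh)
{
    if (sh->sh_offset > len || sh->sh_size > len - sh->sh_offset) return 0;
    const char *p = (const char *)img + sh->sh_offset, *end = p + sh->sh_size;
    int hits = 0;
    while (p < end) {
        size_t n = 0; while (p + n < end && p[n]) n++;        /* entry length within the section */
        for (size_t i = 0; i < NFEATS; i++)
            if (bounded_contains(p, n, FEATS[i])) { hits++; break; }
        p += n + 1;
    }
    return hits;
}

/* Steps 1021-1033 over an in-memory image: 0 on success, -1 when the header or the section
 * header table does not fit the file (a malformed binary is reported, never trusted). */
int scan_elf_for_features(const uint8_t *img, size_t len, ScanResult *out)
{
    Ehdr64 eh; if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);                                                   /* step 1021 */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2) return -1; /* ELF64 only */
    if (eh.e_shentsize != sizeof(Shdr64) || eh.e_shnum == 0) return -1;
    if (eh.e_shoff > len || (size_t)eh.e_shnum * sizeof(Shdr64) > len - eh.e_shoff) return -1; /* 1022 */
    out->total_sections = eh.e_shnum;                                              /* step 1032 */
    out->strtab_sections = out->matches = 0;
    for (uint16_t i = 0; i < eh.e_shnum; i++) {                                    /* steps 231-234 */
        Shdr64 sh; memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof sh, sizeof sh);
        if (sh.sh_type != SHT_STRTAB) continue;               /* only string sections are targets */
        out->strtab_sections++;
        out->matches += scan_strtab(img, len, &sh);
    }
    return 0;
}

/* Fast variant from the description (one match is enough); step 1034 would compare matches with total_sections. */
int injection_detected(const ScanResult *r) { return r->matches > 0; }

/* Constructed ELF64 image (not a real app_process): null, .shstrtab, .strtab and .text sections;
 * the injected variant's .strtab carries two Xposed-style names. Returns the image length. */
size_t build_image(uint8_t *buf, size_t cap, int injected)
{
    static const char shstr[] = "\0.shstrtab\0.strtab\0.text";
    static const char clean[] = "\0main\0ZygoteInit_main\0android_log_print";
    static const char bad[]   = "\0main\0ZygoteInit_main\0XposedBridge_main\0xposed_hook_entry";
    static const uint8_t text[4] = { 0xc3, 0x90, 0x90, 0x90 };
    const char *st = injected ? bad : clean; size_t stlen = injected ? sizeof bad : sizeof clean;
    size_t off_shstr = sizeof(Ehdr64), off_str = off_shstr + sizeof shstr, off_text = off_str + stlen;
    size_t off_sh = (off_text + sizeof text + 7) & ~(size_t)7, total = off_sh + 4 * sizeof(Shdr64);
    if (total > cap) return 0;
    Ehdr64 eh = { .e_ident = { 0x7f, 'E', 'L', 'F', 2, 1, 1 },     /* ELFCLASS64, little-endian, v1 */
                  .e_type = 2, .e_machine = 183, .e_version = 1,     /* ET_EXEC, AArch64 */
                  .e_ehsize = sizeof(Ehdr64), .e_shentsize = sizeof(Shdr64),
                  .e_shoff = off_sh, .e_shnum = 4, .e_shstrndx = 1 };
    Shdr64 sh[4] = { { 0 },                                           /* index 0: SHT_NULL */
                     { 1, SHT_STRTAB, 0, 0, off_shstr, sizeof shstr }, /* .shstrtab */
                     { 11, SHT_STRTAB, 0, 0, off_str, stlen },         /* .strtab */
                     { 19, 1, 0, 0, off_text, sizeof text } };         /* .text, SHT_PROGBITS */
    memset(buf, 0, total);
    memcpy(buf, &eh, sizeof eh);                  memcpy(buf + off_sh, sh, sizeof sh);
    memcpy(buf + off_shstr, shstr, sizeof shstr); memcpy(buf + off_str, st, stlen);
    memcpy(buf + off_text, text, sizeof text);
    return total;
}

/* Build one image, optionally truncated to simulate a damaged file, and scan it. */
int scan_built_image(int injected, size_t truncate_to, ScanResult *r)
{
    uint8_t img[512];
    size_t n = build_image(img, sizeof img, injected);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return scan_elf_for_features(img, n, r);
}
```

Calling scan_built_image(1, 0, &r) scans the injected image and yields 4 section headers, 2 string sections and 2 matches; the clean image yields 0 matches; truncating the injected image to 100 bytes makes the section header table fall outside the file and the scan returns -1, which corresponds to the "detection abnormal" prompt of the description rather than to a clean result. Reading the section type from sh_type, as in step 233, is preferred over the name lookup of the alternative embodiment because section names live in .shstrtab and can be edited without changing the section's contents.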
In still another embodiment of the present invention, as shown in fig. 3, the injection detection method from step 101 to step 103 may be further packaged into a detection entry function of a native layer, where a flag value is set in the native layer, where the flag value is used to store a detection result, and the detection entry function may be called by a java layer of the target android system through a jni interface, and when called, the flag value is directly returned to the java layer, so that specific code logic of injection detection is hidden in the native layer with higher security, thereby improving efficiency and security of injection detection.
According to the Android system injection detection method, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system is acquired, the binary file is parsed, at least one string-type section of the binary file is read out as a target section, the target section is then searched for a preset feature string, and the injection detection result for the target Android system is determined from the search result.
Compared with the approach of checking, via a detection function, whether the current Java environment has loaded the Xposed-related class library, which has low accuracy and security because the detection function itself can be hooked by the Xposed framework, looking for injection traces at the level of the binary file, which is harder to modify and forge, improves the accuracy and security of injection detection for the Android system.
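The steps above (read the ELF header, locate the section header table, pick the string-type sections, match the feature strings entry by entry, count hits, compare with the section header count) are restated below for the device, the equipment, the storage medium and claims 1 to 5. The following is an added example written for this page, not the patent's own implementation: a native-layer scan of an in-memory ELF64 image of the kind a JNI entry function would run. It assumes a little-endian ELF64 binary (the 64-bit Android startup executable; a 32-bit image would need the ELF32 layouts), and it replaces the two-file-pointer bookkeeping of the text with a plain loop over the section header table. `SAMPLE_FEATURES`, `scan_elf_for_features`, `xposed_detected` and `build_sample_elf` are names chosen here; the feature strings are placeholders because the patent does not list its Xposed strings, and the sample binary is constructed inline so the example runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the ELF64 header layouts (same field order and sizes as <elf.h>),
 * so the file builds on any host without Android or glibc headers. */
#define EI_NIDENT 16
#define SHT_STRTAB 3           /* section type of .dynstr, .strtab and .shstrtab */

typedef struct {
    unsigned char e_ident[EI_NIDENT];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ElfHdr;                      /* 64 bytes, no padding */

typedef struct {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
} SecHdr;                      /* 64 bytes, no padding */

typedef struct {
    int valid;                 /* 0 if the image is not a well-formed little-endian ELF64 */
    unsigned sh_total;         /* e_shnum: the "total number of section headers" of step 1032 */
    unsigned strtab_sections;  /* SHT_STRTAB sections scanned (the "target segments") */
    unsigned hits;             /* the "number of successful matches" */
} ScanResult;

/* Hypothetical feature strings (assumption): the patent does not list its Xposed strings;
 * a deployment would take them from the symbol names of the Xposed binaries it fingerprints. */
const char *const SAMPLE_FEATURES[] = { "xposed_hook_method_native", "xposed_is_hooked" };

/* Length of the NUL-terminated string at s, never reading beyond max bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Steps 101-103 in one pass: validate the ELF header, walk the section header table,
 * and in every string-table section compare each entry with the feature list.
 * Every offset is bounds-checked against len before it is dereferenced. */
ScanResult scan_elf_for_features(const uint8_t *img, size_t len,
                                 const char *const *features, size_t nfeat) {
    ScanResult r = {0, 0, 0, 0};
    ElfHdr eh;
    if (len < sizeof eh) return r;
    memcpy(&eh, img, sizeof eh);                          /* memcpy: img need not be aligned */
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return r;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return r; /* ELFCLASS64, little-endian only */
    if (eh.e_shentsize != sizeof(SecHdr)) return r;
    if (eh.e_shoff > len || (uint64_t)eh.e_shnum * sizeof(SecHdr) > len - eh.e_shoff) return r;
    r.valid = 1;
    r.sh_total = eh.e_shnum;
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        SecHdr sh;
        memcpy(&sh, img + eh.e_shoff + (size_t)i * sizeof(SecHdr), sizeof sh);
        if (sh.sh_type != SHT_STRTAB) continue;                   /* not a string-type section */
        if (sh.sh_offset > len || sh.sh_size > len - sh.sh_offset) continue; /* truncated: skip */
        r.strtab_sections++;
        const char *base = (const char *)img + sh.sh_offset;
        for (size_t pos = 0; pos < sh.sh_size; ) {
            size_t n = bounded_len(base + pos, sh.sh_size - pos);
            for (size_t f = 0; f < nfeat; f++)
                if (n == strlen(features[f]) && memcmp(base + pos, features[f], n) == 0) { r.hits++; break; }
            pos += n + 1;
        }
    }
    return r;
}

/* Claim 5's rule: any matched Xposed feature function string means injection. Step 1034's
 * count-versus-section-header rule can be applied by the caller from r->hits and r->sh_total. */
int xposed_detected(const ScanResult *r) { return r->valid && r->hits > 0; }

static size_t put_str(uint8_t *dst, size_t off, const char *s) {
    size_t n = strlen(s) + 1;
    memcpy(dst + off, s, n);
    return off + n;
}

static void put_shdr(uint8_t *dst, size_t off, uint32_t name, uint32_t type, uint64_t offset, uint64_t size) {
    SecHdr sh = {0};
    sh.sh_name = name; sh.sh_type = type; sh.sh_offset = offset; sh.sh_size = size; sh.sh_addralign = 1;
    memcpy(dst + off, &sh, sizeof sh);
}

/* Constructed test input: a minimal ELF64 with a null section, .shstrtab and a .dynstr-like
 * table holding the given names, standing in for the startup binary. cap must be large enough. */
size_t build_sample_elf(uint8_t *img, size_t cap, const char *const *names, size_t nnames) {
    memset(img, 0, cap);
    size_t shstr_off = sizeof(ElfHdr), p = put_str(img, shstr_off, "");   /* index 0 is the empty name */
    uint32_t n_shstrtab = (uint32_t)(p - shstr_off); p = put_str(img, p, ".shstrtab");
    uint32_t n_dynstr   = (uint32_t)(p - shstr_off); p = put_str(img, p, ".dynstr");
    size_t shstr_size = p - shstr_off, dynstr_off = p;
    p = put_str(img, p, "");
    for (size_t i = 0; i < nnames; i++) p = put_str(img, p, names[i]);
    size_t dynstr_size = p - dynstr_off, shoff = (p + 7) & ~(size_t)7;
    ElfHdr eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;      /* 64-bit, little-endian, version 1 */
    eh.e_type = 2; eh.e_machine = 0xB7; eh.e_version = 1;           /* ET_EXEC, AArch64 */
    eh.e_ehsize = sizeof(ElfHdr); eh.e_shoff = shoff; eh.e_shentsize = sizeof(SecHdr);
    eh.e_shnum = 3; eh.e_shstrndx = 1;
    memcpy(img, &eh, sizeof eh);
    put_shdr(img, shoff, 0, 0, 0, 0);
    put_shdr(img, shoff + sizeof(SecHdr), n_shstrtab, SHT_STRTAB, shstr_off, shstr_size);
    put_shdr(img, shoff + 2 * sizeof(SecHdr), n_dynstr, SHT_STRTAB, dynstr_off, dynstr_size);
    return shoff + 3 * sizeof(SecHdr);
}

int main(void) {
    static uint8_t img[1024];
    const char *hooked[] = { "__libc_init", "xposed_hook_method_native", "JNI_OnLoad" };
    size_t len = build_sample_elf(img, sizeof img, hooked, 3);
    ScanResult r = scan_elf_for_features(img, len, SAMPLE_FEATURES, 2);
    printf("sections=%u strtabs=%u hits=%u detected=%d\n", r.sh_total, r.strtab_sections, r.hits, xposed_detected(&r));
    return 0;
}
```

On a device the image passed to `scan_elf_for_features` would be the startup binary read from disk (with Xposed this is typically the replaced app_process executable, an assumption not stated on the page), and the JNI entry function would return `xposed_detected` as the flag value. Two points a practitioner should keep in mind: with the constructed sample, step 1034's rule (hits greater than the section header count, here 3) would not fire on a single hit, whereas claim 5's any-hit rule does, so the two rules in the text are not equivalent; and the scan sees only what is on disk, so a framework that renames its exports, strips its string tables, or patches the process only in memory leaves no trace for it to find.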
Fig. 4 shows a schematic structural diagram of an Android system injection detection device according to an embodiment of the present invention. As shown in Fig. 4, the device 200 includes an acquisition module 201, a parsing module 202 and a determining module 203.
The acquisition module 201 is configured to acquire, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system;
the parsing module 202 is configured to parse the binary file to obtain at least one target section, the type of the target section being a string type;
the determining module 203 is configured to query whether the at least one target section contains a preset feature string and, from the query result, determine whether a system modification framework has been injected into the application and hence whether the application is safe.
In an alternative manner, the binary file includes a plurality of candidate sections, and the parsing module 202 is further configured to:
read the file header information included in the binary file;
determine the section header table information from the file header information;
determine the target section from the plurality of candidate sections according to the section header table information.
In an alternative manner, the parsing module 202 is further configured to:
determine the section header offset corresponding to each candidate section from the section header table information;
determine the section header information corresponding to each candidate section from its section header offset;
determine the section type of each candidate section from its section header information;
take the candidate sections whose section type is the string type as the target sections.
In an alternative manner, the determining module 203 is further configured to:
match the feature string in the target sections and determine the number of successful matches;
determine the total number of section headers from the file header information;
compare the number of successful matches with the total number of section headers;
when the number of successful matches is greater than the total number of section headers, determine the injection detection result to be that injection is detected.
In an alternative manner, the target section stores function description strings corresponding to a plurality of selectable functions, the selectable functions being functions included in the target Android system, and the determining module 203 is further configured to:
match the feature string against each of the function description strings;
increment the number of successful matches by one each time one of the function description strings is matched.
In an alternative manner, the determining module 203 is further configured to:
when the number of successful matches is smaller than the total number of section headers, select the section to be matched from the target sections according to a first file pointer, where the first file pointer stores the section header offset of the target section currently being queried;
match the feature string against the function description strings in the section to be matched;
after the matching completes, update the first file pointer according to a second file pointer and the section header offsets of all the target sections, where the second file pointer stores the section header offsets of the target sections already queried.
In an alternative manner, the feature strings comprise Xposed feature function strings, and the determining module 203 is further configured to:
match each of the Xposed feature function strings against the function description strings;
when any function string is matched, determine the injection detection result to be that injection is detected.
According to the Android system injection detection device, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system is acquired, the binary file is parsed, at least one string-type section of the binary file is read out as a target section, the target section is then searched for a preset feature string, and the injection detection result for the target Android system is determined from the search result.
Compared with the approach of checking, via a detection function, whether the current Java environment has loaded the Xposed-related class library, which has low accuracy and security because the detection function itself can be hooked by the Xposed framework, the Android system injection detection device provided by this embodiment improves the accuracy and security of injection detection for the Android system by looking for injection traces at the level of the binary file, which is harder to modify and forge.
Fig. 5 shows a schematic structural diagram of Android system injection detection equipment according to an embodiment of the present invention; the specific implementation of the equipment is not limited by this embodiment.
As shown in Fig. 5, the Android system injection detection equipment may include a processor 302, a communication interface 304, a memory 306 and a communication bus 308.
The processor 302, the communication interface 304 and the memory 306 communicate with one another over the communication bus 308. The communication interface 304 communicates with network elements of other devices, such as clients or other servers. The processor 302 executes the program 310 and may in particular perform the relevant steps of the Android system injection detection method embodiments above.
In particular, the program 310 may include program code comprising computer-executable instructions.
The processor 302 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors included in the Android system injection detection equipment may be processors of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs.
The memory 306 stores the program 310. It may comprise high-speed RAM and may also include non-volatile memory, such as at least one disk memory.
The program 310 may in particular be invoked by the processor 302 to cause the Android system injection detection equipment to:
after an application is started, acquire the binary file corresponding to the system startup process of the application in the target Android system;
parse the binary file to obtain at least one target section, the type of the target section being a string type;
query whether the at least one target section contains a preset feature string and, from the query result, determine whether a system modification framework has been injected into the application, so as to determine whether the application is safe.
In an alternative manner, the binary file includes a plurality of candidate sections, and the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
read the file header information included in the binary file;
determine the section header table information from the file header information;
determine the target section from the plurality of candidate sections according to the section header table information.
In an alternative manner, the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
determine the section header offset corresponding to each candidate section from the section header table information;
determine the section header information corresponding to each candidate section from its section header offset;
determine the section type of each candidate section from its section header information;
take the candidate sections whose section type is the string type as the target sections.
In an alternative manner, the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
match the feature string in the target sections and determine the number of successful matches;
determine the total number of section headers from the file header information;
compare the number of successful matches with the total number of section headers;
when the number of successful matches is greater than the total number of section headers, determine the injection detection result to be that injection is detected.
In an alternative manner, the target section stores function description strings corresponding to a plurality of selectable functions, the selectable functions being functions included in the target Android system, and the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
match the feature string against each of the function description strings;
increment the number of successful matches by one each time one of the function description strings is matched.
In an alternative manner, the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
when the number of successful matches is smaller than the total number of section headers, select the section to be matched from the target sections according to a first file pointer, where the first file pointer stores the section header offset of the target section currently being queried;
match the feature string against the function description strings in the section to be matched;
after the matching completes, update the first file pointer according to a second file pointer and the section header offsets of all the target sections, where the second file pointer stores the section header offsets of the target sections already queried.
In an alternative manner, the feature strings comprise Xposed feature function strings, and the program 310 is invoked by the processor 302 to cause the Android system injection detection equipment to:
match each of the Xposed feature function strings against the function description strings;
when any function string is matched, determine the injection detection result to be that injection is detected.
The Android system injection detection equipment acquires, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system, parses the binary file, reads out at least one string-type section of the binary file as a target section, searches the target section for a preset feature string, and determines the injection detection result for the target Android system from the search result.
Compared with the approach of checking, via a detection function, whether the current Java environment has loaded the Xposed-related class library, which has low accuracy and security because the detection function itself can be hooked by the Xposed framework, the Android system injection detection equipment provided by this embodiment improves the accuracy and security of injection detection for the Android system by looking for injection traces at the level of the binary file, which is harder to modify and forge.
An embodiment of the invention provides a computer-readable storage medium storing at least one executable instruction which, when run on Android system injection detection equipment, causes the equipment to execute the Android system injection detection method of any of the method embodiments above.
The executable instruction may in particular cause the Android system injection detection equipment to:
after an application is started, acquire the binary file corresponding to the system startup process of the application in the target Android system;
parse the binary file to obtain at least one target section, the type of the target section being a string type;
query whether the at least one target section contains a preset feature string and, from the query result, determine whether a system modification framework has been injected into the application, so as to determine whether the application is safe.
In an alternative manner, the binary file comprises a plurality of candidate sections, and the executable instruction causes the Android system injection detection equipment to:
read the file header information included in the binary file;
determine the section header table information from the file header information;
determine the target section from the plurality of candidate sections according to the section header table information.
In an alternative manner, the executable instruction causes the Android system injection detection equipment to:
determine the section header offset corresponding to each candidate section from the section header table information;
determine the section header information corresponding to each candidate section from its section header offset;
determine the section type of each candidate section from its section header information;
take the candidate sections whose section type is the string type as the target sections.
In an alternative manner, the executable instruction causes the Android system injection detection equipment to:
match the feature string in the target sections and determine the number of successful matches;
determine the total number of section headers from the file header information;
compare the number of successful matches with the total number of section headers;
when the number of successful matches is greater than the total number of section headers, determine the injection detection result to be that injection is detected.
In an alternative manner, the target section stores function description strings corresponding to a plurality of selectable functions, the selectable functions being functions included in the target Android system, and the executable instruction causes the Android system injection detection equipment to:
match the feature string against each of the function description strings;
increment the number of successful matches by one each time one of the function description strings is matched.
In an alternative manner, the executable instruction causes the Android system injection detection equipment to:
when the number of successful matches is smaller than the total number of section headers, select the section to be matched from the target sections according to a first file pointer, where the first file pointer stores the section header offset of the target section currently being queried;
match the feature string against the function description strings in the section to be matched;
after the matching completes, update the first file pointer according to a second file pointer and the section header offsets of all the target sections, where the second file pointer stores the section header offsets of the target sections already queried.
In an alternative manner, the feature strings comprise Xposed feature function strings, and the executable instruction causes the Android system injection detection equipment to:
match each of the Xposed feature function strings against the function description strings;
when any function string is matched, determine the injection detection result to be that injection is detected.
The computer-readable storage medium of this embodiment acquires, after an application is started, the binary file corresponding to the system startup process of the application in the target Android system, parses the binary file, reads out at least one string-type section of the binary file as a target section, searches the target section for a preset feature string, and determines the injection detection result for the target Android system from the search result.
Compared with the approach of checking, via a detection function, whether the current Java environment has loaded the Xposed-related class library, which has low accuracy and security because the detection function itself can be hooked by the Xposed framework, the computer-readable storage medium of this embodiment improves the accuracy and security of injection detection for the Android system by looking for injection traces at the level of the binary file, which is harder to modify and forge.
An embodiment of the invention provides an Android system injection detection device for executing the Android system injection detection method above.
An embodiment of the invention provides a computer program which may be invoked by a processor to cause Android system injection detection equipment to execute the Android system injection detection method of any of the method embodiments above.
An embodiment of the invention provides a computer program product comprising a computer program stored on a computer-readable storage medium, the computer program including program instructions which, when executed on a computer, cause the computer to execute the Android system injection detection method of any of the method embodiments above.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual system or other apparatus. Various general-purpose systems may also be used with the teachings herein, and the structure required to construct such a system is apparent from the description above. Embodiments of the present invention are not directed to any particular programming language; the teachings described herein may be implemented in a variety of programming languages, and the description of specific languages above is given to disclose the enablement and best mode of the invention.
In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the above description of exemplary embodiments of the invention, various features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component, and they may be divided into a plurality of sub-modules or sub-units or sub-components. Any combination of all features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or units of any method or apparatus so disclosed, may be used in combination, except insofar as at least some of such features and/or processes or units are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings), may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. does not denote any order; these words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.

Claims (8)

1. An application security detection method, the method comprising:
after an application is started, acquiring a binary file corresponding to the system startup process of the application in a target Android system;
parsing the binary file to obtain at least one target section, wherein the type of the target section is a string type and the target section stores function description strings corresponding to a plurality of selectable functions, the selectable functions being functions included in the target Android system;
querying whether the at least one target section contains a preset feature string, and determining from the query result whether a system modification framework has been injected into the application, so as to determine whether the application is safe, which comprises matching the feature string against each of the function description strings and determining the number of successful matches;
wherein matching the feature string against each of the function description strings and determining the number of successful matches comprises: when the number of successful matches is smaller than the total number of section headers of the target sections, selecting a section to be matched from the target sections according to a first file pointer, the first file pointer storing the section header offset of the target section currently being queried; matching the feature string against the function description strings in the section to be matched; and, after the matching completes, updating the first file pointer according to a second file pointer and the section header offsets of all the target sections, the second file pointer storing the section header offsets of the target sections already queried;
and wherein querying whether the at least one target section contains a preset feature string and determining from the query result whether a system modification framework has been injected into the application, so as to determine whether the application is safe, further comprises: matching the feature string in the target sections and determining the number of successful matches, determining the total number of section headers from the file header information, comparing the number of successful matches with the total number of section headers, and, when the number of successful matches is greater than the total number of section headers, determining the injection detection result to be that injection is detected.
2. The method of claim 1, wherein the method is implemented in a native layer of the target Android system, the binary file comprises a plurality of candidate sections, and parsing the binary file to obtain the target section further comprises:
reading the file header information included in the binary file;
determining section header table information from the file header information;
determining the target section from the plurality of candidate sections according to the section header table information.
3. The method of claim 2, wherein determining the target section from the candidate sections according to the section header table information further comprises:
determining the section header offset corresponding to each candidate section from the section header table information;
determining the section header information corresponding to each candidate section from its section header offset;
determining the section type of each candidate section from its section header information;
taking the candidate sections whose section type is the string type as the target sections.
4. The method of claim 1, wherein matching the feature string in the target sections and determining the number of successful matches further comprises:
incrementing the number of successful matches by one each time one of the function description strings is matched.
5. The method of claim 1, wherein the feature strings comprise Xposed feature function strings, and querying whether the at least one target section contains a preset feature string and determining from the query result whether a system modification framework has been injected into the application, so as to determine whether the application is safe, further comprises:
matching each of the Xposed feature function strings against the function description strings;
when any function string is matched, determining the injection detection result to be that injection is detected.
6. An Android system injection detection device, the device comprising:
an acquisition module configured to acquire, after an application is started, a binary file corresponding to the system startup process of the application in a target Android system;
a parsing module configured to parse the binary file to obtain at least one target section, wherein the type of the target section is a string type and the target section stores function description strings corresponding to a plurality of selectable functions, the selectable functions being functions included in the target Android system;
a determining module configured to query whether the at least one target section contains a preset feature string and to determine from the query result whether a system modification framework has been injected into the application, so as to determine whether the application is safe, which comprises matching the feature string against each of the function description strings and determining the number of successful matches;
wherein matching the feature string against each of the function description strings and determining the number of successful matches comprises: when the number of successful matches is smaller than the total number of section headers of the target sections, selecting a section to be matched from the target sections according to a first file pointer, the first file pointer storing the section header offset of the target section currently being queried; matching the feature string against the function description strings in the section to be matched; and, after the matching completes, updating the first file pointer according to a second file pointer and the section header offsets of all the target sections, the second file pointer storing the section header offsets of the target sections already queried;
and wherein querying whether the at least one target section contains a preset feature string and determining from the query result whether a system modification framework has been injected into the application, so as to determine whether the application is safe, further comprises: matching the feature string in the target sections and determining the number of successful matches, determining the total number of section headers from the file header information, comparing the number of successful matches with the total number of section headers, and, when the number of successful matches is greater than the total number of section headers, determining the injection detection result to be that injection is detected.
7. Android system injection detection equipment, comprising a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is configured to store at least one executable instruction that causes the processor to perform the operations of the application security detection method of any one of claims 1 to 5.
8. A computer-readable storage medium storing at least one executable instruction which, when executed on Android system injection detection equipment, causes the equipment to perform the operations of the application security detection method of any one of claims 1 to 5.
CN202110907927.3A 2021-08-09 2021-08-09 Android system injection detection method, device, equipment and computer storage medium Active CN113590133B (en)

Priority application (1): CN202110907927.3A, priority date 2021-08-09, filing date 2021-08-09, "Android system injection detection method, device, equipment and computer storage medium"

Publications (2)
Publication number   Publication date
CN113590133A         2021-11-02
CN113590133B         2024-12-13

Family ID: 78256355
Family applications (1): CN202110907927.3A (Active), CN113590133B, priority and filing date 2021-08-09
Country status: CN, CN113590133B

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113901483A (en) * 2021-11-09 2022-01-07 广州博冠信息科技有限公司 Application detection method and device, computer storage medium and electronic equipment
CN114519043B (en) * 2021-12-31 2024-05-24 北京握奇数据股份有限公司 Executable binary file format reverse analysis method
CN115809465B (en) * 2022-12-29 2025-07-25 杭州默安科技有限公司 Implementation method and system of android IAST

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101751273A (en) * 2008-12-15 2010-06-23 中国科学院声学研究所 Safety guide device and method for embedded system

Family Cites Families (5)

Publication number Priority date Publication date Assignee Title
US9317710B2 (en) * 2013-12-27 2016-04-19 Xerox Corporation System and method for specification and enforcement of a privacy policy in online services
US10262081B2 (en) * 2014-08-29 2019-04-16 Alvin Roy Reed Method and apparatus for improved database searching
CN106909833A (en) * 2015-12-23 2017-06-30 北京奇虎科技有限公司 A kind of safety protecting method and device
CN107808096B (en) * 2017-11-23 2019-12-17 厦门安胜网络科技有限公司 method for detecting malicious codes injected during APK running, terminal equipment and storage medium
CN109814948B (en) * 2018-12-29 2022-04-22 奇安信安全技术(珠海)有限公司 Method, device and electronic device for hooking native layer functions based on xposed framework

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant