CN108874658A - A kind of sandbox analysis method, device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN108874658A
Application number: CN201711426404.7A
Priority application: CN201711426404.7A
Authority: CN (China)
Legal status: Pending
Original language: Chinese (zh)
Inventors: 李林哲, 王永亮, 孙博轩, 关墨辰, 王小丰, 肖新光
Applicant and current assignee: Beijing Ahtech Network Safe Technology Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/36 Preventing errors by testing or debugging software
    • G06F 11/3604 Software analysis for verifying properties of programs
    • G06F 11/3612 Software analysis for verifying properties of programs by runtime analysis
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The embodiments of the present invention disclose a sandbox analysis method, apparatus, electronic device and storage medium in the field of information security technology, which can greatly reduce the probability that a sample escapes detection and effectively improve sandbox detection capability. The method comprises: running the program sample submitted to the sandbox and monitoring whether the execution of the program sample contains an operation that creates a scheduled task; and, where such an operation is present, triggering the created scheduled task to execute ahead of its scheduled time. The invention can be used for sandbox analysis.

Description

A kind of sandbox analysis method, device, electronic equipment and storage medium
Technical field
The present invention relates to the field of Internet technology, and in particular to a sandbox analysis method, apparatus, electronic device and storage medium.
Background art
A sandbox is an execution environment that restricts a program's behaviour according to a security policy. It can be used to test suspect software and the like, and the changes caused by the run can be discarded afterwards. Running a program in a sandbox environment makes it possible to detect whether the program has malicious behaviour and to raise an alert when such behaviour is found.
In current sandbox detection, the analysis of a program sample is bounded by a maximum duration, for example ten minutes: if the sample has not finished running after ten minutes, the sandbox system forcibly ends the analysis.
Malware commonly exploits this analysis-time limit by creating a scheduled task so that it, or certain of its key behaviours, executes only after a delay (for example ten minutes), and thereby escapes sandbox detection.
Summary of the invention
In view of this, the embodiments of the present invention provide a sandbox analysis method, apparatus, electronic device and storage medium that can greatly reduce the probability that a sample escapes detection and effectively improve sandbox detection capability.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method comprising: running the program sample submitted to the sandbox and monitoring whether the execution of the program sample contains an operation that creates a scheduled task; and, where the execution of the program sample contains an operation that creates a scheduled task, triggering the created scheduled task to execute ahead of its scheduled time.
With reference to the first aspect, in a first possible implementation of the first aspect, monitoring whether the execution of the program sample contains an operation that creates a scheduled task comprises: monitoring the program sample's calls to preset API (Application Programming Interface) functions and/or preset system commands; and determining, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, monitoring the program sample's calls to preset API functions and/or preset system commands comprises: monitoring the program sample's calls to a preset API function through a monitoring function registered on that API function; and determining, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task comprises: determining that such an operation is present when the monitoring function is called.
With reference to the first possible implementation of the first aspect, in a third possible implementation of the first aspect, monitoring the program sample's calls to preset API functions and/or preset system commands comprises: monitoring the program sample's calls to a preset system command by monitoring the processes the sample derives (spawns); and determining, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task comprises: determining that such an operation is present when a derived process carries a command that creates a scheduled task.
With reference to the first aspect, in a fourth possible implementation of the first aspect, triggering the created scheduled task to execute early, where the execution of the program sample contains an operation that creates a scheduled task, comprises one of: directly calling the API function that implements the scheduled task; modifying the timing parameters of the scheduled task; sending a simulated trigger signal to the scheduled task; or modifying the system time; in each case so that the scheduled task executes ahead of its scheduled time.
In a second aspect, an embodiment of the present invention also provides a sandbox analysis apparatus comprising: a monitoring unit, which runs the program sample submitted to the sandbox and monitors whether the execution of the program sample contains an operation that creates a scheduled task; and a trigger unit, which triggers the created scheduled task to execute early when the monitoring unit detects that the execution of the program sample contains an operation that creates a scheduled task.
With reference to the second aspect, in a first possible implementation of the second aspect, the monitoring unit comprises: a monitoring module for monitoring the program sample's calls to preset API functions and/or preset system commands; and a determining module for determining, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the monitoring module is specifically configured to monitor the program sample's calls to a preset API function through a monitoring function registered on that API function; and the determining module is specifically configured to determine that the execution of the program sample contains an operation that creates a scheduled task when the monitoring function is called.
With reference to the first possible implementation of the second aspect, in a third possible implementation of the second aspect, the monitoring module is specifically configured to monitor the program sample's calls to a preset system command by monitoring the processes derived from the sample; and the determining module is specifically configured to determine that the execution of the program sample contains an operation that creates a scheduled task when a derived process carries a command that creates a scheduled task.
With reference to the second aspect, in a fourth possible implementation of the second aspect, the trigger unit is specifically configured, where the execution of the program sample is determined to contain an operation that creates a scheduled task, to directly call the API function that implements the scheduled task, to modify the timing parameters of the scheduled task, to send a simulated trigger signal to the scheduled task, or to modify the system time, in each case so that the scheduled task executes ahead of its scheduled time.
In a third aspect, an embodiment of the present invention also provides an electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing and the processor and the memory are mounted on the circuit board; the power supply circuit supplies power to each circuit or component of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to perform the sandbox analysis method provided by any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the sandbox analysis method provided by any embodiment of the present invention.
The sandbox analysis method, apparatus, electronic device and storage medium provided by the embodiments of the present invention can detect whether a program sample running in the sandbox performs an operation that creates a scheduled task and, if so, trigger the created scheduled task to execute early, which greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of a sandbox analysis method provided by an embodiment of the present invention;
Fig. 2 is another flow chart of a sandbox analysis method provided by an embodiment of the present invention;
Fig. 3 is a structural diagram of a sandbox analysis apparatus provided by an embodiment of the present invention;
Fig. 4 is a structural diagram of an electronic device provided by an embodiment of the present invention.
Detailed description of the embodiments
The embodiments of the present invention are described in detail below with reference to the drawings.
It will be appreciated that the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In a first aspect, an embodiment of the present invention provides a sandbox analysis method that can effectively detect program samples that escape sandbox analysis by creating scheduled tasks, thereby greatly reducing the probability that a sample escapes detection and effectively improving sandbox detection capability.
Fig. 1 is a flow chart of a sandbox analysis method provided by an embodiment of the present invention. As shown in Fig. 1, the method may comprise:
S11: run the program sample submitted to the sandbox and monitor whether the execution of the program sample contains an operation that creates a scheduled task;
During sandbox analysis, some analysed samples create a scheduled task while running: they add themselves, or an executable they derive, to a scheduled task so that the malicious behaviour is delayed, thereby escaping sandbox analysis (because the sandbox's analysis time is limited).
Because the created scheduled task may specify that certain malicious programs start only at some future time point or only after a preset duration, the key to preventing a program sample from escaping sandbox detection is to monitor whether the execution of the program sample contains an operation that creates a scheduled task.
S12: where the execution of the program sample contains an operation that creates a scheduled task, trigger the created scheduled task to execute early.
In this step, if the execution of the program sample contains an operation that creates a scheduled task, the scheduled task can be triggered to execute early so that it is examined within the sandbox's analysis time limit.
The sandbox analysis method provided by the embodiment of the present invention can detect whether a program sample running in the sandbox performs an operation that creates a scheduled task and, if so, trigger the created scheduled task to execute early, which greatly reduces the probability that a sample escapes detection and effectively improves sandbox detection capability.
Optionally, in step S11, monitoring whether the execution of the program sample contains an operation that creates a scheduled task may comprise:
monitoring the program sample's calls to preset API functions and/or preset system commands;
determining, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task.
Specifically, because a program sample that creates a scheduled task usually has to invoke a system command (for example through cmd) or call a specific API, in one embodiment of the present invention the operation that creates the scheduled task can be discovered by monitoring the specific API or system command.
With regard to monitoring calls to a preset API function, optionally, in one embodiment of the present invention, the program sample's calls to the preset API function are monitored through a monitoring function registered on that API function; on this basis, determining from the calls monitored whether the execution of the program sample contains an operation that creates a scheduled task may comprise: determining that such an operation is present when the monitoring function is called.
Specifically, the monitoring function registered on the monitored preset API function may be a hook function: registering the hook function hooks the specific API, and when the API is called the registered hook function is triggered and executes, which indicates that scheduled-task creation behaviour has been detected; otherwise no such behaviour is found. Optionally, many API functions can be used to create a scheduled task, and they differ by operating system.
For example, under Windows a scheduled task can be created with the SetTimer() function. SetTimer is an API function in user32.dll that creates or sets a timer which executes an action at the specified interval. When the interval set on the timer exceeds the maximum sandbox analysis time, sandbox detection is escaped.
Under Linux a scheduled task can be realised with alarm() together with signal(). alarm, also called the alarm-clock function, sets a timer in the process; when the time set on the timer is reached, the SIGALRM signal is sent to the process. signal() installs the handler that receives the specified signal, so the combination of the two functions implements the logic of a scheduled task.
Optionally, under Linux a scheduled task can also be created with setitimer(). setitimer() is a Linux API rather than part of the C standard library, and its timing is more precise than that of a scheduled task built from alarm() + signal().
After hook functions have been registered on SetTimer(), on alarm() and signal(), or on setitimer(), a call to any of these APIs triggers the registered hook function, which reveals that the program sample contains an operation that creates a scheduled task.
With regard to monitoring calls to system commands, optionally, in one embodiment of the present invention, the program sample's calls to a preset system command are monitored by monitoring the processes the sample derives (spawns); correspondingly, determining from the calls monitored whether the execution of the program sample contains an operation that creates a scheduled task may comprise: determining that such an operation is present when a derived process carries a command that creates a scheduled task. That is, for the behaviour of creating a scheduled task with a system command, the sandbox monitors the processes derived while the sample runs; if one of the derived processes is a command that creates a scheduled task, the sample is considered to exhibit scheduled-task creation behaviour, otherwise no such behaviour is found.
The system commands that create scheduled tasks also differ between operating systems. For example, under Windows the program sample can be monitored for scheduled-task creation through Schtasks.exe. Schtasks.exe is the scheduled-task management program that ships with Windows; it can specify that a program runs periodically or at a given time point, add and delete scheduled tasks, and start and stop scheduled services. In other words, if a process named Schtasks.exe is found while monitoring and tracking the derived processes under Windows, scheduled-task creation behaviour is present (strictly, creation is its /create subcommand; schtasks is also used to query and delete tasks, so the command line should be checked rather than the process name alone).
Under Unix or Linux, the program sample can be monitored for scheduled-task creation through crontab. crontab is the command used on Unix and Linux systems to set up periodically executed jobs; it reads instructions from standard input (or from a file) and stores them in the user's crontab file for later reading and execution. Thus, if the sample invokes a crontab process under Linux, scheduled-task creation behaviour is present. Optionally, under Linux the judgement can also be made from whether the program sample writes to the file /etc/crontab or to files under /var/spool/cron/: a write indicates that a scheduled task was added, otherwise no scheduled-task creation behaviour is found. This is because scheduled tasks are normally stored in /var/spool/cron/* (the per-user tables written by the crontab command) or in /etc/crontab (the system-wide table).
After determining whether the execution of the program sample contains an operation that creates a scheduled task, step S12 can take appropriate measures so that, where such an operation exists, the created scheduled task is triggered to execute early.
Specifically, for a scheduled task created through an API, once the hook function has been triggered, the timing information and the callback function can be obtained from the details of the hooked API call. The timing information may be a time interval or a time point. For example, for SetTimer() under Windows the third parameter is the time interval and the fourth parameter is the callback function; for alarm() under Linux the only parameter is the time interval; and for signal() the first parameter is the signal number and the second parameter is the callback function, where only the callback obtained when the first parameter is SIGALRM is the one actually needed.
For a scheduled task created through a system command, the timing interval and the process to be run can be obtained by parsing the command's execution parameters. For example, for schtasks /create ... under Windows, the arguments following /create name the program to be run (the /tr argument) and the time at which it runs (the /sc and /st arguments); under Linux, the time point and the process to run can be parsed by reading the /etc/crontab file (or the per-user table that was written).
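The derived-process monitoring and parameter parsing described above, as an added example that is not the patent's own code: it classifies the command lines of processes a sample spawned and the files it wrote as scheduled-task creation, and pulls out the program to be run and its schedule. The event records, the task names and paths in them, and the /etc/cron.d/ drop-in directory (added beyond the two paths the description names) are assumptions made for this example.

```python
"""Added example (not the patent's code): classify events recorded while a
sample runs - the command lines of derived processes and file writes - as
scheduled-task creation and extract the program to run and its schedule.
The event records below are constructed for this example; a real sandbox
would feed it process-creation and file-write telemetry."""
import re
import shlex

# Where crontab entries live: per-user tables written by crontab(1), the
# system table, and the cron.d drop-in directory (the last is an assumption
# beyond the two paths the description names).
CRON_FILES = re.compile(r"^(/etc/crontab$|/etc/cron\.d/|/var/spool/cron/)")
SYSTEM_TABLES = re.compile(r"^(/etc/crontab$|/etc/cron\.d/)")   # carry a user column


def _basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def parse_schtasks(cmdline):
    """Parse 'schtasks /create /tn NAME /tr PROGRAM /sc SCHEDULE [/st HH:MM] ...'.
    Returns None when the command line is not a creation (/query, /delete, ...)."""
    argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(argv) < 2 or _basename(argv[0]) not in ("schtasks", "schtasks.exe"):
        return None
    if argv[1].lower() != "/create":
        return None
    opts, i = {}, 2
    while i < len(argv):
        key = argv[i].lower()
        if key in ("/tn", "/tr", "/sc", "/st", "/sd", "/mo") and i + 1 < len(argv):
            opts[key[1:]] = argv[i + 1]
            i += 2
        else:
            i += 1                      # value-less switches such as /f
    return {"source": "schtasks", "task": opts.get("tn"), "run": opts.get("tr"),
            "schedule": opts.get("sc"), "start": opts.get("st"), "modifier": opts.get("mo")}


def parse_cron_text(text, system_table=False):
    """One finding per job line; comments, blank lines and VAR=value are skipped.
    System tables have a user column between the schedule and the command."""
    n = 6 if system_table else 5
    findings = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+\s*=", s):
            continue
        if s.startswith("@"):           # @reboot, @daily, ... stand in for the 5 fields
            parts = s.split(None, n - 4)
            sched, rest = [parts[0]], parts[1:]
        else:
            parts = s.split(None, n)
            sched, rest = parts[:5], parts[5:]
        if len(rest) != n - 4:
            continue                    # malformed line, not a job
        findings.append({"source": "crontab", "schedule": " ".join(sched),
                         "user": rest[0] if system_table else None, "run": rest[-1]})
    return findings


def detect_task_creation(events):
    """events: {"type": "process", "cmdline": ..., "stdin": ...} and
    {"type": "write", "path": ..., "data": ...} records.  Returns creations found."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            name = _basename(shlex.split(ev["cmdline"], posix=False)[0])
            if name in ("schtasks", "schtasks.exe"):
                found = parse_schtasks(ev["cmdline"])
                if found:
                    findings.append(found)
            elif name == "crontab":
                # crontab installs the table it reads from stdin (or a file);
                # 'crontab -l' / 'crontab -r' install nothing and yield no findings
                findings.extend(parse_cron_text(ev.get("stdin", "")))
        elif ev["type"] == "write" and CRON_FILES.match(ev["path"]):
            findings.extend(parse_cron_text(
                ev["data"], system_table=bool(SYSTEM_TABLES.match(ev["path"]))))
    return findings


# Constructed telemetry for one sample run (not real captures).
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": 'C:\\Windows\\System32\\schtasks.exe /create /tn "Updater" '
                                   '/tr "C:\\Users\\Public\\upd.exe" /sc once /st 08:00 /f'},
    {"type": "process", "cmdline": "schtasks /query /tn Updater"},
    {"type": "process", "cmdline": "/usr/bin/crontab -",
     "stdin": "# m h dom mon dow cmd\n*/15 * * * * /tmp/.cache/x >/dev/null 2>&1\n"},
    {"type": "write", "path": "/var/spool/cron/root",
     "data": "0 8 * * * /root/.t/agent --beacon\n"},
    {"type": "write", "path": "/tmp/notes.txt", "data": "hello"},
]

if __name__ == "__main__":
    for finding in detect_task_creation(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the schedule as recorded and the program the task would start, which is what the early-trigger step needs; whether the task would fire after the analysis deadline is a separate decision that also needs the sandbox clock. The Windows command line is tokenised with posix=False so that backslashes in paths survive and quoted arguments stay whole.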
Based on the timing information, the callback function, or the process the scheduled task executes, obtained as above, in one embodiment of the present invention triggering the created scheduled task to execute early, where the execution of the program sample contains an operation that creates a scheduled task, may comprise:
where the execution of the program sample contains an operation that creates a scheduled task, directly calling the API function that implements the scheduled task so as to trigger the scheduled task to execute early. For example, once the hook function has been triggered, the timing information and the callback function are easily obtained from the details of the hooked API call; the hook function then only needs to call the corresponding callback directly to trigger the scheduled task, instead of waiting for the task's original time. Under Windows the callback can be called directly inside the hook function of the timer function; under Linux the hook function can send SIGALRM directly with kill(), so that the handler installed through signal() receives the signal at once and the callback executes.
Optionally, in another embodiment of the present invention, triggering the created scheduled task to execute early, where the execution of the program sample contains an operation that creates a scheduled task, may comprise:
where the execution of the program sample contains an operation that creates a scheduled task, modifying the timing parameters of the scheduled task so as to trigger it to execute early.
That is, for a scheduled task created through an API, the parameters of the hooked API can be modified to change the timer interval, for example to a very small value such as 1 second, after which the callback is triggered automatically after 1 second. Under Windows this can be done by changing the third parameter of SetTimer().
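The API-hook detection described under step S11 and the first two early-trigger strategies described above (calling the recorded callback directly, and shrinking the timing parameter), as an added example that is not the patent's own code. It models the hook in-process with Python's signal module on Linux/Unix, where alarm() and setitimer() have the same SIGALRM semantics the description relies on; a production sandbox would place the same logic in a native hook on the sample's API calls. The 600-second budget, the 50 ms clamp, the sample and its 900-second delay are assumptions made for this example.

```python
"""Added example (not the patent's code): an in-process model of the monitoring
functions the description registers over timer APIs, built on Python's signal
module (Linux/Unix).  The hook records the interval and the SIGALRM handler a
sample registers, then triggers the payload early either by calling the
recorded callback directly (strategy 1) or by re-arming the timer with a
clamped interval (strategy 2).  Budget, clamp and the sample are assumptions."""
import signal
import time

SANDBOX_LIMIT_SECONDS = 600   # assumed ten-minute analysis budget
CLAMPED_INTERVAL = 0.05       # what an evasive interval is shortened to


class TimerHook:
    """Replaces signal.signal / signal.alarm / signal.setitimer while active."""

    def __init__(self, clamp):
        self.clamp = clamp        # True: shorten evasive intervals (strategy 2)
        self.calls = []           # (api, argument) as the sample issued them
        self.handler = None       # SIGALRM callback the sample registered
        self.requested = None     # interval the sample asked for, in seconds
        self._real = {}

    def _hook_signal(self, signum, handler):
        if signum == signal.SIGALRM:   # only the SIGALRM handler is the payload
            self.handler = handler
        self.calls.append(("signal", signum))
        return self._real["signal"](signum, handler)

    def _hook_alarm(self, seconds):
        self.calls.append(("alarm", seconds))
        old = self._arm(float(seconds))
        return int(old[0])             # alarm() reports the previous delay as an int

    def _hook_setitimer(self, which, seconds, interval=0.0):
        self.calls.append(("setitimer", seconds))
        if which != signal.ITIMER_REAL:
            return self._real["setitimer"](which, seconds, interval)
        return self._arm(seconds)

    def _arm(self, seconds):
        self.requested = seconds
        if self.clamp and seconds > SANDBOX_LIMIT_SECONDS:
            seconds = CLAMPED_INTERVAL    # strategy 2: shrink the timing parameter
        # always arm through the real setitimer so the hooked names are not re-entered
        return self._real["setitimer"](signal.ITIMER_REAL, seconds, 0.0)

    def trigger_now(self):
        """Strategy 1: run the recorded callback without waiting for the timer."""
        if not callable(self.handler):
            raise RuntimeError("sample registered no SIGALRM handler")
        self._real["setitimer"](signal.ITIMER_REAL, 0.0, 0.0)   # disarm the real timer
        self.handler(signal.SIGALRM, None)

    def __enter__(self):
        self._real = {"signal": signal.signal, "alarm": signal.alarm,
                      "setitimer": signal.setitimer}
        signal.signal, signal.alarm, signal.setitimer = (
            self._hook_signal, self._hook_alarm, self._hook_setitimer)
        return self

    def __exit__(self, *exc):
        self._real["setitimer"](signal.ITIMER_REAL, 0.0, 0.0)
        self._real["signal"](signal.SIGALRM, signal.SIG_DFL)
        signal.signal, signal.alarm, signal.setitimer = (
            self._real["signal"], self._real["alarm"], self._real["setitimer"])
        return False


def evasive_sample(log):
    """Constructed sample: its payload is scheduled 900 s out, past the budget."""
    def payload(signum, frame):
        log.append("payload ran")
    signal.signal(signal.SIGALRM, payload)
    signal.alarm(900)


def analyse(strategy):
    """Run the sample under the hook; strategy is "direct" or "clamp".
    Returns (interval the sample requested, payload log)."""
    log = []
    with TimerHook(clamp=(strategy == "clamp")) as hook:
        evasive_sample(log)
        if strategy == "direct":
            hook.trigger_now()
        else:
            deadline = time.monotonic() + 2.0   # the clamped timer fires after 50 ms
            while not log and time.monotonic() < deadline:
                time.sleep(0.01)
    return hook.requested, log


if __name__ == "__main__":
    for name in ("direct", "clamp"):
        print(name, analyse(name))
```

Both strategies recover the payload within the analysis window while the hook still records the 900-second interval the sample asked for, which is itself a useful indicator. The direct call runs the callback on the sandbox's own stack rather than from a signal context, so in a native hook the same shortcut must respect whatever the callback assumes about its calling thread.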
Optionally, in another embodiment of the present invention, triggering the created scheduled task to execute early, where the execution of the program sample contains an operation that creates a scheduled task, may comprise:
where the execution of the program sample contains an operation that creates a scheduled task, sending a simulated trigger signal to the scheduled task so as to trigger it to execute early. That is, after the hook function has intercepted the trigger condition of the callback function, a fake trigger signal can be simulated to make the callback execute early.
Optionally, in another embodiment of the present invention, triggering the created scheduled task to execute early, where the execution of the program sample contains an operation that creates a scheduled task, may comprise: modifying the system time so as to trigger the scheduled task to execute early. That is, the execution time of the scheduled task is brought forward by modifying the sandbox's system time. For example, if the created scheduled task specifies that some task starts at 8 o'clock and it is now 5 o'clock, the task would normally not execute now; but by modifying the system time so that the system's current time is 8 o'clock, the task is triggered. Optionally, the way of modifying the system time differs by operating system: under Windows the time can be changed with the time command, and under Linux the system time can be set with the date command.
It should be noted that, of the above four methods of triggering a scheduled task early, all four apply to scheduled tasks created through an API, whereas for scheduled tasks created through a system command, modifying the system time can be used to trigger the task early.
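The system-time strategy for a command-created task, as an added example that is not the patent's own code: given a crontab schedule recovered from the sample and the sandbox's current clock, it computes when the task would next fire and, if that lies beyond the analysis budget, the time to set so the task becomes due at once, together with the date command a Linux sandbox would run (shown, not executed). Cron field semantics are the standard five-field ones; the ten-minute budget and the clock values in the usage are assumptions.

```python
"""Added example (not the patent's code): for a scheduled task recovered from
a crontab entry, compute when it would next fire and, when that lies beyond
the sandbox's analysis budget, the system time the sandbox should set so that
the task becomes due at once (the "modify the system time" strategy).
Standard 5-field cron semantics; the 10-minute budget is an assumption."""
from datetime import datetime, timedelta

SANDBOX_LIMIT = timedelta(minutes=10)   # assumed analysis budget


def _expand(field, lo, hi):
    """Set of integers in [lo, hi] matched by one cron field:
    '*', 'n', 'a-b', 'a,b', '*/s', 'a-b/s'."""
    vals = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step = part.split("/", 1)
            step = int(step)
        if part == "*":
            a, b = lo, hi
        elif "-" in part:
            a, b = (int(x) for x in part.split("-", 1))
        else:
            a = int(part)
            b = hi if step > 1 else a   # 'a/s' runs from a to the top in steps
        vals.update(range(a, b + 1, step))
    return vals


def next_cron_fire(schedule, now):
    """Earliest minute strictly after `now` matching the schedule, or None if
    nothing matches within the next 366 days."""
    f = schedule.split()
    if len(f) != 5:
        raise ValueError("expected 5 cron fields: " + schedule)
    minutes, hours = _expand(f[0], 0, 59), _expand(f[1], 0, 23)
    doms, months, dows = _expand(f[2], 1, 31), _expand(f[3], 1, 12), _expand(f[4], 0, 7)
    if 7 in dows:
        dows.add(0)                     # both 0 and 7 mean Sunday
    both_restricted = f[2] != "*" and f[4] != "*"
    start = now.replace(second=0, microsecond=0) + timedelta(minutes=1)
    day = start.replace(hour=0, minute=0)
    for _ in range(367):
        if day.month in months:
            dom_ok = day.day in doms
            dow_ok = ((day.weekday() + 1) % 7) in dows   # cron: Sunday == 0
            # cron runs the job if EITHER field matches when both are restricted
            day_ok = (dom_ok or dow_ok) if both_restricted else (dom_ok and dow_ok)
            if day_ok:
                for h in sorted(hours):
                    for m in sorted(minutes):
                        t = day.replace(hour=h, minute=m)
                        if t >= start:
                            return t
        day += timedelta(days=1)
    return None


def clock_advance_plan(schedule, now, limit=SANDBOX_LIMIT):
    """Decide whether the task fires inside the budget; if not, the clock value
    to set.  The clock is set to the scheduled minute itself, not beyond it:
    cron daemons resynchronise on large forward jumps rather than replaying
    the minutes that were skipped, so the task must be due exactly then."""
    fire = next_cron_fire(schedule, now)
    if fire is None:
        return {"fires_at": None, "within_limit": False, "set_clock_to": None}
    within = fire - now <= limit
    return {"fires_at": fire, "within_limit": within,
            "set_clock_to": None if within else fire}


def plan_for(schedule, now_iso):
    """String-only wrapper returning times as 'YYYY-MM-DD HH:MM:SS' plus the
    date(1) invocation a Linux sandbox would run (shown, not executed)."""
    p = clock_advance_plan(schedule, datetime.fromisoformat(now_iso))
    fmt = lambda t: None if t is None else t.strftime("%Y-%m-%d %H:%M:%S")
    cmd = None if p["set_clock_to"] is None else 'date -s "%s"' % fmt(p["set_clock_to"])
    return {"fires_at": fmt(p["fires_at"]), "within_limit": p["within_limit"],
            "set_clock_to": fmt(p["set_clock_to"]), "command": cmd}


if __name__ == "__main__":
    # the description's scenario: task at 8 o'clock, sandbox clock at 5 o'clock
    print(plan_for("0 8 * * *", "2024-03-05T05:00"))
    print(plan_for("*/5 * * * *", "2024-03-05T05:00"))
```

A task that already fires inside the budget is left alone, since jumping the clock would only disturb other timers in the sample. For schtasks entries the same decision applies with the /st time (and /sd date) in place of the cron fields, and the Windows time command in place of date.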
The sandbox analysis method provided by the embodiments of the present invention is described in detail below through a specific embodiment.
As shown in Fig. 2, the sandbox analysis method provided by this embodiment may comprise:
S201: monitor the program sample's calls to preset API functions and/or preset system commands;
Optionally, hook functions can be registered on preset API functions such as SetTimer() to monitor calls to those API functions, and calls to preset system commands can be monitored through the processes the program sample derives (that is, its process call relationships and child processes).
S202: determine, from the calls monitored, whether the execution of the program sample contains an operation that creates a scheduled task;
In this step, if a hook function has executed, or a derived process of the program sample is found to contain a command related to setting up a scheduled task, it is determined that the execution of the program sample contains an operation that creates a scheduled task; otherwise it is considered that no such operation exists.
S203: where the execution of the program sample contains an operation that creates a scheduled task, obtain the details of the created scheduled task;
Optionally, after the hook function has been triggered, the timing interval and the callback function are easily obtained from the details of the hooked API call.
Optionally, when the program sample is found to have created the scheduled task through a command, the timing interval and the process the task executes can be obtained by parsing the command's execution parameters.
S204: according to the obtained details of the scheduled task, directly call the API function that implements the scheduled task, modify the timing parameters of the scheduled task, send a simulated trigger signal to the scheduled task, or modify the system time, in each case so that the scheduled task is triggered to execute early.
In a second aspect, an embodiment of the present invention provides a sandbox analysis apparatus, which can effectively detect program samples that use the creation of timed tasks to escape sandbox analysis, thereby greatly reducing the probability that a sample escapes detection and effectively improving the detection capability of the sandbox.
As shown in figure 3, the sandbox analysis apparatus provided by an embodiment of the present invention may include:
A monitoring unit 31, for running the program sample input into the sandbox and monitoring whether an operation creating a timed task exists in the running of the program sample;
A trigger unit 32, for triggering the created timed task to execute in advance when the monitoring unit detects that an operation creating a timed task exists in the running of the program sample.
The sandbox analysis apparatus provided by the embodiment of the present invention is able to detect whether an operation creating a timed task exists while the program sample runs in the sandbox and, if such an operation exists, to trigger the created timed task to execute in advance, thereby greatly reducing the probability that the sample escapes detection and effectively improving the detection capability of the sandbox.
Optionally, the monitoring unit 31 may include:
A monitoring module, which may be used to monitor calls by the program sample to preset API functions and/or preset system commands;
A determining module, which may be used to determine, according to the monitored calls, whether an operation creating a timed task exists in the running of the program sample.
Optionally, the monitoring module may specifically be used to monitor calls by the program sample to the preset API function through a monitoring function registered on that preset API function;
Optionally, the determining module may specifically be used to determine that an operation creating a timed task exists in the running of the program sample when the monitoring function is called.
Optionally, the monitoring module may specifically be used to monitor calls by the program sample to the preset system command by monitoring the processes spawned by the program sample;
Optionally, the determining module may specifically be used to determine that an operation creating a timed task exists in the running of the program sample when a spawned process contains a command that creates a timed task.
Optionally, the trigger unit 32 may specifically be used, when it is determined that an operation creating a timed task exists in the running of the program sample, to directly call the API function that implements the timed task so as to trigger it to execute in advance; or to modify the timing parameters of the timed task to trigger it to execute in advance; or to send a simulated trigger signal to the timed task to trigger it to execute in advance; or to modify the system time to trigger the timed task to execute in advance.
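The four early-trigger options of step S204 and of trigger unit 32, modelled against a scheduler the sandbox controls, as an added example that is not part of the patent (which gives no code). The scheduler, its virtual system clock and the 120-second analysis budget are assumptions introduced to make the effect measurable; the sample, which defers its second stage by ten minutes, is constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class TimedTask:
    name: str
    interval: float               # seconds between firings, as requested by the sample
    callback: Callable[[], str]   # routine the scheduler runs when the task fires
    next_fire: float              # virtual time of the next firing

class SandboxScheduler:
    """Timed-task scheduler under the sandbox's control, driven by a virtual system clock."""

    def __init__(self) -> None:
        self.clock = 0.0                   # virtual system time, seconds
        self.tasks: List[TimedTask] = []
        self.observed: List[str] = []      # behaviour recorded from task callbacks

    # Sample side: stands in for the hooked task-creation API.
    def create_timed_task(self, name: str, interval: float, callback: Callable[[], str]) -> TimedTask:
        task = TimedTask(name, interval, callback, self.clock + interval)
        self.tasks.append(task)
        return task

    def _dispatch(self, task: TimedTask, how: str) -> None:
        self.observed.append(f"t={self.clock:.0f}s {task.name} [{how}]: {task.callback()}")
        task.next_fire = self.clock + task.interval

    def run_due(self, how: str = "scheduled") -> None:
        for task in self.tasks:
            while task.next_fire <= self.clock:
                self._dispatch(task, how)

    def sleep(self, seconds: float) -> None:
        """Normal passage of analysis time."""
        self.clock += seconds
        self.run_due()

    # Sandbox side: the four early-trigger strategies of S204.
    def trigger_direct(self, task: TimedTask) -> None:
        """(a) Call the routine implementing the task directly, bypassing the scheduler."""
        self.observed.append(f"t={self.clock:.0f}s {task.name} [direct]: {task.callback()}")

    def rewrite_timing(self, task: TimedTask, new_interval: float = 1.0) -> None:
        """(b) Modify the task's timing parameters so it fires almost immediately."""
        task.interval = max(new_interval, 0.001)   # a zero interval would never stop firing
        task.next_fire = self.clock + task.interval

    def send_trigger_signal(self, task: TimedTask) -> None:
        """(c) Deliver a simulated expiry to the task without touching the clock."""
        task.next_fire = self.clock
        self.run_due(how="signal")

    def set_system_time(self, new_clock: float) -> None:
        """(d) Advance the system time past the task's deadline."""
        self.clock = max(self.clock, new_clock)
        self.run_due(how="clock")

def analyse(strategy: Optional[str], budget: float = 120.0) -> List[str]:
    """Run the constructed sample for `budget` virtual seconds using one trigger strategy."""
    sb = SandboxScheduler()
    # Constructed sample: an immediate first stage, then a second stage deferred by
    # 600 s, which is longer than the analysis budget.
    sb.observed.append("t=0s stage1: write dropper")
    task = sb.create_timed_task("payload", 600.0, lambda: "deferred stage 2 ran")
    if strategy == "direct":
        sb.trigger_direct(task)
    elif strategy == "rewrite":
        sb.rewrite_timing(task)
    elif strategy == "signal":
        sb.send_trigger_signal(task)
    elif strategy == "clock":
        sb.set_system_time(sb.clock + task.interval)
    sb.sleep(budget)
    return sb.observed

def payload_observed(log: List[str]) -> bool:
    return any("deferred stage 2" in line for line in log)

if __name__ == "__main__":
    for s in (None, "direct", "rewrite", "signal", "clock"):
        print(s, analyse(s))
```

Without a trigger strategy the analysis window ends after only the first stage has been seen; each of the four strategies brings the deferred stage inside the window. The virtual clock is kept explicit so the reader can see a difference between them that the patent leaves open: only the system-time strategy records the task firing at the time its own interval implies, while the other three run the callback while the clock still reads close to the creation time.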
In a third aspect, an embodiment of the present invention provides an electronic device, which can effectively detect program samples that use the creation of timed tasks to escape sandbox analysis, thereby greatly reducing the probability that a sample escapes detection and effectively improving the detection capability of the sandbox.
As shown in figure 4, the electronic device provided by an embodiment of the present invention may include: a housing 41, a processor 42, a memory 43, a circuit board 44 and a power supply circuit 45, wherein the circuit board 44 is placed inside the space enclosed by the housing 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power supply circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs the program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to execute the sandbox analysis method described in any of the foregoing embodiments.
For the specific process by which the processor 42 executes the above steps, and for the further steps the processor 42 executes by running the executable program code, reference may be made to the description of the foregoing embodiments, which is not repeated here.
The electronic device exists in a variety of forms, including but not limited to:
(1) Mobile communication devices: these devices are characterized by having mobile communication functions, with the main goal of providing voice and data communication. This type of terminal includes smart phones (such as the iPhone), multimedia phones, feature phones and low-end phones.
(2) Ultra-mobile personal computer devices: these devices belong to the category of personal computers, have computing and processing functions, and generally also have mobile Internet access. This type of terminal includes PDA, MID and UMPC devices, such as the iPad.
(3) Portable entertainment devices: these devices can display and play multimedia content. They include audio and video players (such as the iPod), handheld devices, e-book readers, smart toys and portable in-car navigation devices.
(4) Servers: devices that provide computing services. A server consists of a processor, hard disk, memory, system bus and so on; its architecture is similar to that of a general-purpose computer, but because it must provide highly reliable services it has higher requirements for processing power, stability, reliability, security, scalability and manageability.
(5) Other electronic devices with data interaction functions.
In a fourth aspect, an embodiment of the present invention also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement any of the sandbox analysis methods provided by the foregoing embodiments; it can therefore also achieve the corresponding technical effects, which have been described in detail above and are not repeated here.
It should be noted that in this document relational terms such as first and second are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
Each embodiment in this specification is described in a related manner; the same or similar parts of the embodiments may be referred to each other, and each embodiment focuses on its differences from the other embodiments.
Since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief; for the relevant parts, refer to the corresponding description of the method embodiment.
For convenience of description, the apparatus above is described as divided into various units/modules by function. Of course, when implementing the present invention, the functions of the units/modules may be realized in one or more pieces of software and/or hardware.
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (Read-Only Memory, ROM) or a random access memory (Random Access Memory, RAM), and so on.
The above is merely a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto; any change or substitution that can easily be thought of by those familiar with the art within the technical scope disclosed by the present invention shall be covered by the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A sandbox analysis method, characterized in that it includes:
running a program sample input into a sandbox and monitoring whether an operation creating a timed task exists in the running of the program sample;
when an operation creating a timed task exists in the running of the program sample, triggering the created timed task to execute in advance.
2. The method according to claim 1, characterized in that monitoring whether an operation creating a timed task exists in the running of the program sample includes:
monitoring calls by the program sample to a preset API function and/or a preset system command;
determining, according to the monitored calls, whether an operation creating a timed task exists in the running of the program sample.
3. The method according to claim 2, characterized in that monitoring calls by the program sample to a preset API function and/or a preset system command includes:
monitoring calls by the program sample to the preset API function through a monitoring function registered on the preset API function;
and determining, according to the monitored calls, whether an operation creating a timed task exists in the running of the program sample includes:
when the monitoring function is called, determining that an operation creating a timed task exists in the running of the program sample.
4. The method according to claim 2, characterized in that monitoring calls by the program sample to a preset API function and/or a preset system command includes:
monitoring calls by the program sample to the preset system command by monitoring the processes spawned by the program sample;
and determining, according to the monitored calls, whether an operation creating a timed task exists in the running of the program sample includes:
when a spawned process contains a command that creates a timed task, determining that an operation creating a timed task exists in the running of the program sample.
5. The method according to claim 1, characterized in that, when an operation creating a timed task exists in the running of the program sample, triggering the created timed task to execute in advance includes:
when an operation creating a timed task exists in the running of the program sample, directly calling the API function implementing the timed task to trigger the timed task to execute in advance; or modifying the timing parameters of the timed task to trigger the timed task to execute in advance; or sending a simulated trigger signal to the timed task to trigger the timed task to execute in advance; or modifying the system time to trigger the timed task to execute in advance.
6. A sandbox analysis apparatus, characterized in that it includes:
a monitoring unit, for running a program sample input into the sandbox and monitoring whether an operation creating a timed task exists in the running of the program sample;
a trigger unit, for triggering the created timed task to execute in advance when the monitoring unit detects that an operation creating a timed task exists in the running of the program sample.
7. The apparatus according to claim 6, characterized in that the monitoring unit includes:
a monitoring module, for monitoring calls by the program sample to a preset API function and/or a preset system command;
a determining module, for determining, according to the monitored calls, whether an operation creating a timed task exists in the running of the program sample.
8. The apparatus according to claim 7, characterized in that the monitoring module is specifically used to monitor calls by the program sample to the preset API function through a monitoring function registered on the preset API function;
and the determining module is specifically used to determine that an operation creating a timed task exists in the running of the program sample when the monitoring function is called.
9. The apparatus according to claim 7, characterized in that the monitoring module is specifically used to monitor calls by the program sample to the preset system command by monitoring the processes spawned by the program sample;
and the determining module is specifically used to determine that an operation creating a timed task exists in the running of the program sample when a spawned process contains a command that creates a timed task.
10. The apparatus according to claim 7, characterized in that the trigger unit is specifically used, when it is determined that an operation creating a timed task exists in the running of the program sample, to directly call the API function implementing the timed task to trigger the timed task to execute in advance; or to modify the timing parameters of the timed task to trigger the timed task to execute in advance; or to send a simulated trigger signal to the timed task to trigger the timed task to execute in advance; or to modify the system time to trigger the timed task to execute in advance.
11. An electronic device, characterized in that the electronic device includes: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is placed inside the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor runs the program corresponding to the executable program code by reading the executable program code stored in the memory, so as to execute the sandbox analysis method according to any one of claims 1 to 5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more programs which can be executed by one or more processors to implement the sandbox analysis method according to any one of claims 1 to 5.
Application CN201711426404.7A, priority date 2017-12-25, filing date 2017-12-25: A kind of sandbox analysis method, device, electronic equipment and storage medium. Status: Pending. Published as CN108874658A (en).

Publications (1)

Publication Number Publication Date
CN108874658A true CN108874658A (en) 2018-11-23

Family

ID=64325626

Country Status (1)

Country Link
CN (1) CN108874658A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination