CN108920943A - Method and device for detecting installation bundling behavior of application software - Google Patents

Method and device for detecting installation bundling behavior of application software

Info

Publication number
CN108920943A
Application number
CN201810430169.9A
Authority
CN (China)
Prior art keywords
application software
api
virtual machine
engine
analysis
Legal status
Pending
Other languages
Chinese (zh)
Inventors
袁静
李政
赵淳璐
范乐君
吴志敏
喻梁文
王�琦
王晖
颜靖华
赵怀瑾
李蒙阳
王智勇
Current assignee
National Computer Network and Information Security Management Center
Original assignee
National Computer Network and Information Security Management Center
Application filed by National Computer Network and Information Security Management Center
Priority to CN201810430169.9A
Publication of CN108920943A

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
        • G06F21/51 ... at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
        • G06F21/52 ... during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
        • G06F21/53 ... by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
        • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
        • G06F21/562 Static detection
        • G06F21/565 Static detection by checking file integrity
        • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
        • G06F2221/031 Protect user input by software means
        • G06F2221/033 Test or assess software

Abstract

The invention discloses a method and device for detecting installation bundling behavior of application software. In the embodiment of the invention a quick analysis engine and a dynamic sandbox engine are set up. The dynamic sandbox engine uses a virtual machine environment to run and analyse the multiple samples in the application software and determines from the run-analysis result whether there is installation bundling behavior; if so, it is confirmed that the application software has installation bundling behavior. If not, the quick analysis engine performs packer inspection on the application software, obtains the unpacked sample and the intermediate files released by all samples, scans their application programming interfaces (APIs), and determines from the scan result whether the application software has installation bundling behavior. In this way, the method and device provided by the embodiment of the invention detect specifically the installation bundling behavior of application software and guarantee the accuracy and completeness of detection, so that the detection result is accurate.

Description

Method and device for detecting installation bundling behavior of application software
Technical field
The present invention relates to the field of computer technology, and in particular to a method and device for detecting installation bundling behavior of application software.
Background art
To prevent a local computer from being illegally compromised while it runs application software, antivirus software can be installed on the local computer, for example the BlackICE computer firewall (BlackICE PC Protection) provided by ISS, the anti-virus software McAfee VirusScan provided by McAfee, and 360 Security Guard provided by 360. ISS BlackICE PC Protection integrates a very powerful detection and analysis engine that can identify more than 200 kinds of intrusion techniques; it performs overall network detection and protects the computer system, and can monitor network ports and protocols in real time to intercept all suspicious network intrusions. McAfee VirusScan provides a complete and trustworthy anti-virus solution for the desktop environment; it can accurately and effectively remove viruses that may be present on floppy disks, in downloaded Internet documents, in e-mail and in various compressed files. Its functions include the inspection and removal of memory, file and boot-sector viruses; its real-time scanning technology monitors the file operations of the operating system in the background and checks for bundled software during disk access, file copying, file creation, file renaming, program execution and system start-up, and through a "harmful program control function" it can further designate unwelcome application software as harmful, so as to prevent bundled installation in advance. 360 Security Guard has many functions, such as Trojan scanning and removal, plug-in cleaning, vulnerability patching, computer check-up, computer rescue, privacy protection, computer expert, junk cleaning and trace cleaning.
At present, the antivirus software described above can be used to detect the installation bundling behavior of application software. Bundled-installation behavior refers to the installation, during the installation of an application, of some other software that has no execution dependency on that application; this behavior is called installation bundling. The antivirus software usually applies a security black-box detection method to detect the installation bundling behavior of the corresponding application software; the detailed process is: Step 1, the antivirus software establishes a network proxy on the target computer to intercept the data the computer sends and receives while running the software; as the network proxy, the antivirus software is installed on another computer rather than the target computer and has storage, interception, modification and network Secure Socket Layer (SSL) mediation functions; Step 2, a snapshot is taken of the file system of the computer currently running the application software, so that it can be determined which files the application software creates during the security analysis; Step 3, according to the snapshot, the antivirus software installs the corresponding application software, which may be downloaded and installed from the official market or through other installation channels, and the installed application software may be encrypted; Step 4, the encrypted installed application software is decrypted so that the subsequent analysis process can proceed; Step 5, a snapshot is again taken of the file system of the computer currently running the application software, to obtain which files were added while installing the corresponding application software; Step 6, an analysis engine is used to analyse the installed application software and the added files, so as to determine whether the application software has installation bundling behavior at run time.
It can be seen that detecting the installation bundling behavior of application software with existing antivirus software has many defects:
Defect one: existing antivirus software is oriented more toward the overall security of application software on the computer, and its detection is relatively shallow; it is carried out merely by having an analysis engine scan and compare the installed application software, so the detection capability is low and the accuracy and completeness of detection are both poor.
Defect two: the approach currently used is dynamic detection, and this dynamic detection process relies entirely on simulation or virtualization of the computer system; during the simulation, the triggering of the application software's behavior is not thorough, or the sub-programs of the application software are insufficiently analysed, so the detection result is inaccurate.
Defect three: static detection methods are lacking; the static analysis that existing antivirus software performs on application software is aimed at security in general, and static analysis of specific behaviors, such as installation bundling behavior, is lacking.
Defect four: a targeted detection process is lacking; existing antivirus software performs dynamic or static analysis separately on the application program and then obtains an antivirus result, so all the various problems of static analysis or dynamic analysis are present, and the analysis effect for the installation bundling behavior of an application is poor.
In summary, there is at present no detection scheme aimed specifically at the installation bundling behavior of application software, and the accuracy and completeness of detection cannot be guaranteed, which results in inaccurate detection results.
Summary of the invention
An embodiment of the present invention provides a method for detecting installation bundling behavior of application software; this method can detect specifically the installation bundling behavior of application software and guarantees the accuracy and completeness of detection, so that the detection result is accurate.
Another embodiment of the present invention provides a device for detecting installation bundling behavior of application software; this device can detect specifically the installation bundling behavior of application software and guarantees the accuracy and completeness of detection, so that the detection result is accurate.
The embodiments of the present invention are implemented as follows:
A method for detecting installation bundling behavior of application software, in which a quick analysis engine and a dynamic sandbox engine are set up, the method further including:
A. The dynamic sandbox engine builds a virtual machine environment, runs and analyses the multiple samples in the application software, and determines from the run-analysis result whether there is installation bundling behavior; if there is, it is determined that the application software has installation bundling behavior; otherwise step B is executed;
B. After performing packer inspection on the application software, the quick analysis engine uses the configured application programming interface (API) rule base to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; when an API among them satisfies an API rule set in the configured API rule base, it is confirmed that the application software has installation bundling behavior; otherwise it is determined that the application software has no installation bundling behavior.
The packer inspection of the application software by the quick analysis engine described in step B is performed in step A, or is performed in step B.
The packer inspection performed by the quick analysis engine is: scanning whether the application software is packed, and indicating the type of packer.
The process of scanning the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples is:
the API combinations in the configured API rule base, together with their corresponding API features, are matched respectively against the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; if the match succeeds, it is confirmed that the application software has installation bundling behavior.
The API rule base is dynamically updated.
The process by which the dynamic sandbox engine described in step A builds the virtual machine environment is: a central processing virtual machine and client virtual machines are set up, wherein
the central processing virtual machine distributes the multiple samples in the application software to the client virtual machines for execution, and obtains the run-analysis result produced by each client;
each client virtual machine receives the samples distributed by the central processing virtual machine, obtains the run-analysis result after running the sample, and sends it to the central processing virtual machine for processing.
A device for detecting installation bundling behavior of application software, the device including: an engine setting unit, an application software acquiring unit, a static analysis unit and a dynamic analysis unit, wherein
the engine setting unit is used to set up the quick analysis engine and the dynamic sandbox engine;
the application software acquiring unit is used to acquire the application software running on the computer and send it to the dynamic analysis unit;
the dynamic analysis unit is used for the dynamic sandbox engine to build a virtual machine environment, run and analyse the multiple samples in the application software, and determine from the run-analysis result whether there is installation bundling behavior; if so, it confirms that the application software has installation bundling behavior; otherwise, the application software that the dynamic sandbox engine has confirmed to have no installation bundling behavior is sent to the static analysis unit;
the static analysis unit is used for the quick analysis engine to perform packer inspection on the application software and obtain the unpacked sample in the application software and the intermediate files released by all samples; when the dynamic sandbox engine has confirmed that the application software has no installation bundling behavior, the quick analysis engine uses the configured API rule base to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; when an API among them satisfies an API rule set in the configured API rule base, it is confirmed that the application software has installation bundling behavior; otherwise it is confirmed that the application software has no installation bundling behavior.
The engine setting unit is further used to set up an API rule base for the configured quick analysis engine; the API rule base contains API combinations and their corresponding API features, and is dynamically updated.
The dynamic analysis unit is further used, while the dynamic sandbox engine builds the virtual machine environment and runs and analyses the multiple samples in the application software, for the virtual machine environment to be:
a central processing virtual machine and client virtual machines, wherein the central processing virtual machine is used to distribute the multiple samples in the application software to the client virtual machines for execution and to obtain the run-analysis results produced by each client, etc.; each client virtual machine is used to receive the samples distributed by the central processing virtual machine, obtain the run-analysis result after running the sample, and send it to the central processing virtual machine for processing.
The device is a proxy computer for the computer that runs the application program.
As can be seen from the above, in the embodiment of the present invention a quick analysis engine and a dynamic sandbox engine are set up, wherein the dynamic sandbox engine uses a virtual machine environment to run and analyse the multiple samples in the application software and determines from the run-analysis result whether there is installation bundling behavior; if so, it is confirmed that the application software has installation bundling behavior. If not, the quick analysis engine performs packer inspection on the application software, obtains the unpacked sample and the intermediate files released by all samples, scans their application programming interfaces (APIs), and determines from the scan result whether the application software has installation bundling behavior. In this way, the method and device provided by the embodiment of the present invention detect specifically the installation bundling behavior of application software and guarantee the accuracy and completeness of detection, so that the detection result is accurate.
Description of the drawings
Fig. 1 is a flow diagram of a method for detecting installation bundling behavior of application software provided by an embodiment of the present invention;
Fig. 2 is a schematic diagram of the structure of the dynamic sandbox engine provided by an embodiment of the present invention;
Fig. 3 is a schematic diagram of the structure of a device for detecting installation bundling behavior of application software provided by an embodiment of the present invention.
Specific embodiments
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described further below with reference to the drawings and embodiments.
It can be seen from the background art that the security detection performed on application software by existing antivirus software is not aimed specifically at the installation bundling behavior of the application software, so the detection precision is low and the security detection is broad but shallow. Therefore, in the embodiment of the present invention, the dynamic sandbox engine uses a virtual machine environment to run and analyse the multiple samples in the application software and determines from the run-analysis result whether there is installation bundling behavior; if so, it is confirmed that the application software has installation bundling behavior. If not, the quick analysis engine performs packer inspection on the application software, obtains the unpacked sample and the intermediate files released by all samples, scans their APIs, and determines from the scan result whether the application software has installation bundling behavior. Thus the method and device provided by the embodiment of the present invention detect specifically the installation bundling behavior of application software and guarantee the accuracy and completeness of detection, so that the detection result is accurate.
In this way, the embodiment of the present invention achieves automatic detection of the installation bundling behavior of application software.
Fig. 1 is a flow diagram of the method for detecting installation bundling behavior of application software provided by an embodiment of the present invention; a quick analysis engine and a dynamic sandbox engine are set up, and the specific steps are:
Step 101: the quick analysis engine performs packer inspection on the application software and obtains the unpacked sample in the application software and the intermediate files released by all samples;
Step 102: the dynamic sandbox engine builds a virtual machine environment, runs and analyses the multiple samples in the application software, and determines from the run-analysis result whether there is installation bundling behavior; if so, step 103 is executed; if not, step 104 is executed;
Step 103: the dynamic sandbox engine determines that the application software has installation bundling behavior;
Step 104: the quick analysis engine uses the configured API rule base to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; when an API among them satisfies an API rule set in the configured API rule base, it is confirmed that the application software has installation bundling behavior; otherwise it is determined that the application software has no installation bundling behavior.
In this method, the packer inspection of the application software by the quick analysis engine in step 101, which obtains the unpacked sample in the application software and the intermediate files released by all samples, may also be carried out after step 103; there is no precedence relationship between it and steps 102 to 103.
In this method, the quick analysis engine performs static detection of whether the application software has installation bundling behavior, and the dynamic sandbox engine performs dynamic detection of whether the application software has installation bundling behavior.
In this method, the samples are the set of executable files in the application software, in most cases files with the .exe suffix.
In this method, the quick analysis engine can be built on the ClamAV antivirus software. ClamAV is an open-source antivirus engine developed by the Sourcefire organization, which is also the owner of the Snort intrusion detection engine. ClamAV provides a fast and flexible framework for detecting malicious code and software products, and can serve as a supplementary tool or a replacement product for the existing antivirus scanning software on desktops, file servers, mail servers and in other scenarios that require virus scanning.
In this method, the packer inspection performed by the quick analysis engine is: scanning whether the application software is packed, and indicating the type of packer. Some application software contains a section of code specially responsible for protecting the software from being illegally modified or decompiled; it generally runs before the application software itself, takes control, and then carries out its task of protecting the software. The packer inspection of the quick analysis engine is based on a configured Python program whose signatures are based on the PEiD DLL library for portable executable (PE) programs.
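The packer inspection described above, as an added example that is neither part of the patent nor the Python program it refers to: it walks the PE section table by hand (no pefile dependency), first matches section names against a small constructed stand-in for a PEiD-style signature table, then falls back to an entropy heuristic on executable sections for packers the table does not know. The packer table, the entropy threshold and the three sample images are constructed assumptions.

```python
import math
import struct
from typing import Dict, List

# Constructed stand-in for a PEiD-style signature table (packer -> section names it
# leaves behind). A real deployment would carry a much larger database.
PACKER_SECTION_SIGNATURES: Dict[str, set] = {
    "UPX": {b"UPX0", b"UPX1", b"UPX2"},
    "ASPack": {b".aspack", b".adata"},
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # bits/byte; compressed or encrypted code sits close to 8.0


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header to reach the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional_header = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional_header
    sections = []
    for i in range(number_of_sections):
        hdr = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        characteristics = struct.unpack_from("<I", image, hdr + 36)[0]
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "entropy": shannon_entropy(raw),
                         "executable": bool(characteristics & IMAGE_SCN_MEM_EXECUTE)})
    return sections


def check_packing(image: bytes) -> Dict:
    """Say whether the image looks packed and, on a signature hit, which packer."""
    sections = parse_sections(image)
    names = {s["name"] for s in sections}
    for packer, signature in PACKER_SECTION_SIGNATURES.items():
        if names & signature:
            return {"packed": True, "packer": packer, "reason": "section-name signature"}
    # No signature hit: an executable section that is almost incompressible is the
    # usual tell of a packer the table does not know about.
    for s in sections:
        if s["executable"] and s["entropy"] > ENTROPY_THRESHOLD:
            return {"packed": True, "packer": "unknown",
                    "reason": "entropy %.2f in %s" % (s["entropy"], s["name"].decode("ascii", "replace"))}
    return {"packed": False, "packer": None, "reason": None}


def build_test_pe(sections: List[tuple]) -> bytes:
    """Constructed, non-loadable PE image with just enough headers for the scanner.
    sections: list of (name, raw_bytes, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0: none emitted), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, body = b"", b""
    for name, raw, characteristics in sections:
        headers += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, characteristics)
        body += raw
        raw_ptr += len(raw)
    return dos + b"PE\0\0" + coff + headers + body


def _noise(n: int, seed: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compressed code (an LCG is
    plenty for an entropy demonstration)."""
    x, out = seed, bytearray()
    for _ in range(n):
        x = (1103515245 * x + 12345) & 0xFFFFFFFF
        out.append((x >> 16) & 0xFF)
    return bytes(out)


# Constructed samples: a UPX-style layout, an unknown packer, and a plain build.
SAMPLE_UPX = build_test_pe([(b"UPX0", b"", 0xE0000080), (b"UPX1", _noise(4096, 7), 0xE0000040)])
SAMPLE_UNKNOWN_PACKER = build_test_pe([(b".text", _noise(4096, 3), 0x60000020)])
SAMPLE_PLAIN = build_test_pe([(b".text", b"\x55\x8b\xec" * 1000, 0x60000020),
                              (b".data", b"\0" * 512, 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("upx", SAMPLE_UPX), ("unknown", SAMPLE_UNKNOWN_PACKER), ("plain", SAMPLE_PLAIN)):
        print(label, check_packing(img))
```

Section-name signatures are cheap to evade by renaming, which is why the entropy fallback matters; a real table would also carry entry-point byte patterns as PEiD does.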
In this method, the API rule base configured for the quick analysis engine can be built with the ClamAV antivirus software. Since ClamAV allows custom signature databases, the ClamAV antivirus software is used to set up the API rule base; the API rule base contains API combinations and their corresponding API features, and an API feature may be a special field of the API, etc. It is used to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples.
In this method, the API rule base configured for the quick analysis engine can be updated: during subsequent scans, specific analysis of application programs can be carried out so as to build a more complete API rule base.
In this method, the process of scanning the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples is:
the API combinations in the configured API rule base, together with their corresponding API features, are matched respectively against the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; if the match succeeds, it is confirmed that the application software has installation bundling behavior. Subsequently, the API combination corresponding to the successfully matched API feature is returned to the configured upper-layer dispatch platform so that the dispatcher is informed; otherwise a null value is returned.
The embodiment of the present invention thus realizes, in the quick analysis engine, the development of the packer-inspection program and the judgement of API combinations indicative of bundled installation.
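The API scan of step B and the result handed back to the dispatch platform, as an added example that is not part of the patent and does not use ClamAV's signature format: a rule is an API combination that must all be imported by one file plus an optional feature, modelled here as a regular expression over the file's printable strings; the scan covers the unpacked sample and then each released intermediate file. The rule base, the import lists (standing in for a PE import-table dump) and the file paths are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def normalize_api(name: str) -> str:
    """Fold ANSI/Unicode variants onto one name, e.g. CreateProcessW -> CreateProcess,
    so a rule does not have to list both spellings."""
    if len(name) > 2 and name[-1] in "AW" and name[-2].islower():
        return name[:-1]
    return name


@dataclass
class ApiRule:
    """One entry of the API rule base: an API combination plus an optional feature
    (assumed here to be a regex over the file's strings)."""
    name: str
    apis: Set[str]
    feature: Optional[str] = None


@dataclass
class ScannedFile:
    """Import names and strings of one PE file, as a PE parser would dump them."""
    path: str
    imports: Set[str]
    strings: List[str] = field(default_factory=list)


@dataclass
class Match:
    rule: str
    path: str
    apis: Set[str]


def match_file(f: ScannedFile, rules: List[ApiRule]) -> Optional[Match]:
    """A rule hits when every API of its combination is imported by this one file
    and, if the rule carries a feature, at least one string of the file matches it."""
    imported = {normalize_api(n) for n in f.imports}
    for rule in rules:
        if not rule.apis <= imported:
            continue
        if rule.feature and not any(re.search(rule.feature, s) for s in f.strings):
            continue
        return Match(rule.name, f.path, set(rule.apis))
    return None


def scan_sample(unpacked: ScannedFile, released: List[ScannedFile],
                rules: List[ApiRule]) -> Optional[Match]:
    """Step B: scan the unpacked sample first, then every intermediate file it
    released; the first hit settles the verdict."""
    for f in [unpacked, *released]:
        hit = match_file(f, rules)
        if hit:
            return hit
    return None


def result_for_dispatcher(unpacked: ScannedFile, released: List[ScannedFile],
                          rules: List[ApiRule]) -> Optional[List[str]]:
    """What goes back to the upper-layer dispatch platform: the matched API
    combination on success, a null value otherwise."""
    hit = scan_sample(unpacked, released, rules)
    return sorted(hit.apis) if hit else None


# Constructed, illustrative rule base (not the patent's or ClamAV's own signatures).
RULES = [
    ApiRule("download_and_execute", {"URLDownloadToFile", "CreateProcess"}),
    ApiRule("drop_and_silent_install", {"CreateFile", "WriteFile", "ShellExecuteEx"},
            feature=r"/(S|VERYSILENT|quiet)\b"),
]

# Constructed sample: an installer whose released helper launches a partner setup silently.
MAIN = ScannedFile("setup.exe", {"CreateFileW", "WriteFile", "GetModuleHandleA", "ExitProcess"},
                   strings=["Setup Wizard"])
RELEASED = [
    ScannedFile("$TEMP/helper.dll", {"GetProcAddress", "LoadLibraryA"}),
    ScannedFile("$TEMP/partner_setup.exe",
                {"CreateFileW", "WriteFile", "ShellExecuteExW", "RegSetValueExW"},
                strings=["partner_setup.exe /S", "Software\\Constructed\\Partner"]),
]
CLEAN = ScannedFile("plain_tool.exe", {"CreateFileW", "WriteFile", "ReadFile"})

if __name__ == "__main__":
    print(result_for_dispatcher(MAIN, RELEASED, RULES))  # the matched combination
    print(result_for_dispatcher(CLEAN, [], RULES))       # None
```

Scanning the released files is what catches this sample: the main installer on its own imports nothing that a rule asks for, and only the dropped partner_setup.exe carries the full combination together with the silent-install switch.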
In this method, the dynamic sandbox engine is based on the open-source Cuckoo sandbox, which is deeply customized. It manages the analysis work for each sample of the application software, such as starting the analysis work, behavior dump and report generation, completes the analysis of the installation bundling behavior of the application software, reports the run-analysis result to the configured dispatch platform, and so on. The dynamic sandbox engine's construction of the virtual machine environment means that multiple virtual machines are used for processing; each virtual machine is a relatively independent, clean execution environment, so that the run-analysis of each sample can be securely isolated.
When a sample runs in the dynamic sandbox engine, it triggers some of its own behaviors; in this method, the analysis focuses on bundled-installation behavior.
In this method, as shown in Fig. 2, which is a schematic diagram of the structure of the dynamic sandbox engine provided by an embodiment of the present invention, the process by which the dynamic sandbox engine builds the virtual machine environment is: a central processing virtual machine and client virtual machines are set up, wherein the central processing virtual machine is used to distribute the multiple samples in the application software to the client virtual machines for execution and to obtain the run-analysis results produced by each client, etc.; each client virtual machine is used to receive the samples distributed by the central processing virtual machine, obtain the run-analysis result after running the sample, and send it to the central processing virtual machine for processing.
Here, the central processing virtual machine may be called the Host Machine; it is responsible for distributing and managing the run-analysis of each sample, such as starting the run-analysis, dumping behavior and generating reports. The client virtual machines may be called Guest Machines; they mainly complete the run-analysis of the distributed samples and report the run-analysis results to the central processing virtual machine, etc. Each client virtual machine is a relatively independent, clean execution environment, so that the execution analysis of each sample can be securely isolated.
In Fig. 2, the run-analysis of a sample by a guest machine includes: analysis of the sample's static data and file behavior, after which the static analysis results are verified; analysis of run-time screenshots; API analysis; analysis of network behavior captured with TCPDUMP; and memory analysis performed on a memory image.
In this way, since the open-source sandbox's own behavioral analysis of executable files is rather plain and its support for Chinese application software is very poor, the sandbox is customized by the configured dynamic sandbox engine; if what is detected is an installation package, the executable files it releases can be analysed in depth, so the detection is more comprehensive. For example, some application software performs bundled installation during the uninstall process, and some executes the bundled installation package when the main program is executed.
Fig. 3 is the apparatus structure schematic diagram provided in an embodiment of the present invention for application software detection installation binding behavior, As shown, including:Engine unit, application software acquiring unit, static analysis unit and dynamic analysis unit are set, wherein
Engine unit is set, for quick analysis engine and dynamic sandbox engine to be arranged;
Application software acquiring unit is sent to dynamic analysis unit for obtaining the application software of operation on computers;
Dynamic analysis unit is used for the dynamic sandbox engine virtual machine constructor environment multiple samples therein to application software This operating analysis determines whether installation binding behavior according to operating analysis result, if it is, confirmation application software has bundle Tie up installation behavior;Otherwise, by dynamic sandbox engine confirmation application software, there is no binding installation behaviors to be sent to static point Analyse unit;
Static analysis unit carries out application software for the quick analysis engine to look into shell processing, and be applied software In the release intermediate file without shell sample and all samples, the dynamic sandbox engine confirmation application software there is no binding When installation behavior, by the quick analysis engine using setting API rule base to be applied in software without shell sample The API of the release intermediate file of API and all samples is scanned, and is arranged when in the API rule base that API therein meets setting API rule when, confirmation have application software installation binding behavior;Otherwise, there is no binding installation behaviors for confirmation application software.
The engine setting unit is further used to set up an API rule base for the quick analysis engine; the API rule base contains API combinations and their corresponding features, and is updated dynamically.
The dynamic analysis unit is further used to have the dynamic sandbox engine construct the virtual machine environment in which the multiple samples in the application software are run and analyzed; the virtual machine environment is:
a central processing virtual machine and client virtual machines, wherein the central processing virtual machine allocates the multiple samples in the application software, distributes them to the client virtual machines for execution, and collects the run analysis results obtained by each client; each client virtual machine receives the samples distributed by the central processing virtual machine, runs them, obtains the run analysis results and sends them to the central processing virtual machine for processing.
The device of this embodiment does not reside on the computer that runs the application program; it is installed on another computer, which acts as a proxy management computer for the computer running the application program and performs the dynamic analysis and static analysis of the application program's installation binding behaviour.
The embodiment of the present invention gives users a reassuring and easy-to-use check: before application software is released, or before a computer runs the application software, its installation binding behaviour can be monitored. Detection includes a shell check of the application software, quick analysis, API analysis and dynamic sandbox analysis. API analysis and dynamic sandbox analysis complement each other, which keeps both the false positive rate and the false negative rate of detection very low.
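A compact model of the two-stage pipeline described above and in claims 1, 4 and 6 (a dynamic sandbox whose central virtual machine distributes samples to client virtual machines, followed by the quick analysis engine's API-combination scan of the unpacked sample and released intermediate files), written here as an added illustration and not code from the patent; the event kinds, the rule-base entries, the sample packages and the import tables are all constructed.

```python
"""Two-stage bundled-install detector in the shape of the patent's method.
Added illustration, not the patent's code.  Stage A: a dynamic sandbox whose
central VM spreads samples over client VMs and gathers their run results.
Stage B: a static pass matching the import tables of the unpacked sample and
of every released intermediate file against an API rule base of API
combinations.  Events, import tables and rules below are all constructed."""
from collections import namedtuple
from itertools import cycle

# phase: "install", "run" or "uninstall"; kind: constructed event kinds
# "spawn_installer" / "write_uninstall_key"; target: product installed or run
Event = namedtuple("Event", "phase kind target")
Sample = namedtuple("Sample", "name product events")  # product = declared one

def dispatch(samples, client_vms):
    """Central processing VM: round-robin the samples over the client VMs."""
    plan = {vm: [] for vm in client_vms}
    for sample, vm in zip(samples, cycle(client_vms)):
        plan[vm].append(sample)
    return plan

def client_run(sample):
    """Client VM: report phases in which a product other than the declared
    one is installed or launched (constructed criterion)."""
    hits = [e for e in sample.events if e.kind in
            ("spawn_installer", "write_uninstall_key") and e.target != sample.product]
    return {"sample": sample.name, "bundled": bool(hits),
            "phases": sorted({e.phase for e in hits})}

def dynamic_stage(samples, client_vms=("vm-1", "vm-2")):
    """Central VM collects every client result; any hit settles step A."""
    plan = dispatch(samples, client_vms)
    results = [client_run(s) for vm in client_vms for s in plan[vm]]
    return any(r["bundled"] for r in results), results

RULE_BASE = [  # constructed (API combination, feature) pairs
    ({"URLDownloadToFileW", "CreateProcessW"}, "downloads and runs an extra installer"),
    ({"RegSetValueExW", "ShellExecuteW"}, "registers then launches an extra product"),
]

def api_stage(import_tables, rules=RULE_BASE):
    """import_tables: {file: set of imported APIs}; a rule matches a file
    only when the file imports the whole combination."""
    return [(f, feat) for f, apis in import_tables.items()
            for combo, feat in rules if combo <= apis]

def detect(samples, import_tables):
    """Step A first; step B only when the sandbox saw no bundling."""
    bundled, runs = dynamic_stage(samples)
    if bundled:
        return "bundled (dynamic)", runs
    findings = api_stage(import_tables)
    return ("bundled (static API)" if findings else "clean"), findings

# constructed inputs: one package spawns another installer during uninstall
SAMPLES = [Sample("setup.exe", "PhotoTool", [Event("uninstall", "spawn_installer", "ToolbarX")]),
           Sample("setup_b.exe", "PhotoTool", [Event("install", "write_uninstall_key", "PhotoTool")])]
IMPORTS = {"setup_unpacked.exe": {"CreateFileW", "RegSetValueExW"},
           "released/helper.exe": {"URLDownloadToFileW", "CreateProcessW"}}
```

With the constructed inputs, `detect(SAMPLES, IMPORTS)` stops at step A because the uninstall-phase spawn is caught in the sandbox; with only the clean sample, step B still flags the released helper through the download-and-run API combination.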
It can be seen that the embodiment of the present invention has the following advantages for detecting installation binding behaviour of application software:
1) Refined detection
After analyzing the characteristics of the computer application environment, the embodiment of the present invention takes the installation binding behaviour of application software as the focus of environment-feature detection, and within installation binding detection takes the detection by the dynamic sandbox engine as the emphasis. Whereas the antivirus software of the background art cannot achieve the detection depth required for installation binding behaviour, the embodiment of the present invention performs static detection with the quick analysis engine on top of the dynamic detection of the dynamic sandbox engine, refining and deepening detection.
2) Dynamic detection of the intermediate files released by application program samples
The existing static software detection means of the background art can only determine whether the additional data of application software contains a registration of additional bundled installation software, and dynamic analysis means cannot completely traverse the execution paths of application software. To improve the accuracy of detecting installation binding behaviour of application software, the embodiment of the present invention uses a detection method combining static detection and dynamic detection, performs cyclic detection on the intermediate files released during dynamic execution, and also guards the uninstall process of the application software against such behaviour, which makes detection of installation binding behaviour of application software more thorough.
3) Detection flow
The detection in the background art mostly performs dynamic analysis and static analysis separately and then combines the two results, without a definite detection flow, which wastes resources. With the detection provided in the embodiment of the present invention, it is first determined whether the application software is packed; if so, a shell check by the quick analysis engine quickly establishes the packing situation of the application software. Secondly, it is determined whether the application software has installation binding behaviour during actual installation and execution, mainly during the installation process, during program execution and during the uninstall process; if so, installation binding behaviour is determined directly; otherwise, static API combination analysis is further performed to finally determine whether installation binding behaviour exists. Compared with the antivirus software of the background art, data coverage is higher and the false positive and false negative rates are lower.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the invention; any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method for detecting installation binding behaviour for application software, characterized in that a quick analysis engine and a dynamic sandbox engine are set up, the method further comprising:
A. the dynamic sandbox engine constructs a virtual machine environment in which the multiple samples in the application software are run and analyzed, and determines from the run analysis result whether installation binding behaviour exists; if so, it is determined that the application software has installation binding behaviour; otherwise, step B is executed;
B. after the quick analysis engine performs a shell check on the application software, it uses a configured application programming interface (API) rule base to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; when an API among them meets an API rule set in the API rule base, it is confirmed that the application software has installation binding behaviour; otherwise, it is determined that the application software has no installation binding behaviour.
2. The method according to claim 1, characterized in that the shell check performed on the application software by the quick analysis engine in step B is executed in step A, or executed in step B.
3. The method according to claim 1 or 2, characterized in that the shell check by the quick analysis engine is: scanning whether the application software is packed, and indicating the type of packing.
4. The method according to claim 1, characterized in that the process of scanning the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples is:
matching the API features corresponding to the API combinations in the configured API rule base respectively against the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; if the match succeeds, it is confirmed that the application software has installation binding behaviour.
5. The method according to claim 1 or 4, characterized in that the API rule base is updated.
6. The method according to claim 1, characterized in that the process by which the dynamic sandbox engine constructs the virtual machine environment in step A is: setting up a central processing virtual machine and client virtual machines, wherein
the central processing virtual machine allocates the multiple samples in the application software, distributes them to the client virtual machines for execution, and collects the run analysis results obtained by each client;
each client virtual machine receives the samples distributed by the central processing virtual machine, runs them, obtains the run analysis results and sends them to the central processing virtual machine for processing.
7. A device for detecting installation binding behaviour for application software, characterized in that the device comprises an engine setting unit, an application software acquiring unit, a static analysis unit and a dynamic analysis unit, wherein
the engine setting unit is used to set up the quick analysis engine and the dynamic sandbox engine;
the application software acquiring unit is used to obtain the application software running on a computer and send it to the dynamic analysis unit;
the dynamic analysis unit is used to have the dynamic sandbox engine construct a virtual machine environment in which the multiple samples in the application software are run and analyzed, and to determine from the run analysis result whether installation binding behaviour exists; if so, it confirms that the application software has installation binding behaviour; otherwise, the application software that the dynamic sandbox engine has confirmed free of installation binding behaviour is sent to the static analysis unit;
the static analysis unit is used to have the quick analysis engine perform a shell check on the application software, obtaining the unpacked sample in the application software and the intermediate files released by all samples; when the dynamic sandbox engine has confirmed that the application software has no installation binding behaviour, the quick analysis engine uses the configured API rule base to scan the APIs of the unpacked sample in the application software and the APIs of the intermediate files released by all samples; when an API among them meets an API rule set in the API rule base, it confirms that the application software has installation binding behaviour; otherwise, it confirms that the application software has no installation binding behaviour.
8. The device according to claim 7, characterized in that the engine setting unit is further used to set up an API rule base for the quick analysis engine, the API rule base contains API combinations and corresponding API features, and the API rule base is updated dynamically.
9. The device according to claim 7, characterized in that the dynamic analysis unit is further used to have the dynamic sandbox engine construct the virtual machine environment in which the multiple samples in the application software are run and analyzed, the virtual machine environment being:
a central processing virtual machine and client virtual machines, wherein the central processing virtual machine allocates the multiple samples in the application software, distributes them to the client virtual machines for execution, and collects the run analysis results obtained by each client; each client virtual machine receives the samples distributed by the central processing virtual machine, runs them, obtains the run analysis results and sends them to the central processing virtual machine for processing.
10. The device according to claim 1, characterized in that the device is a proxy management computer for the computer running the application program.
CN201810430169.9A 2018-05-08 2018-05-08 The method and device of installation binding behavior is detected for application software Pending CN108920943A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810430169.9A CN108920943A (en) 2018-05-08 2018-05-08 The method and device of installation binding behavior is detected for application software

Publications (1)

Publication Number Publication Date
CN108920943A true CN108920943A (en) 2018-11-30

Family

ID=64403647

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810430169.9A Pending CN108920943A (en) 2018-05-08 2018-05-08 The method and device of installation binding behavior is detected for application software

Country Status (1)

Country Link
CN (1) CN108920943A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111639331A (en) * 2020-05-11 2020-09-08 珠海豹趣科技有限公司 Installation package monitoring method and device and computer readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103235913A (en) * 2013-04-03 2013-08-07 北京奇虎科技有限公司 System, equipment and method used for identifying and intercepting bundled software
CN103646209A (en) * 2013-12-20 2014-03-19 北京奇虎科技有限公司 Cloud-security-based bundled software blocking method and device
CN106055975A (en) * 2016-05-16 2016-10-26 杭州华三通信技术有限公司 Document detection method and sandbox
CN106295353A (en) * 2016-08-08 2017-01-04 腾讯科技(深圳)有限公司 A kind of method of engine Hole Detection and detection device
CN106778268A (en) * 2016-11-28 2017-05-31 广东省信息安全测评中心 Malicious code detecting method and system
CN106778247A (en) * 2016-12-15 2017-05-31 江苏通付盾科技有限公司 The method and device that application program is dynamically analyzed
CN107729748A (en) * 2017-09-20 2018-02-23 杭州安恒信息技术有限公司 A kind of method for describing file running orbit figure in sandbox

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181130