CN114449089A - Mobile phone application accessory automatic association method, terminal equipment and storage medium - Google Patents

Info

Publication number
CN114449089A
Authority
CN
China
Prior art keywords
mobile phone
phone application
program
analyzed
message digest
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111550917.5A
Other languages
Chinese (zh)
Inventor
杜新胜
周开军
李哲
张磊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Xiamen Meiya Pico Information Co Ltd
Original Assignee
Xiamen Meiya Pico Information Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Xiamen Meiya Pico Information Co Ltd filed Critical Xiamen Meiya Pico Information Co Ltd
Priority to CN202111550917.5A priority Critical patent/CN114449089A/en
Publication of CN114449089A publication Critical patent/CN114449089A/en
Pending legal-status Critical Current

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
    • H04M1/72406 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality by software upgrading or downloading
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24552 Database cache management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Databases & Information Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computational Linguistics (AREA)
  • Telephone Function (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method for automatically associating mobile phone application attachments, a terminal device and a storage medium. The method comprises the following steps: writing a JS script that hooks the underlying message digest computation; writing the Python master control program: creating a new Python program, importing the Frida module, writing the code that attaches to the mobile phone application, and loading the JS script; running the Frida server and the mobile phone application to be analyzed, and starting the Python program to receive the data source object and the corresponding message digest algorithm sent via send; the Python program calculates the message digest value and stores it in a list file; and extracting the file name of the attachment to be analyzed, searching the list file for a message digest value identical to the file name, using the file name as the search condition, and taking the data source object corresponding to the matching message digest value as the associated data source of the attachment to be analyzed. The invention can effectively reduce the reverse-analysis work of forensic examiners.

Description

Mobile phone application accessory automatic association method, terminal equipment and storage medium
Technical Field
The invention relates to the field of mobile phone electronic data forensics, in particular to a mobile phone application accessory automatic association method, terminal equipment and a storage medium.
Background
In recent years, with the development of smartphones, more and more people use them, and they have become indispensable tools for life and work. More and more applications have appeared as well; while these provide convenience for people's life and work, some people also use such software for illegal activities such as telecom fraud.
When a user browses websites, shops or chats with a mobile phone application, the data the user operates on may be stored locally. For example, when the user sends a picture while chatting, the local database records information such as the picture's Uniform Resource Locator (URL) and size, and the attachment directory stores the picture itself. The mainstream way of associating the two at present is to compute a hash value from the picture's related information with a common message digest algorithm and use it as the picture's file name. For example, Glide, a mainstream picture loading library on the Android platform, derives cached picture names with the SHA-1 algorithm.
Although the message digest algorithm used to compute an attachment's file name can be determined from the length of the file name, the data source from which the digest is computed is unknown. The forensic examiner has to reverse-analyze the code to obtain the correspondence, which requires professional reverse-engineering knowledge and a great deal of time.
Disclosure of Invention
In order to solve the above problems, the present invention provides a method for automatically associating mobile phone application attachments, a terminal device and a storage medium.
The specific scheme is as follows:
A method for automatically associating mobile phone application attachments comprises the following steps:
S1: writing a JS script that hooks the underlying message digest computation;
S2: writing the Python master control program: creating a new Python program, importing the Frida module, writing the code that attaches to the mobile phone application, and loading the JS script written in step S1;
S3: running the Frida server and the mobile phone application to be analyzed, and starting the Python program to receive the data source object and the corresponding message digest algorithm sent via send;
S4: the Python program calculates the corresponding message digest value from the data source object and the corresponding message digest algorithm, and stores the data source object and the corresponding message digest value in a list file;
S5: extracting the file name of the attachment to be analyzed, searching the list file for a message digest value identical to the file name, using the file name as the search condition, and taking the data source object corresponding to the matching message digest value as the associated data source of the attachment to be analyzed.
Further, the JS script that hooks the underlying message digest computation works as follows: when the JS script runs, it hooks the update(byte[] input) function of the "java.security.MessageDigest" class using the Java reflection mechanism; when a "java.security.MessageDigest" object is triggered to execute the update function, the corresponding message digest algorithm is obtained by calling the object's getAlgorithm() method; the object and the corresponding message digest algorithm are packed into a JSON string, and the packed result is sent to the Python master control program through Frida's send API.
Further, the mobile phone application attachments comprise pictures, audio and video.
Further, the file name of the attachment to be analyzed is extracted from the locally stored directory of the attachment.
The mobile phone application accessory automatic association terminal equipment comprises a processor, a memory and a computer program which is stored in the memory and can run on the processor, wherein the processor executes the computer program to realize the steps of the method of the embodiment of the invention.
A computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the method as described above for an embodiment of the invention.
By adopting the above technical scheme, the invention provides a method for associating an application's locally cached attachments, such as pictures, audio and video, with local data, which can effectively reduce the reverse-analysis work of forensic examiners and improve the efficiency of electronic forensics.
Drawings
Fig. 1 is a flowchart illustrating a first embodiment of the present invention.
Fig. 2 is a schematic diagram showing the storage location of the personal information in this embodiment.
Fig. 3 is a schematic diagram showing a storage location of the picture attachment in this embodiment.
Fig. 4 is a schematic diagram showing data contents from Hook in this embodiment.
Detailed Description
To further illustrate the various embodiments, the invention provides the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments. Those skilled in the art will appreciate still other possible embodiments and advantages of the present invention with reference to these figures.
The invention will now be further described with reference to the accompanying drawings and detailed description.
The first embodiment is as follows:
At present, the two main mobile operating systems are Android and iOS, and on each the underlying algorithms for calculating message digests are fixed; for example, the Java class that provides the message digest function to applications on the Android platform is named "Java.
Based on this principle, the embodiment of the invention provides an automatic association method for mobile phone application attachments, which finds the association between a mobile phone application's attachments and its local data source, and is explained here taking the Android platform as an example. As shown in fig. 1, the method comprises the following steps:
S1: writing a JS script that hooks the underlying message digest computation.
Hook technology, also called hook functions, works as follows: before the system calls the function, the hook program captures the message and the hook function gains control first; it can then process (change) the function's execution behavior, or forcibly end the delivery of the message.
The main characteristics of a message digest algorithm are that the computation needs no key and the digested data cannot be decrypted (currently only the CRC32 algorithm can be reversed), and that the same plaintext passed through the same message digest algorithm always yields the same digest.
Message digest algorithms have the following properties: (1) The length of the calculated message digest is always fixed, regardless of how long the input message is. (2) As long as the input messages are different, the digests generated from them are also different, and the same input always generates the same output. (3) The message digest function is a trapdoor-free one-way function, i.e. a digest can only be computed in the forward direction, and no message can be recovered from the digest.
Common message digest algorithms are: MD5 (Message Digest Algorithm version 5), SHA (Secure Hash Algorithm), MAC (Hash Message Authentication Code).
The JS script in this embodiment works as follows: when the JS script runs, it hooks the update(byte[] input) function of the "java.security.MessageDigest" class using the Java reflection mechanism; when a "java.security.MessageDigest" object is triggered to execute the update function, the corresponding message digest algorithm is obtained by calling the object's getAlgorithm() method; the object and the corresponding message digest algorithm are packed into a JSON string, and the packed result is sent to the Python program through Frida's send API function.
Frida is a lightweight hook framework. Its core is written in C and injects Google's V8 engine into the target process, where the JS runs with full access to memory, can hook functions, and can even call native functions inside the process. Using Python and JS allows rapid development with a risk-free API. The Frida framework has two parts: the interaction tool Frida CLI, which runs on the system, and the code injection tool frida-server (Frida server), which runs on the target machine.
S2: writing the Python master control program: creating a new Python program, importing the Frida module, writing the code that attaches to the mobile phone application, and loading the JS script written in step S1.
S3: running the Frida server and the mobile phone application to be analyzed, and starting the Python program to receive the data source object and the corresponding message digest algorithm sent via send.
S4: the Python program calculates the corresponding message digest value from the data source object and the corresponding message digest algorithm, and stores the data source object and the corresponding message digest value in a list file.
S5: extracting the file name of the attachment to be analyzed, searching the list file for a message digest value identical to the file name, using the file name as the search condition, and taking the data source object corresponding to the matching message digest value as the associated data source of the attachment to be analyzed.
Taking a certain application as an example, the avatar picture of the personal information is the attachment, and the association between the attachment's file name and the data source object is sought. The personal information is stored in the "cross_account.db" database under the application's data directory, as shown in fig. 2. All picture resources are stored in the "cache\ok_http_cache" directory under the application's data directory, as shown in fig. 3. The data obtained by the hook when the Python program runs is shown in fig. 4. Using the file name in fig. 3 as the search condition, the identical message digest value is found in the list file shown in fig. 4, and the data source object corresponding to it (i.e. the profile_pic field of the "accounts" table) is taken as the associated data source of the application's picture attachment. The specific association is: read the value of the "profile_pic" field from the "accounts" table, then compute its MD5.
The embodiment of the invention provides a method for associating an application's locally cached attachments, such as pictures, audio and video, with local data, which can effectively reduce the reverse-analysis work of forensic examiners and further improve the efficiency of electronic forensics.
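Steps S4 and S5 as an added example (not code from the patent): the Python side turns hook messages into a digest list and matches cache file names against it. The JSON field names `algorithm` and `data_hex`, the sample URLs, and the stripping of a `.0`/`.1` style suffix from cache file names are assumptions; the hook messages are constructed here instead of being received from Frida.

```python
import hashlib
import json

# Names as returned by MessageDigest.getAlgorithm() -> hashlib names.
JCA_TO_HASHLIB = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256"}
# Hex length of a file name reveals which digest could have produced it.
HEX_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}


def build_list(messages):
    """Step S4: map digest_hex -> {algorithm, source} from hook messages.

    Each message is a JSON string with the hypothetical fields
    "algorithm" and "data_hex" (the bytes that were passed to update()).
    Caveat: data fed through several update() calls arrives as separate
    messages and is not reassembled here.
    """
    index = {}
    for raw in messages:
        try:
            msg = json.loads(raw)
            algo = msg["algorithm"].upper()
            data = bytes.fromhex(msg["data_hex"])
        except (ValueError, KeyError, AttributeError, TypeError):
            continue  # malformed message: skip, keep the capture running
        name = JCA_TO_HASHLIB.get(algo)
        if name is None:
            continue  # algorithm we cannot recompute
        digest = hashlib.new(name, data).hexdigest()
        index.setdefault(
            digest,
            {"algorithm": algo, "source": data.decode("utf-8", "replace")},
        )
    return index


def digest_part(filename):
    """Return the lowercase hex stem of a cache file name, or None.

    Non-digest files in the cache directory (e.g. a journal file) and
    stems whose length matches no known digest are rejected.
    """
    stem = filename.split(".", 1)[0].lower()
    if len(stem) in HEX_LEN and all(c in "0123456789abcdef" for c in stem):
        return stem
    return None


def associate(filenames, index):
    """Step S5: look each attachment file name up in the digest list."""
    result = {}
    for fn in filenames:
        key = digest_part(fn)
        result[fn] = index.get(key) if key else None
    return result


def demo():
    # Constructed sample data: two values an app might hash, plus noise.
    avatar = b"https://cdn.example.invalid/avatars/u1001.jpg"
    thumb = b"https://cdn.example.invalid/thumbs/77.png"
    messages = [
        json.dumps({"algorithm": "MD5", "data_hex": avatar.hex()}),
        json.dumps({"algorithm": "SHA-1", "data_hex": thumb.hex()}),
        json.dumps({"algorithm": "MD5", "data_hex": "zz"}),  # bad hex
        "not json",
    ]
    # Constructed cache directory listing.
    cache_dir = [
        hashlib.md5(avatar).hexdigest() + ".0",
        hashlib.sha1(thumb).hexdigest().upper() + ".1",
        "journal",
        "0" * 32 + ".0",  # digest-shaped name with no captured source
    ]
    return associate(cache_dir, build_list(messages))


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, "->", rec)
```

A file name that has a valid digest shape but no match means its source was never hashed during the capture window, so the relevant screens of the application need to be exercised again while the hook is active.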
The second embodiment is as follows:
The invention also provides a mobile phone application accessory automatic association terminal device, which comprises a memory, a processor and a computer program stored in the memory and runnable on the processor, wherein the processor, when executing the computer program, implements the steps of the method of the first embodiment of the invention.
Further, as an executable scheme, the mobile phone application accessory automatic association terminal device may be a desktop computer, a notebook, a palm computer, a cloud server, and other computing devices. The mobile phone application accessory automatic association terminal equipment can comprise, but is not limited to, a processor and a memory. It is understood by those skilled in the art that the above-mentioned constituent structure of the mobile phone application accessory automatic association terminal device is only an example of the mobile phone application accessory automatic association terminal device, and does not constitute a limitation on the mobile phone application accessory automatic association terminal device, and may include more or less components than the above, or combine some components, or different components, for example, the mobile phone application accessory automatic association terminal device may further include an input/output device, a network access device, a bus, and the like, which is not limited in this embodiment of the present invention.
Further, as an executable solution, the Processor may be a Central Processing Unit (CPU), other general purpose Processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, a discrete hardware component, and the like. The general processor can be a microprocessor or the processor can be any conventional processor and the like, the processor is a control center of the mobile phone application accessory automatic association terminal device, and various interfaces and lines are used for connecting various parts of the whole mobile phone application accessory automatic association terminal device.
The memory can be used for storing the computer program and/or the module, and the processor realizes various functions of the automatic association terminal equipment of the mobile phone application accessory by running or executing the computer program and/or the module stored in the memory and calling the data stored in the memory. The memory can mainly comprise a program storage area and a data storage area, wherein the program storage area can store an operating system and an application program required by at least one function; the storage data area may store data created according to the use of the mobile phone, and the like. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The invention also provides a computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the above-mentioned method of an embodiment of the invention.
The integrated module/unit of the mobile phone application accessory automatic association terminal device can be stored in a computer readable storage medium if the integrated module/unit is realized in the form of a software functional unit and is sold or used as an independent product. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), software distribution medium, and the like.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (6)

1. A method for automatically associating mobile phone application attachments, characterized by comprising the following steps:
S1: writing a JS script that hooks the underlying message digest computation;
S2: writing the Python master control program: creating a new Python program, importing the Frida module, writing the code that attaches to the mobile phone application, and loading the JS script written in step S1;
S3: running the Frida server and the mobile phone application to be analyzed, and starting the Python program to receive the data source object and the corresponding message digest algorithm sent via send;
S4: the Python program calculates the corresponding message digest value from the data source object and the corresponding message digest algorithm, and stores the data source object and the corresponding message digest value in a list file;
S5: extracting the file name of the attachment to be analyzed, searching the list file for a message digest value identical to the file name, using the file name as the search condition, and taking the data source object corresponding to the matching message digest value as the associated data source of the attachment to be analyzed.
2. The method for automatically associating mobile phone application attachments according to claim 1, wherein the JS script that hooks the underlying message digest computation works as follows: when the JS script runs, it hooks the update(byte[] input) function of the "java.security.MessageDigest" class using the Java reflection mechanism; when a "java.security.MessageDigest" object is triggered to execute the update function, the corresponding message digest algorithm is obtained by calling the object's getAlgorithm() method; the object and the corresponding message digest algorithm are packed into a JSON string, and the packed result is sent to the Python master control program through Frida's send API function.
3. The method for automatically associating mobile phone application attachments according to claim 1, wherein the mobile phone application attachments comprise pictures, audio and video.
4. The method for automatically associating mobile phone application attachments according to claim 1, wherein the file name of the attachment to be analyzed is extracted from the directory in which the attachment is stored locally.
5. A mobile phone application accessory automatic association terminal device, characterized by comprising a processor, a memory and a computer program stored in the memory and running on the processor, the processor implementing the steps of the method according to any of claims 1 to 4 when executing the computer program.
6. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 4.
CN202111550917.5A 2021-12-17 2021-12-17 Mobile phone application accessory automatic association method, terminal equipment and storage medium Pending CN114449089A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111550917.5A CN114449089A (en) 2021-12-17 2021-12-17 Mobile phone application accessory automatic association method, terminal equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111550917.5A CN114449089A (en) 2021-12-17 2021-12-17 Mobile phone application accessory automatic association method, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114449089A true CN114449089A (en) 2022-05-06

Family

ID=81363668

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111550917.5A Pending CN114449089A (en) 2021-12-17 2021-12-17 Mobile phone application accessory automatic association method, terminal equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114449089A (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110177150A (en) * 2019-06-06 2019-08-27 北京金山安全软件有限公司 Data acquisition method and device, electronic equipment and readable storage medium
CN111061776A (en) * 2019-12-10 2020-04-24 智器云南京信息科技有限公司 Method, system, terminal device and storage medium for realizing automatic data analysis

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
LUOYESIQIU: "Hook Java API to obtain the data before MD5 calculation", Retrieved from the Internet <URL:https://www.cnblogs.com/luoyesiqiu/p/11527676.html> *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination