CN114662062A - Application program tampering detection method, device, equipment and storage medium


Info

Publication number
CN114662062A
Authority
CN
China
Prior art keywords
detected
application program
built
hash value
certificate
Legal status
Pending
Application number
CN202011572290.9A
Other languages
Chinese (zh)
Inventor
李鹤仙
曹阳
Current Assignee
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd
Priority to CN202011572290.9A
Priority to PCT/CN2021/090704 (WO2022134419A1)
Publication of CN114662062A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
            • G06F21/12 Protecting executable software
        • G06F21/60 Protecting data
            • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The invention relates to the technical field of security detection and discloses a tamper detection method, device, equipment and storage medium for an application program. The method comprises the steps of: when the application program to be detected is started, acquiring built-in signature information and a signature certificate from the application program to be detected; generating current signature information according to the signature certificate; comparing the built-in signature information with the current signature information to obtain a comparison result; and determining, based on the comparison result, whether the application program to be detected has been tampered with. In the invention the built-in signature information is set in advance; when the application program to be detected is started, it is verified whether the current signature information corresponding to the signature certificate of the application program to be detected matches the original built-in signature information, and from this it is determined whether the application program has been tampered with. This enhances the security of the application program, protects the interests of the original developer, and solves the technical problem in the prior art that tampering with an application program is difficult to detect and therefore seriously harms the interests of the original developer.

Description

Application program tampering detection method, device, equipment and storage medium
Technical Field
The present invention relates to the field of security detection technologies, and in particular, to a method, an apparatus, a device, and a storage medium for tamper detection of an application.
Background
Android applications are cracked and pirated: an attacker first cracks the Android application and then repackages it into a new Android application, for example by implanting a trojan, inserting advertisements or tampering with payment links, which seriously damages the interests of the original developer. A method for detecting whether an Android application has been maliciously tampered with is therefore very important.
The above is only for the purpose of assisting understanding of the technical aspects of the present invention, and does not represent an admission that the above is prior art.
Disclosure of Invention
The invention mainly aims to provide a method, a device, equipment and a storage medium for detecting tampering of an application program, and aims to solve the technical problem that the tampering of the application program is difficult to detect and the interests of an original developer are seriously damaged in the prior art.
In order to achieve the above object, the present invention provides a tamper detection method for an application program, including the steps of:
when an application program to be detected is started, acquiring built-in signature information and a signature certificate in the application program to be detected;
generating current signature information according to the signature certificate;
comparing the built-in signature information with the current signature information to obtain a comparison result;
and determining whether the application program to be detected is tampered or not based on the comparison result.
Optionally, the step of generating current signature information according to the signature certificate specifically includes:
determining a signature file to be detected according to the signature certificate;
analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate;
and taking the hash value of the certificate to be detected as current signature information.
Optionally, the step of determining the signature file to be detected according to the signature certificate specifically includes:
acquiring an installation path of the application program to be detected according to the signature certificate, and acquiring an application program file to be detected according to the installation path;
and analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
Optionally, the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in certificate hash value from the built-in signature information;
and comparing the built-in certificate hash value with the certificate hash value to be detected to obtain a comparison result.
Optionally, the step of generating current signature information according to the signature certificate specifically includes:
determining code constant region data according to the signature certificate;
calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate;
and taking the constant hash value to be detected as current signature information.
Optionally, the step of determining the code constant region data according to the signature certificate specifically includes:
searching a code constant region starting address and a code constant region ending address according to the signature certificate;
and determining code constant region data according to the code constant region starting address and the code constant region ending address.
Optionally, the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in constant hash value from the built-in signature information;
and comparing the built-in constant hash value with the constant hash value to be detected to obtain a comparison result.
Optionally, the step of generating current signature information according to the signature certificate specifically includes:
determining code execution area data according to the signature certificate;
calculating the code execution area data based on an HMAC algorithm to obtain an execution hash value to be detected corresponding to the signature certificate;
and taking the to-be-detected execution hash value as current signature information.
Optionally, the step of determining the code execution region data according to the signature certificate specifically includes:
locating a code execution starting function and a code execution ending function according to the signature certificate, and running the code execution starting function and the code execution ending function;
receiving the code execution starting address returned by the code execution starting function after it runs;
receiving the code execution ending address returned by the code execution ending function after it runs;
and determining code execution area data according to the code execution starting address and the code execution ending address.
Optionally, the step of comparing the built-in signature information with the current signature information to obtain a comparison result includes:
extracting a built-in execution hash value from the built-in signature information;
and comparing the built-in execution hash value with the execution hash value to be detected to obtain a comparison result.
Optionally, the step of obtaining the built-in signature information and the signature certificate in the application program to be detected specifically includes:
acquiring a dynamic link library in the application program to be detected;
searching a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value from the dynamic link library;
taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information;
and acquiring the signature certificate of the application program to be detected.
Optionally, the step of searching for a built-in certificate hash value, a built-in constant hash value, and a built-in execution hash value from the dynamic link library specifically includes:
acquiring a dynamic link byte file from the dynamic link library;
acquiring a built-in execution hash value and a built-in constant hash value according to the dynamic link byte file;
determining constant area data according to the dynamic link byte file;
and searching a built-in certificate hash value from the constant area data.
Optionally, the step of obtaining a built-in execution hash value and a built-in constant hash value according to the dynamic link byte file specifically includes:
searching a built-in execution hash value address in the dynamic link byte file, and acquiring a built-in execution hash value according to the built-in execution hash value address;
and searching a built-in constant hash value address in the dynamic link byte file, and acquiring a built-in constant hash value according to the built-in constant hash value address.
In order to achieve the above object, the present invention also provides a tamper detection device for an application program, including:
an acquisition module, configured to acquire built-in signature information and a signature certificate from the application program to be detected when the application program to be detected is started;
a generating module, configured to generate current signature information according to the signature certificate;
a comparison module, configured to compare the built-in signature information with the current signature information to obtain a comparison result;
and a determining module, configured to determine, based on the comparison result, whether the application program to be detected has been tampered with.
Optionally, the generating module is further configured to determine a signature file to be detected according to the signature certificate;
the generation module is further configured to analyze the signature file to be detected and obtain a hash value of the certificate to be detected corresponding to the signature certificate;
the generation module is further configured to use the hash value of the certificate to be detected as current signature information.
Optionally, the generating module is further configured to obtain an installation path of the application to be detected according to the signature certificate, and obtain an application file to be detected according to the installation path;
the generation module is further used for analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
Optionally, the comparing module is further configured to extract a built-in certificate hash value from the built-in signature information;
the comparison module is further configured to compare the built-in certificate hash value with the to-be-detected certificate hash value to obtain a comparison result.
Optionally, the generating module is further configured to determine code constant region data according to the signature certificate;
the generation module is further configured to calculate the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate;
and the generating module is further configured to use the constant hash value to be detected as current signature information.
In addition, in order to achieve the above object, the present invention further provides a tamper detection device for an application program, including: a memory, a processor, and a tamper detection program for an application program that is stored on the memory and executable on the processor, the program implementing, when executed by the processor, the steps of the tamper detection method for an application program described above.
In addition, in order to achieve the above object, the present invention further provides a storage medium on which a tamper detection program for an application program is stored, the program implementing, when executed by a processor, the steps of the tamper detection method for an application program described above.
In the invention, when the application program to be detected is started, built-in signature information and a signature certificate are acquired from the application program to be detected; current signature information is generated according to the signature certificate; the built-in signature information is compared with the current signature information to obtain a comparison result; and whether the application program to be detected has been tampered with is determined based on the comparison result. In this way the built-in signature information is set in advance for the application program to be detected, and when it is started, whether the current signature information corresponding to its signature certificate matches the original built-in signature information is verified, so that whether the application program has been tampered with is determined. This enhances the security of the application program, protects the interests of the original developer, and solves the technical problem in the prior art that tampering with an application program is difficult to detect and therefore seriously harms the interests of the original developer.
Drawings
FIG. 1 is a schematic structural diagram of a tamper detection device for an application program in a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a tamper detection method for an application program according to a first embodiment of the present invention;
FIG. 3 is a flowchart illustrating a tamper detection method for an application program according to a second embodiment of the present invention;
FIG. 4 is a flowchart illustrating a tamper detection method for an application program according to a third embodiment of the present invention;
FIG. 5 is a flowchart illustrating a tamper detection method for an application program according to a fourth embodiment of the present invention;
FIG. 6 is a flowchart illustrating a tamper detection method for an application program according to a fifth embodiment of the present invention;
FIG. 7 is a block diagram showing the configuration of a tamper detection device for an application program according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and do not limit the invention.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a tamper detection device for an application program in a hardware operating environment according to an embodiment of the present invention.
As shown in fig. 1, the tamper detection device for an application program may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. The communication bus 1002 is used to enable communication between these components. The user interface 1003 may include a display screen and may optionally further include a standard wired interface and a wireless interface; in the present invention the wired interface of the user interface 1003 may be a USB interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a random access memory (RAM) or a non-volatile memory (NVM), such as a disk memory. The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration shown in fig. 1 does not constitute a limitation of the tamper detection device of the application, and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, the memory 1005, which is a kind of computer storage medium, may contain an operating system, a network communication module, a user interface module, and a tamper detection program for an application program.
In the tampering detection device for application programs shown in fig. 1, the network interface 1004 is mainly used for connecting a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting user equipment; the tamper detection device of the application calls the tamper detection program of the application stored in the memory 1005 through the processor 1001, and executes the tamper detection method of the application provided by the embodiment of the present invention.
Based on the hardware structure, the embodiment of the tamper detection method of the application program is provided.
Referring to fig. 2, fig. 2 is a flowchart illustrating a tamper detection method for an application according to a first embodiment of the present invention.
In a first embodiment, the tamper detection method of an application includes the steps of:
step S10: when an application program to be detected is started, acquiring built-in signature information and a signature certificate in the application program to be detected.
It should be noted that the execution subject of this embodiment is the tamper detection device for an application program, which may be an electronic device such as a personal computer or a server; this embodiment does not limit it. When the application program to be detected is started, the built-in signature information and the signature certificate are acquired from the application program to be detected. The built-in signature information may include multiple hash values; three are described below as an example: a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value. Of course, any two of them may also be used in combination. In addition, the built-in signature information may further include other hash values according to actual needs, which this embodiment does not limit.
It can be understood that, when the application program to be detected is started, acquiring the built-in signature information and the signature certificate in the application program to be detected may include: acquiring a dynamic link library in the application program to be detected; searching a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value from the dynamic link library; taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information; and acquiring the signature certificate of the application program to be detected.
Specifically, an application program can be written in various programming languages. Code written in C/C++ is called native code, and compared with code written in Java it is harder to reverse engineer. The final target into which native code is compiled is a dynamic link library; a dynamic link byte file, namely a .so file, is obtained from the dynamic link library. The .so file may comprise a .rodata section and a .text section: the .rodata section is the constant area data and the .text section is the execution area data. The built-in certificate hash value can be searched for in the constant area data; a built-in execution hash value address can be searched for in the .so file and the built-in execution hash value obtained from that address; and a built-in constant hash value address can be searched for in the .so file and the built-in constant hash value obtained from that address.
Step S20: and generating current signature information according to the signature certificate.
It is easy to understand that the current signature information is generated according to the signature certificate. The current signature information may include multiple items; three hash values are described below as an example: a certificate hash value to be detected, a constant hash value to be detected and an execution hash value to be detected. Of course, any two of them may also be used in combination. In addition, the current signature information may further include other hash values according to actual needs, which this embodiment does not limit.
Specifically, the step of generating the current signature information according to the signature certificate may include: determining a signature file to be detected according to the signature certificate; analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate; and taking the hash value of the certificate to be detected as current signature information.
Specifically, the step of generating current signature information according to the signature certificate may include: determining code constant region data according to the signature certificate; calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate; and taking the constant hash value to be detected as the current signature information.
Specifically, the step of generating current signature information according to the signature certificate may include: determining code execution area data according to the signature certificate; calculating the code execution area data based on an HMAC algorithm to obtain an execution hash value to be detected corresponding to the signature certificate; and taking the to-be-detected execution hash value as current signature information.
Step S30: and comparing the built-in signature information with the current signature information to obtain a comparison result.
It should be noted that comparing the built-in signature information with the current signature information to obtain a comparison result may be performed in a variety of ways; three ways are described below as examples, and of course any two of them may also be used in combination. In addition, the current signature information and the built-in signature information may further include other hash values according to actual needs, and other comparison manners may be adopted according to actual needs, which this embodiment does not limit.
In a first way, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in certificate hash value from the built-in signature information; and comparing the built-in certificate hash value with the certificate hash value to be detected to obtain a comparison result.
In a second way, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in constant hash value from the built-in signature information; and comparing the built-in constant hash value with the constant hash value to be detected to obtain a comparison result.
In a third way, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in execution hash value from the built-in signature information; and comparing the built-in execution hash value with the execution hash value to be detected to obtain a comparison result.
Step S40: and determining whether the application program to be detected is tampered or not based on the comparison result.
It is easy to understand that whether the application program to be detected is tampered is determined based on the comparison result, and when the built-in signature information is consistent with the current signature information, the application program to be detected is determined not to be tampered; and when the built-in signature information is inconsistent with the current signature information, determining that the application program to be detected is tampered.
It should be noted that if the built-in signature information is inconsistent with the current signature information, the user may further be prompted to take corresponding action, for example: forbidding the application program to be detected from using all permissions related to charges, including network communication, telephone, short messages and the like; or informing the user through a pop-up prompt box that the installed application program has been tampered with by a third party and providing a download button for a safe installation package, so that when the user clicks the download button the safe installation package starts to download. This is very convenient and quick: the user does not need to search for the correct installation package, which saves the user a large amount of time.
In this embodiment, when the application program to be detected is started, built-in signature information and a signature certificate are acquired from the application program to be detected; current signature information is generated according to the signature certificate; the built-in signature information is compared with the current signature information to obtain a comparison result; and whether the application program to be detected has been tampered with is determined based on the comparison result. In this way the built-in signature information is set in advance for the application program to be detected, and when it is started, whether the current signature information corresponding to its signature certificate matches the original built-in signature information is verified, so that whether the application program has been tampered with is determined. This enhances the security of the application program, protects the interests of the original developer, and solves the technical problem in the prior art that tampering with an application program is difficult to detect and therefore seriously harms the interests of the original developer.
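Steps S10 to S40 of the first embodiment, and the constant-region and execution-region variants listed in the Disclosure above, come down to three native operations: an HMAC over the constant area data, an HMAC over the code that lies between a starting marker function and an ending marker function, and a comparison of each result against the value built into the library. The following C program is an added example written for this page; it is not code from the patent or from the assignee. It assumes, hypothetically, that the HMAC key and the built-in hash values are patched into the .so after linking, that the toolchain keeps the marker functions `code_region_start` and `code_region_end` in definition order around the protected code, and it substitutes a compact SHA-256 for the openssl/mbedtls library the patent names. `constant_region` is a constructed stand-in for the .rodata section, whose real bounds a production implementation would read from the ELF section headers.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Compact one-shot SHA-256 (FIPS 180-4) and HMAC-SHA256 (RFC 2104). */
static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 };
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
#define CH(x, y, z) (((x) & (y)) ^ (~(x) & (z)))
#define MAJ(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
#define BSIG0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22))
#define BSIG1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25))
#define SSIG0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ ((x) >> 3))
#define SSIG1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ ((x) >> 10))

static void sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    size_t padded = ((len + 9 + 63) / 64) * 64;        /* msg || 0x80 || zeros || 64-bit bit length */
    uint64_t bits = (uint64_t)len * 8;
    for (size_t off = 0; off < padded; off += 64) {
        uint8_t blk[64];
        uint32_t w[64], a, b, c, d, e, f, g, hh;
        for (size_t i = 0; i < 64; i++) {                /* assemble one block, padding on the fly */
            size_t p = off + i;
            if (p < len) blk[i] = msg[p];
            else if (p == len) blk[i] = 0x80;
            else if (p >= padded - 8) blk[i] = (uint8_t)(bits >> (8 * (padded - 1 - p)));
            else blk[i] = 0;
        }
        for (int i = 0; i < 16; i++)
            w[i] = (uint32_t)blk[4*i] << 24 | (uint32_t)blk[4*i+1] << 16 | (uint32_t)blk[4*i+2] << 8 | blk[4*i+3];
        for (int i = 16; i < 64; i++) w[i] = SSIG1(w[i-2]) + w[i-7] + SSIG0(w[i-15]) + w[i-16];
        a = h[0]; b = h[1]; c = h[2]; d = h[3]; e = h[4]; f = h[5]; g = h[6]; hh = h[7];
        for (int i = 0; i < 64; i++) {
            uint32_t t1 = hh + BSIG1(e) + CH(e, f, g) + K[i] + w[i], t2 = BSIG0(a) + MAJ(a, b, c);
            hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
    }
    for (int i = 0; i < 8; i++)
        for (int j = 0; j < 4; j++) out[4*i + j] = (uint8_t)(h[i] >> (24 - 8*j));
}

static void hmac_sha256(const uint8_t *key, size_t klen, const uint8_t *msg, size_t mlen, uint8_t out[32]) {
    uint8_t k[64] = { 0 }, opad[96], ih[32];
    if (klen > 64) sha256(key, klen, k); else memcpy(k, key, klen);
    uint8_t *ipad = malloc(64 + mlen);                   /* (K ^ ipad) || msg */
    if (!ipad) { memset(out, 0, 32); return; }           /* fail closed: zeros never match a built-in hash */
    for (int i = 0; i < 64; i++) { ipad[i] = k[i] ^ 0x36; opad[i] = k[i] ^ 0x5c; }
    memcpy(ipad + 64, msg, mlen);
    sha256(ipad, 64 + mlen, ih);
    free(ipad);
    memcpy(opad + 64, ih, 32);                           /* (K ^ opad) || inner hash */
    sha256(opad, 96, out);
}

/* Assumptions, not from the patent: key and built-in hashes are patched into the .so after linking,
 * and the toolchain keeps the two marker functions around protected_logic in .text, in this order. */
static const uint8_t hmac_key[] = "build-time-key";                       /* placeholder key */
static const uint8_t constant_region[] = "stand-in for .rodata: server URL, price table";
__attribute__((noinline)) int code_region_start(void) { return 0x5A; }    /* start marker */
int protected_logic(int x) { return x * 31 + 7; }                         /* code under protection */
__attribute__((noinline)) int code_region_end(void) { return 0xA5; }      /* end marker */

/* Code execution area data: the bytes between the two marker functions' addresses. */
size_t code_region(const uint8_t **begin) {
    uintptr_t s = (uintptr_t)code_region_start, e = (uintptr_t)code_region_end;
    uintptr_t lo = s < e ? s : e, hi = s < e ? e : s;
    *begin = (const uint8_t *)lo;
    return (size_t)(hi - lo);
}
void current_constant_hash(uint8_t out[32]) {
    hmac_sha256(hmac_key, sizeof hmac_key - 1, constant_region, sizeof constant_region - 1, out);
}
void current_execution_hash(uint8_t out[32]) {
    const uint8_t *b; size_t n = code_region(&b);
    hmac_sha256(hmac_key, sizeof hmac_key - 1, b, n, out);
}

/* Steps S30/S40: constant-time comparison; a mismatch in any enabled check means tampered. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
int detect_tampering(const uint8_t builtin_constant[32], const uint8_t builtin_exec[32]) {
    uint8_t cur[32]; int tampered = 0;
    current_constant_hash(cur);  tampered |= !ct_equal(cur, builtin_constant, 32);
    current_execution_hash(cur); tampered |= !ct_equal(cur, builtin_exec, 32);
    return tampered;                                     /* 1 = tampered, 0 = intact */
}
```

Running `current_constant_hash` and `current_execution_hash` once at build time and storing the two results in the library is what the patent calls the built-in signature information; at startup (for example from the library's `JNI_OnLoad`) `detect_tampering` recomputes both and reports tampering on any mismatch. The comparison is constant-time so that timing does not reveal which bytes differ, and `hmac_sha256` fails closed on allocation failure. The patent does not say where the HMAC key comes from; in this example it is a placeholder in the same binary, so protecting the key is left to the build pipeline.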
Referring to fig. 3, fig. 3 is a flowchart illustrating a tamper detection method for an application according to a second embodiment of the present invention, and the tamper detection method for an application according to the second embodiment of the present invention is proposed based on the first embodiment illustrated in fig. 2.
In the second embodiment, the step S20 includes:
step S201: and determining the signature file to be detected according to the signature certificate.
It should be noted that the step of determining the signature file to be detected according to the signature certificate may include: acquiring an installation path of the application program to be detected according to the signature certificate, and acquiring an application program file to be detected according to the installation path; and analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
Specifically, the installation path of the application program to be detected is acquired, and the application program file to be detected located under that installation path may be parsed with the libzip library to obtain the signature file to be detected, which is the cert.rsa file.
Step S202: and analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate.
It is easy to understand that the signature file to be detected can be parsed with a C language certificate parsing library, such as openssl or mbedtls, to obtain the certificate hash value to be detected corresponding to the signature certificate.
Specifically, for example, the cert.rsa file is parsed with the C language certificate parsing library openssl to obtain the hash value of the public key of the developer's signing certificate, and that public key hash value is used as the certificate hash value to be detected.
Step S203: taking the hash value of the certificate to be detected as current signature information.
It should be noted that the hash value of the certificate to be detected is used as the current signature information, and the built-in certificate hash value is extracted from the built-in signature information; the built-in certificate hash value is compared with the certificate hash value to be detected to obtain a comparison result. Whether the application program to be detected has been tampered with is determined based on the comparison result: when the built-in certificate hash value is consistent with the certificate hash value to be detected, the application program to be detected is determined not to have been tampered with; and when the built-in certificate hash value is inconsistent with the certificate hash value to be detected, the application program to be detected is determined to have been tampered with.
In the embodiment, the signature file to be detected is determined according to the signature certificate; analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate; and taking the hash value of the certificate to be detected as current signature information. Through the method, the built-in certificate hash value is set in advance for the application program to be detected, and when the application program to be detected is started, whether the hash value of the certificate to be detected corresponding to the signature certificate of the application program to be detected is the original built-in certificate hash value is checked, so that whether the application program to be detected is tampered is determined, the safety of the application program is enhanced, the interests of an original developer are maintained, and the technical problem that the interests of the original developer are seriously damaged due to the fact that the application program is difficult to be detected to be tampered in the prior art is solved.
Referring to fig. 4, fig. 4 is a flowchart illustrating a tamper detection method for an application according to a third embodiment of the present invention, and the third embodiment of the tamper detection method for an application according to the present invention is proposed based on the first embodiment shown in fig. 2. This embodiment is explained based on the first embodiment.
In the third embodiment, the step S20 includes:
Step S204: determining code constant region data according to the signature certificate.
It should be noted that, the step of determining code constant region data according to the signature certificate may include: searching a code constant region starting address and a code constant region ending address according to the signature certificate; and determining code constant region data according to the code constant region starting address and the code constant region ending address.
Specifically, a code constant region start address rodata_start[] and a code constant region end address rodata_end[] are obtained, and the data between the two addresses is the range to be protected.
Step S205: calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate.
It is easy to understand that HMAC is the abbreviation of Hash-based Message Authentication Code, and the HMAC algorithm is an algorithm proposed by H. Krawczyk, M. Bellare and R. Canetti in 1996 for performing message authentication based on a hash function and a key. The HMAC algorithm is a mechanism for message authentication using a hash function in cryptography, and the message authentication it provides includes two aspects. Message integrity authentication: it can be proven that the message content has not been modified during delivery. Information source identity authentication: because both parties share the authentication key, the receiver can verify that the source sending the data is the one claimed, i.e., can reliably confirm that the received message is identical to what was sent.
Specifically, the code constant region data is calculated based on an HMAC algorithm, and a constant hash value to be detected corresponding to the signature certificate is obtained. The HMAC algorithm built on a hash algorithm has a much higher security strength than the hash algorithm alone, and the HMAC-MD5 algorithm constructed from the MD5 message digest algorithm may be used in this embodiment. The HMAC-MD5 algorithm involves K: the secret key; M: the message content; H: the hash function, here MD5; opad and ipad: byte strings consisting of repeated 0x5c and repeated 0x36 respectively. The key K is padded with zeros to create a string of length B; the padded string of length B is XORed with ipad to form a first result string; the data stream of the message M is appended to the end of the first result string to generate a first data stream; the MD5 algorithm is applied to the first data stream; the padded string of length B is XORed with opad to form a second result string; the first data stream is appended to the end of the second result string to generate a second data stream; and the MD5 algorithm is applied to the second data stream, the final output being the constant hash value to be detected corresponding to the signature certificate.
Step S206: taking the constant hash value to be detected as current signature information.
It should be noted that the constant hash value to be detected is used as the current signature information, and the built-in constant hash value is extracted from the built-in signature information; the built-in constant hash value is compared with the constant hash value to be detected to obtain a comparison result. Whether the application program to be detected has been tampered with is determined based on the comparison result: when the built-in constant hash value is consistent with the constant hash value to be detected, the application program to be detected is determined not to have been tampered with; and when the built-in constant hash value is inconsistent with the constant hash value to be detected, the application program to be detected is determined to have been tampered with.
In the embodiment, code constant region data is determined according to the signature certificate; calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate; and taking the constant hash value to be detected as current signature information. By the method, the built-in constant hash value is set in advance for the application program to be detected, and when the application program to be detected is started, whether the constant hash value to be detected corresponding to the signature certificate of the application program to be detected is the original built-in constant hash value is checked, so that whether the application program to be detected is tampered is determined, the safety of the application program is enhanced, the interests of an original developer are maintained, and the technical problem that the interests of the original developer are seriously damaged due to the fact that the application program is difficult to be detected to be tampered in the prior art is solved.
Referring to fig. 5, fig. 5 is a flowchart illustrating a tamper detection method for an application according to a fourth embodiment of the present invention, and the tamper detection method for an application according to the fourth embodiment of the present invention is proposed based on the first embodiment shown in fig. 2. This embodiment is explained based on the first embodiment.
In the fourth embodiment, the step S20 includes:
Step S207: determining code execution region data according to the signature certificate.
It should be noted that the step of determining code execution region data according to the signature certificate may include: searching a code execution starting function and a code execution ending function according to the signature certificate, and operating the code execution starting function and the code execution ending function; receiving a code execution starting address fed back after the code execution starting function runs; receiving a code execution ending address fed back after the code execution ending function runs; and determining code execution area data according to the code execution starting address and the code execution ending address.
Specifically, a code execution start function text_start() and a code execution end function text_end() are located according to the signature certificate, the two functions are run, and the data between the addresses returned by the two functions, namely the text region data, is the range to be protected.
Step S208: calculating the code execution region data based on an HMAC algorithm to obtain an execution hash value to be detected corresponding to the signature certificate.
It is easy to understand that HMAC is the abbreviation of keyed Hash-based Message Authentication Code, and the HMAC algorithm is an algorithm for performing message authentication based on a hash function and a key, proposed by H. Krawczyk, M. Bellare and R. Canetti in 1996. The HMAC algorithm is a mechanism for message authentication using a hash function in cryptography, and the message authentication it provides includes two aspects. Message integrity authentication: it can be proven that the message content has not been modified during delivery. Information source identity authentication: because both parties share the authentication key, the receiver can verify that the source sending the data is the one claimed, i.e., can reliably confirm that the received message is identical to what was sent.
Specifically, the code execution region data is calculated based on an HMAC algorithm, and an execution hash value to be detected corresponding to the signature certificate is obtained. The HMAC algorithm built on a hash algorithm has a much higher security strength than the hash algorithm alone, and the HMAC-MD5 algorithm constructed from the MD5 message digest algorithm may be used in this embodiment. The HMAC-MD5 algorithm involves K: the secret key; M: the message content; H: the hash function, here MD5; opad and ipad: byte strings consisting of repeated 0x5c and repeated 0x36 respectively. The key K is padded with zeros to create a string of length B; the padded string of length B is XORed with ipad to form a first result string; the data stream of the message M is appended to the end of the first result string to generate a first data stream; the MD5 algorithm is applied to the first data stream; the padded string of length B is XORed with opad to form a second result string; the first data stream is appended to the end of the second result string to generate a second data stream; and the MD5 algorithm is applied to the second data stream, the final output being the execution hash value to be detected corresponding to the signature certificate.
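The HMAC-MD5 construction described in Step S205 and again in Step S208, written out step by step as an added example (not code from the patent) so that each padding and XOR step can be checked against Python's standard hmac module. It follows RFC 2104, in which the output of the inner MD5 (rather than the raw first data stream) is what gets appended to the opad-XORed key before the second MD5; the key, the block size B = 64 and the sample strings are this example's own assumptions.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # B: the MD5 block size in bytes


def hmac_md5_by_steps(key: bytes, message: bytes) -> bytes:
    """HMAC-MD5 assembled step by step, as RFC 2104 describes it.

    Added illustration, not the patent's code: it follows the standard
    construction, in which the output of the inner MD5 is appended to the
    outer padded key, and then hashed again.
    """
    # A key longer than one block is first reduced to its own hash (RFC 2104).
    if len(key) > BLOCK_SIZE:
        key = hashlib.md5(key).digest()
    # Step 1: pad the key with zero bytes to the block length B.
    k_padded = key.ljust(BLOCK_SIZE, b"\x00")
    # Step 2: XOR the padded key with ipad (0x36 repeated B times).
    k_ipad = bytes(b ^ 0x36 for b in k_padded)
    # Steps 3 and 4: append the message and apply MD5 (the inner hash).
    inner = hashlib.md5(k_ipad + message).digest()
    # Step 5: XOR the padded key with opad (0x5c repeated B times).
    k_opad = bytes(b ^ 0x5C for b in k_padded)
    # Steps 6 and 7: append the inner hash output and apply MD5 again.
    return hashlib.md5(k_opad + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check the hand-built construction against hmac.new()."""
    reference = hmac.new(key, message, hashlib.md5).digest()
    return hmac.compare_digest(hmac_md5_by_steps(key, message), reference)


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Integrity check on the receiving side: recompute and compare in
    constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_md5_by_steps(key, message), tag)


if __name__ == "__main__":
    k, m = b"key", b"The quick brown fox jumps over the lazy dog"  # constructed sample
    tag = hmac_md5_by_steps(k, m)
    print(tag.hex())                                   # 80070713463e7749b90c2dc24911e275
    print(matches_stdlib(k, m), verify_tag(k, m, tag))  # True True
    print(verify_tag(k, m + b"!", tag))                 # False: one byte changed
```

The empty-key, empty-message and the "key"/"quick brown fox" values are the published HMAC-MD5 test vectors; a mismatch there would indicate that one of the padding or XOR steps has been transcribed wrongly.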
Step S209: taking the execution hash value to be detected as current signature information.
It should be noted that the execution hash value to be detected is used as the current signature information, and the built-in execution hash value is extracted from the built-in signature information; the built-in execution hash value is compared with the execution hash value to be detected to obtain a comparison result. Whether the application program to be detected has been tampered with is determined based on the comparison result: when the built-in execution hash value is consistent with the execution hash value to be detected, the application program to be detected is determined not to have been tampered with; and when the built-in execution hash value is inconsistent with the execution hash value to be detected, the application program to be detected is determined to have been tampered with.
In the present embodiment, code execution region data is determined according to the signature certificate; the code execution region data is calculated based on an HMAC algorithm to obtain an execution hash value to be detected corresponding to the signature certificate; and the execution hash value to be detected is taken as current signature information. By this method, the built-in execution hash value is set in advance for the application program to be detected, and when the application program to be detected is started, whether the execution hash value to be detected corresponding to the signature certificate of the application program to be detected is the original built-in execution hash value is checked, so that whether the application program to be detected has been tampered with is determined, the safety of the application program is enhanced, the interests of the original developer are maintained, and the technical problem in the prior art that the interests of the original developer are seriously damaged because tampering with an application program is difficult to detect is solved.
Referring to fig. 6, fig. 6 is a flowchart illustrating a fifth embodiment of the tamper detection method for an application program according to the present invention, and the fifth embodiment of the tamper detection method for an application program according to the present invention is proposed based on the first embodiment illustrated in fig. 2. This embodiment is explained based on the first embodiment.
In the fifth embodiment, the step S10 includes:
Step S101: acquiring a dynamic link library in the application program to be detected.
It should be noted that, regarding obtaining the dynamic link library in the application program to be detected, an application program may be written in multiple coding languages; code written in C/C++ is called native code, and compared with code written in Java, native code is harder to reverse engineer. The final target compiled from native code is a dynamic link library. A dynamic link byte file, namely the so file, is obtained from the dynamic link library; the so file may comprise a rodata region and a text region, where the rodata region holds the constant region data and the text region holds the execution region data. The built-in certificate hash value can be searched for in the constant region data; the built-in execution hash value address can be searched for in the so file and the built-in execution hash value obtained from that address; and the built-in constant hash value address can be searched for in the so file and the built-in constant hash value obtained from that address.
Specifically, the dynamic link library may include a native layer detection device and an offline update processing device. The native layer detection device may comprise libs, CMakeLists, core.c, empty.c, marker_start.c, marker_end.c and marker.h. libs is the third-party open-source static library on which the dynamic link library depends. CMakeLists is used to compile the dynamic link byte file, namely the so file. marker_start.c places start marks in the text and data of the so file: the constant data_hash is the HMAC value of the data in the so file and can be filled arbitrarily, its purpose being to let the offline update processing device find it easily; the constant data_start is the start mark of the data region and indicates that the data following it is the range to be protected; and the function text_start() is the start mark of the text region and indicates that the code following it is the range to be protected. marker_end.c places end marks in the text and data of the so file: the constant data_end is the end mark of the data region and indicates that the data to be protected ends here, and the function text_end() is the end mark of the text region and indicates that the text data to be protected ends here. marker.h is the header file of marker_start.c and marker_end.c, so that other C files can call the constants and functions in marker_start.c and marker_end.c. empty.c is an empty file, used so that the final so file can be compiled. core.c generates the current signature information according to the signature certificate when the application program to be detected is started.
It should be understood that CMakeLists is used to compile the dynamic link byte file, i.e. the so file, and includes add_library; when add_library is executed, the type of text_start.c, text_end.c and core.c must be set to OBJECT, otherwise functions that are not referenced are optimized away by the compiler when add_library(detect_pointer SHARED reduced.c) is executed.
Step S102: searching for a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value in the dynamic link library.
It is easy to understand that the step of searching the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value from the dynamic link library may include: acquiring a dynamic link byte file from the dynamic link library; acquiring a built-in execution hash value and a built-in constant hash value according to the dynamic link byte file; determining constant area data according to the dynamic link byte file; and searching a built-in certificate hash value from the constant area data.
It should be noted that the step of obtaining the built-in execution hash value and the built-in constant hash value according to the dynamic link byte file may include: searching a built-in execution hash value address in the dynamic link byte file, and acquiring a built-in execution hash value according to the built-in execution hash value address; and searching a built-in constant hash value address in the dynamic link byte file, and acquiring a built-in constant hash value according to the built-in constant hash value address.
Specifically, the HMAC values of the text region and the rodata region, i.e. the built-in execution hash value and the built-in constant hash value, cannot be calculated while the so file is being compiled; a tool, namely the offline update processing device, calculates them after the so file has been compiled successfully. The offline update processing device proceeds as follows:
1. Read the so file into memory and record it as sobytes.
2. Parse sobytes and find the file offsets of the text and rodata sections in the so file, recorded as base_text and base_rodata respectively.
3. Parse sobytes, obtain the symtab symbol table, and find the symbol entries named 'text_start', 'text_end', 'rodata_start' and 'rodata_end'. The addresses of 'text_start' and 'text_end' are the respective symbol entry address minus base_text, recorded as addr_text_start and addr_text_end; the addresses of 'rodata_start' and 'rodata_end' are the respective symbol entry address minus base_rodata, recorded as addr_rodata_start and addr_rodata_end.
4. Randomly generate the key of the HMAC algorithm and record it as key[32].
5. Calculate the HMAC of the data between addr_text_start and addr_text_end to obtain the HMAC value of the text region, i.e. the built-in execution hash value, new_text_hash[32]; search for the position of text_hash[32] in sobytes (its placeholder value can be searched for directly) and replace it with the value of new_text_hash[32].
6. Search for the position of hmac_key[32] in sobytes (its placeholder value can be searched for directly) and replace it with the value of key[32].
7. Calculate the HMAC of the data between addr_rodata_start and addr_rodata_end to obtain the HMAC value of the rodata region, i.e. the built-in constant hash value, new_rodata_hash[32]; search for the position of rodata_hash[32] in sobytes (its placeholder value can be searched for directly) and replace it with the value of new_rodata_hash[32].
8. Write sobytes back to the so file.
9. Process the so file with the command strip -R .comment -s --strip-unneeded, removing the comment section and unused symbol tables from the so file.
It should be understood that the HMAC value of the text region, i.e. the built-in execution hash value, is calculated first, and new_text_hash[32] and key[32] are written into sobytes, before the HMAC value of the rodata region, i.e. the built-in constant hash value, is calculated. Because new_text_hash[32] and key[32] replace the values of text_hash[32] and hmac_key[32] in the so file, and text_hash[32] and hmac_key[32] are located in the data region of the so file, the contents of the data region necessarily change after the replacement, and the HMAC value of the data region, i.e. the built-in constant hash value, changes with them; the HMAC value of the data region must therefore be calculated afterwards. Processing the so file with strip -R .comment -s --strip-unneeded deletes the non-exported symbol table from the so file, so that an attacker cannot find the positions of 'text_start', 'text_end', 'data_start' and 'data_end' in the manner described above, and thus cannot recalculate the HMAC values of the text region and the data region, i.e. cannot recalculate the built-in constant hash value and the built-in execution hash value.
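The offline update procedure of steps 1 to 9 above and the ordering constraint just explained, as an added example in Python that is not the patent's tool. Instead of parsing a real ELF symbol table it works on a constructed byte image in which the protected ranges are delimited by marker strings and the hmac_key, text_hash and rodata_hash slots are 32-byte placeholders found by search, as the text says they can be; the HMAC-MD5 output is stored as its 32-character hex digest to fill a 32-byte slot, which is this example's assumption about why the slots are 32 bytes. It also shows the native-layer check performed at startup and what happens when the rodata HMAC is written before the text HMAC.

```python
import hashlib
import hmac

SLOT = 32  # width of the key[32], text_hash[32] and rodata_hash[32] slots

# Placeholder contents: constructed for this example. marker_start.c fills the
# slots with arbitrary but recognisable bytes so that the offline tool can find
# them by searching; these strings play that role here.
KEY_PLACEHOLDER = b"HMAC_KEY_PLACEHOLDER".ljust(SLOT, b"_")
TEXT_HASH_PLACEHOLDER = b"TEXT_HASH_PLACEHOLDER".ljust(SLOT, b"_")
RODATA_HASH_PLACEHOLDER = b"RODATA_HASH_PLACEHOLDER".ljust(SLOT, b"_")
# Stand-ins for the text_start()/text_end() functions and the
# rodata_start[]/rodata_end[] constants that delimit the protected ranges.
TEXT_START, TEXT_END = b"<text_start>", b"<text_end>"
RODATA_START, RODATA_END = b"<rodata_start>", b"<rodata_end>"


def build_unpatched_so() -> bytes:
    """Constructed stand-in for the freshly compiled so file (not a real ELF)."""
    text = TEXT_START + bytes(range(256)) * 2 + TEXT_END
    # rodata_hash sits outside the rodata_start..rodata_end range because the
    # value a slot stores cannot cover the slot itself; hmac_key and text_hash
    # sit inside it, which is why the text HMAC has to be written first.
    rodata = (RODATA_HASH_PLACEHOLDER + RODATA_START
              + KEY_PLACEHOLDER + TEXT_HASH_PLACEHOLDER
              + b"built-in certificate hash slot:" + bytes(SLOT)
              + RODATA_END)
    return b"ELF-STUB-HEADER" + text + rodata


def locate_slots(unpatched: bytes) -> dict:
    """Offsets of the three slots; the native code knows them as the addresses
    of its own hmac_key[], text_hash[] and rodata_hash[] variables."""
    return {"key": unpatched.index(KEY_PLACEHOLDER),
            "text_hash": unpatched.index(TEXT_HASH_PLACEHOLDER),
            "rodata_hash": unpatched.index(RODATA_HASH_PLACEHOLDER)}


def protected_range(image: bytes, start: bytes, end: bytes) -> bytes:
    """Bytes strictly between a start marker and the matching end marker."""
    s = image.index(start) + len(start)
    return image[s:image.index(end, s)]


def hmac_md5_slot(key: bytes, data: bytes) -> bytes:
    """HMAC-MD5 as 32 ASCII hex bytes, the width of one slot (assumption)."""
    return hmac.new(key, data, hashlib.md5).hexdigest().encode("ascii")


def patch_slot(image: bytes, placeholder: bytes, value: bytes) -> bytes:
    """Replace a placeholder found by search; it must be unique and slot-sized."""
    assert len(placeholder) == len(value) == SLOT
    pos = image.index(placeholder)
    assert image.find(placeholder, pos + 1) == -1, "placeholder not unique"
    return image[:pos] + value + image[pos + SLOT:]


def offline_update(unpatched: bytes, key: bytes) -> bytes:
    """Steps 4 to 8 of the offline update processing device, in the right order."""
    assert len(key) == SLOT
    image = unpatched
    # Text first: its range contains neither slot, so it is already final.
    text_mac = hmac_md5_slot(key, protected_range(image, TEXT_START, TEXT_END))
    image = patch_slot(image, TEXT_HASH_PLACEHOLDER, text_mac)
    image = patch_slot(image, KEY_PLACEHOLDER, key)
    # Only now is the rodata range final (it contains key and text_hash).
    rodata_mac = hmac_md5_slot(key, protected_range(image, RODATA_START, RODATA_END))
    return patch_slot(image, RODATA_HASH_PLACEHOLDER, rodata_mac)


def offline_update_wrong_order(unpatched: bytes, key: bytes) -> bytes:
    """Same steps with rodata hashed first: the stored value covers placeholders
    that are overwritten afterwards, so the startup check can never pass."""
    image = unpatched
    rodata_mac = hmac_md5_slot(key, protected_range(image, RODATA_START, RODATA_END))
    image = patch_slot(image, RODATA_HASH_PLACEHOLDER, rodata_mac)
    text_mac = hmac_md5_slot(key, protected_range(image, TEXT_START, TEXT_END))
    image = patch_slot(image, TEXT_HASH_PLACEHOLDER, text_mac)
    return patch_slot(image, KEY_PLACEHOLDER, key)


def native_layer_check(image: bytes, slots: dict) -> bool:
    """What core.c does at startup: read the built-in values from its own
    image, recompute both HMACs and compare them in constant time."""
    read = lambda name: image[slots[name]:slots[name] + SLOT]
    key = read("key")
    text_ok = hmac.compare_digest(
        read("text_hash"), hmac_md5_slot(key, protected_range(image, TEXT_START, TEXT_END)))
    rodata_ok = hmac.compare_digest(
        read("rodata_hash"), hmac_md5_slot(key, protected_range(image, RODATA_START, RODATA_END)))
    return text_ok and rodata_ok


def flip_byte(image: bytes, offset: int) -> bytes:
    """Simulate a one-byte modification of the installed so file."""
    patched = bytearray(image)
    patched[offset] ^= 0x01
    return bytes(patched)


if __name__ == "__main__":
    unpatched = build_unpatched_so()
    slots = locate_slots(unpatched)
    key = hashlib.sha256(b"constructed demo key").digest()  # a real tool draws key[32] at random
    so = offline_update(unpatched, key)
    print("untampered:", native_layer_check(so, slots))                                   # True
    print("byte flipped in text:", native_layer_check(flip_byte(so, so.index(TEXT_START) + 20), slots))  # False
    print("byte flipped in header:", native_layer_check(flip_byte(so, 0), slots))        # True
    print("wrong order:", native_layer_check(offline_update_wrong_order(unpatched, key), slots))  # False
```

Two points the run makes visible: the rodata_hash slot has to lie outside the rodata_start/rodata_end range, since a slot cannot be covered by the value it stores; and a byte changed outside both ranges (the header flip) is not detected, so the marker placement decides what the scheme actually protects. The key is stored in the same image the HMACs cover, so this is a tamper-evidence layer whose strength lies in the protected ranges and slots not being easy to locate (hence the strip step), not in a secret key.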
Step S103: taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information.
It should be noted that the built-in certificate hash value, the built-in constant hash value, and the built-in execution hash value are used as built-in signature information, and the built-in signature information may include a plurality of hash values. In addition, the built-in signature information may further include other hash values according to actual needs, which is not limited in this embodiment.
Step S104: acquiring the signature certificate of the application program to be detected.
It will be readily appreciated that a signing certificate provides a software developer with an ideal solution to enabling a software developer to digitally sign its software code. The software source and the real identity of a software developer are identified by digitally signing the code, so that the code is prevented from being maliciously tampered after signing, and the credibility of the code can be effectively verified when a user downloads the signed code.
Specifically, a signature certificate of the application program to be detected is obtained, current signature information may be generated according to the signature certificate, the current signature information may include a hash value of the certificate to be detected, a constant hash value to be detected, and an execution hash value to be detected, the built-in signature information and the current signature information are compared to obtain a comparison result, whether the application program to be detected is tampered is determined based on the comparison result, and when the built-in signature information and the current signature information are consistent, it is determined that the application program to be detected is not tampered; and when the built-in signature information is inconsistent with the current signature information, determining that the application program to be detected is tampered.
It should be noted that the dynamic link library protects the integrity of the Android application and increases the difficulty of cracking for an attacker. All code of the dynamic link library is native code, which increases the difficulty of reverse engineering; and the signature of the developer certificate is obtained with a C function, which prevents an attacker from changing the return value of the certificate signature query by hooking a key Java function. The dynamic link library may comprise a native layer detection device and an offline update processing device.
It should be understood that the native layer detection device embeds the developer's built-in certificate hash value and calculates the HMAC values of the text and rodata sections of the so file, namely the built-in constant hash value and the built-in execution hash value, so that an attacker is prevented from attacking the native layer code by tampering with the built-in certificate hash value or with the native layer code itself. Since the built-in certificate hash value is located in the rodata region of the so file, and the built-in constant hash value of the rodata region is calculated by the offline update processing device, once the application program to be detected is tampered with, the hash values calculated by the native layer detection device at startup differ, so that the tampering can be detected; meanwhile, the code with which the native layer detection device calculates the hash values is located in the text region of the so file, and the hash value of the text region is also calculated by the offline update processing device, so that the native layer detection device can also detect tampering with its own code.
In this embodiment, a dynamic link library in the application program to be detected is obtained; searching a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value from the dynamic link library; taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information; and acquiring the signature certificate of the application program to be detected. Through the method, the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value are set in advance for the application program to be detected, and when the application program to be detected is started, whether the hash value to be detected corresponding to the signature certificate of the application program to be detected is the original built-in hash value is checked, so that whether the application program to be detected is tampered or not is determined, the safety of the application program is enhanced, the interests of an original developer are maintained, and the technical problem that the interests of the original developer are seriously damaged due to the fact that the application program is difficult to detect to be tampered in the prior art is solved.
In addition, an embodiment of the present invention further provides a storage medium, where a tampering detection program of an application program is stored on the storage medium, and when the tampering detection program of the application program is executed by a processor, the steps of the method for detecting tampering of the application program are implemented as described above.
Since the storage medium adopts all technical solutions of all the above embodiments, at least all the beneficial effects brought by the technical solutions of the above embodiments are achieved, and details are not repeated herein.
In addition, referring to fig. 7, an embodiment of the present invention further provides a tamper detection device for an application program, where the tamper detection device for an application program includes:
the acquiring module 10 is configured to acquire built-in signature information and a signature certificate in an application program to be detected when the application program to be detected is started.
It should be noted that when the application program to be detected is started, the built-in signature information and the signature certificate in the application program to be detected are obtained, where the built-in signature information in the application program to be detected is obtained, and the built-in signature information may include multiple hash values, and three hash values are described below as an example, and the built-in signature information may include a built-in certificate hash value, a built-in constant hash value, and a built-in execution hash value, and certainly, at least two hash values may also be used in combination. In addition, the built-in signature information may further include other hash values according to actual needs, which is not limited in this embodiment.
It can be understood that, when the application program to be detected is started, acquiring the built-in signature information and the signature certificate in the application program to be detected may include: acquiring a dynamic link library in the application program to be detected; searching a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value from the dynamic link library; taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information; and acquiring the signature certificate of the application program to be detected.
Specifically, an application program can be written in various coding languages; code written in C/C++ is called native code, and compared with code written in Java, native code is harder to reverse engineer. The final target compiled from native code is a dynamic link library. A dynamic link byte file, namely the so file, is obtained from the dynamic link library; the so file may comprise a rodata region and a text region, where the rodata region holds the constant region data and the text region holds the execution region data. The built-in certificate hash value can be searched for in the constant region data; the built-in execution hash value address can be searched for in the so file and the built-in execution hash value obtained from that address; and the built-in constant hash value address can be searched for in the so file and the built-in constant hash value obtained from that address.
The generating module 20 is configured to generate current signature information according to the signature certificate.
It is easy to understand that the current signature information is generated according to the signature certificate, where the current signature information may include multiple items; three hash values are described below as an example, and the current signature information may include a hash value of the certificate to be detected, a constant hash value to be detected and an execution hash value to be detected, and of course at least two of these hash values may also be used in combination. In addition, the current signature information may further include other hash values according to actual needs, which is not limited in this embodiment.
Specifically, the step of generating the current signature information according to the signature certificate may include: determining a signature file to be detected according to the signature certificate; analyzing the signature file to be detected to obtain the hash value of the certificate to be detected corresponding to the signature certificate; and taking the hash value of the certificate to be detected as current signature information.
Specifically, the step of generating current signature information according to the signature certificate may include: determining code constant region data according to the signature certificate; computing an HMAC over the code constant region data to obtain the constant hash value to be detected corresponding to the signature certificate; and taking the constant hash value to be detected as current signature information.
Specifically, the step of generating current signature information according to the signature certificate may include: determining code execution area data according to the signature certificate; computing an HMAC over the code execution area data to obtain the execution hash value to be detected corresponding to the signature certificate; and taking the execution hash value to be detected as current signature information.
A comparison module 30, configured to compare the built-in signature information with the current signature information to obtain a comparison result.
It should be noted that the built-in signature information is compared with the current signature information to obtain a comparison result. The comparison may be performed in several ways; three are described as examples below, and of course at least two of them may also be used in combination. In addition, the current signature information and the built-in signature information may further include other hash values according to actual needs, and other comparison manners may be adopted accordingly, which is not limited in this embodiment.
In a first mode, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in certificate hash value from the built-in signature information; and comparing the built-in certificate hash value with the certificate hash value to be detected to obtain a comparison result.
In a second mode, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in constant hash value from the built-in signature information; and comparing the built-in constant hash value with the constant hash value to be detected to obtain a comparison result.
In a third mode, the step of comparing the built-in signature information with the current signature information to obtain a comparison result may include: extracting a built-in execution hash value from the built-in signature information; and comparing the built-in execution hash value with the execution hash value to be detected to obtain a comparison result.
A determining module 40, configured to determine whether the application to be detected is tampered based on the comparison result.
It is easy to understand that whether the application program to be detected has been tampered with is determined based on the comparison result: when the built-in signature information is consistent with the current signature information, the application program to be detected is determined not to be tampered with; and when the built-in signature information is inconsistent with the current signature information, the application program to be detected is determined to be tampered with.
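The four steps above (acquire the built-in hashes, regenerate them from the installed binary, compare, decide) carried through end to end, as an added example rather than code from the patent or its applicant. It stands in a constructed byte buffer for the .so file, supplies the constant and execution region addresses in a layout dict instead of searching the file for them, and uses SHA-256 for the certificate hash and HMAC-SHA256 with an assumed fixed build-time key (the patent names an HMAC algorithm but not where its key is kept; `HMAC_KEY`, `build_library`, `demo` and all sample inputs are constructed here). One design choice worth noting: the constant region that is hashed deliberately excludes the slots that hold the built-in hashes, otherwise the embedded constant hash would depend on its own value.

```python
import hashlib
import hmac

# Assumption: the patent specifies an HMAC but not the key; a fixed build-time
# key stands in for it here (in a real build it would not be a plain literal).
HMAC_KEY = b"example-build-time-key"
DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes per built-in hash slot


def build_library(rodata: bytes, text: bytes, cert_der: bytes):
    """Constructed stand-in for a built .so: [rodata][3 hash slots][text].

    The three slots are the built-in certificate hash, constant hash and
    execution hash that the patent embeds in the dynamic link library.
    Returns the bytes plus the addresses the verifier needs.
    """
    cert_hash = hashlib.sha256(cert_der).digest()
    const_hash = hmac.new(HMAC_KEY, rodata, hashlib.sha256).digest()
    exec_hash = hmac.new(HMAC_KEY, text, hashlib.sha256).digest()
    lib = rodata + cert_hash + const_hash + exec_hash + text
    layout = {
        "const_start": 0,
        "const_end": len(rodata),            # hash slots excluded from the hashed range
        "slot_addr": len(rodata),            # where the three built-in hashes live
        "exec_start": len(rodata) + 3 * DIGEST_LEN,
        "exec_end": len(lib),
    }
    return lib, layout


def acquire_builtin_signature(lib: bytes, layout: dict) -> dict:
    """Step 1: read the three built-in hash values from their slots."""
    s = layout["slot_addr"]
    return {
        "cert": lib[s:s + DIGEST_LEN],
        "const": lib[s + DIGEST_LEN:s + 2 * DIGEST_LEN],
        "exec": lib[s + 2 * DIGEST_LEN:s + 3 * DIGEST_LEN],
    }


def generate_current_signature(lib: bytes, layout: dict, cert_der: bytes) -> dict:
    """Step 2: recompute the same three values from what is actually installed."""
    const_region = lib[layout["const_start"]:layout["const_end"]]
    exec_region = lib[layout["exec_start"]:layout["exec_end"]]
    return {
        "cert": hashlib.sha256(cert_der).digest(),
        "const": hmac.new(HMAC_KEY, const_region, hashlib.sha256).digest(),
        "exec": hmac.new(HMAC_KEY, exec_region, hashlib.sha256).digest(),
    }


def compare_signatures(builtin: dict, current: dict) -> dict:
    """Step 3: compare value by value; constant-time so the check leaks nothing."""
    return {k: hmac.compare_digest(builtin[k], current[k]) for k in builtin}


def is_tampered(lib: bytes, layout: dict, cert_der: bytes):
    """Step 4: any mismatch means the installed app is not the original build.

    Returns (tampered, sorted names of the values that did not match).
    """
    result = compare_signatures(acquire_builtin_signature(lib, layout),
                                generate_current_signature(lib, layout, cert_der))
    mismatched = sorted(k for k, ok in result.items() if not ok)
    return bool(mismatched), mismatched


def demo():
    """Runs the check against constructed inputs: the original build, a build
    re-signed with another certificate, a patched text byte, a patched rodata byte."""
    rodata = b"constructed rodata: string constants and lookup tables\x00"
    text = bytes(range(256)) * 2          # stand-in for machine code, not real code
    cert = b"constructed DER of the original developer's signing certificate"
    lib, layout = build_library(rodata, text, cert)

    def patched(buf: bytes, addr: int) -> bytes:   # flip one byte at addr
        return buf[:addr] + bytes([buf[addr] ^ 0xFF]) + buf[addr + 1:]

    return {
        "original": is_tampered(lib, layout, cert),
        "resigned": is_tampered(lib, layout, b"constructed DER of a third-party certificate"),
        "code_patch": is_tampered(patched(lib, layout["exec_start"] + 10), layout, cert),
        "const_patch": is_tampered(patched(lib, 3), layout, cert),
    }


if __name__ == "__main__":
    for name, (tampered, bad) in demo().items():
        print(f"{name:12s} tampered={tampered} mismatched={bad}")
```

Each scenario isolates one of the three values, which is the practical reason for keeping three separate hashes rather than one: a re-signed package trips only the certificate hash, a patched instruction trips only the execution hash, and an edited string constant trips only the constant hash, so the mismatched names tell the defender what was changed.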
It should be noted that, if the built-in signature information is inconsistent with the current signature information, the user may further be prompted to perform corresponding processing, for example: forbidding the application program to be detected from using any permission that may incur charges, including network communication, telephone calls, short messages and the like; or informing the user through a pop-up prompt box that the installed application program has been tampered with by a third party and providing a download button for a safe installation package, so that when the user clicks the download button the safe installation package starts to download. This is very convenient and quick: the user does not need to search for the correct installation package himself, which saves the user a great deal of time.
In this embodiment, an apparatus for detecting tampering of an application program is provided, including: an acquisition module 10, configured to acquire built-in signature information and a signature certificate in an application program to be detected when the application program to be detected is started; a generating module 20, configured to generate current signature information according to the signature certificate; a comparison module 30, configured to compare the built-in signature information with the current signature information to obtain a comparison result; and a determining module 40, configured to determine whether the application program to be detected is tampered with based on the comparison result. By this means, built-in signature information is set in advance for the application program to be detected, and when the application program to be detected is started, it is verified whether the current signature information corresponding to its signature certificate matches the original built-in signature information, thereby determining whether the application program has been tampered with. This enhances the security of the application program, protects the interests of the original developer, and solves the technical problem in the prior art that tampering with an application program is difficult to detect, so that the interests of the original developer are seriously damaged.
Other embodiments or specific implementation manners of the tamper detection device for an application program according to the present invention may refer to the above method embodiments, and are not described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and the like do not denote any order, but rather the words first, second and the like may be interpreted as indicating any order.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention or portions thereof that contribute to the prior art may be embodied in the form of a software product, where the computer software product is stored in a storage medium (e.g., a Read Only Memory (ROM)/Random Access Memory (RAM), a magnetic disk, an optical disk), and includes several instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
The invention discloses A1, a method for detecting tampering of an application program, which comprises the following steps:
when an application program to be detected is started, acquiring built-in signature information and a signature certificate in the application program to be detected;
generating current signature information according to the signature certificate;
comparing the built-in signature information with the current signature information to obtain a comparison result;
and determining whether the application program to be detected is tampered or not based on the comparison result.
A2, the method for detecting tampering of an application program according to A1, wherein the step of generating current signature information according to the signature certificate specifically includes:
determining a signature file to be detected according to the signature certificate;
analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate;
and taking the hash value of the certificate to be detected as current signature information.
A3, the method for detecting tampering of an application program according to A2, wherein the step of determining the signature file to be detected according to the signature certificate specifically includes:
acquiring an installation path of the application program to be detected according to the signature certificate, and acquiring an application program file to be detected according to the installation path;
and analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
A4, the method for detecting tampering of an application program according to A3, wherein the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in certificate hash value from the built-in signature information;
and comparing the built-in certificate hash value with the certificate hash value to be detected to obtain a comparison result.
A5, the method for detecting tampering of an application program according to A1, wherein the step of generating current signature information according to the signature certificate specifically includes:
determining code constant region data according to the signature certificate;
calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate;
and taking the constant hash value to be detected as current signature information.
A6, the method for detecting tampering of an application program according to A5, wherein the step of determining the code constant region data according to the signature certificate specifically includes:
searching a code constant region starting address and a code constant region ending address according to the signature certificate;
and determining code constant region data according to the code constant region starting address and the code constant region ending address.
A7, the method for detecting tampering of an application program according to A6, wherein the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in constant hash value from the built-in signature information;
and comparing the built-in constant hash value with the constant hash value to be detected to obtain a comparison result.
A8, the method for detecting tampering of an application program according to A1, wherein the step of generating current signature information according to the signature certificate specifically includes:
determining code execution area data according to the signature certificate;
calculating the code execution area data based on an HMAC algorithm to obtain an execution hash value to be detected corresponding to the signature certificate;
and taking the to-be-detected execution hash value as current signature information.
A9, the method for detecting tampering of an application program according to A8, wherein the step of determining code execution area data according to the signature certificate specifically includes:
searching a code execution starting function and a code execution ending function according to the signature certificate, and operating the code execution starting function and the code execution ending function;
receiving a code execution starting address fed back after the code execution starting function runs;
receiving a code execution ending address fed back after the code execution ending function runs;
and determining code execution area data according to the code execution starting address and the code execution ending address.
A10, the method for detecting tampering of an application program according to A9, wherein the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in execution hash value from the built-in signature information;
and comparing the built-in execution hash value with the execution hash value to be detected to obtain a comparison result.
A11, the method for detecting tampering of an application program according to any one of A1 to A10, wherein the step of obtaining the built-in signature information and the signature certificate in the application program to be detected specifically includes:
acquiring a dynamic link library in the application program to be detected;
searching a built-in certificate hash value, a built-in constant hash value and a built-in execution hash value from the dynamic link library;
taking the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value as built-in signature information;
and acquiring the signature certificate of the application program to be detected.
A12, the method for detecting tampering of an application program according to A11, wherein the step of searching the built-in certificate hash value, the built-in constant hash value and the built-in execution hash value from the dynamic link library specifically includes:
acquiring a dynamic link byte file from the dynamic link library;
acquiring a built-in execution hash value and a built-in constant hash value according to the dynamic link byte file;
determining constant area data according to the dynamic link byte file;
and searching a built-in certificate hash value from the constant area data.
A13, the method for detecting tampering of an application program according to A12, wherein the step of obtaining the built-in execution hash value and the built-in constant hash value according to the dynamic link byte file specifically includes:
searching a built-in execution hash value address in the dynamic link byte file, and acquiring a built-in execution hash value according to the built-in execution hash value address;
and searching a built-in constant hash value address in the dynamic link byte file, and acquiring the built-in constant hash value according to the built-in constant hash value address.
The invention also discloses B14, a tamper detection device of the application program, the tamper detection device of the application program comprises:
an acquisition module, configured to acquire built-in signature information and a signature certificate in an application program to be detected when the application program to be detected is started;
the generating module is used for generating current signature information according to the signature certificate;
the comparison module is used for comparing the built-in signature information with the current signature information to obtain a comparison result;
and the determining module is used for determining whether the application program to be detected is tampered based on the comparison result.
B15, the tamper detection device of the application program as described in B14, the generation module being further configured to determine the signature file to be detected according to the signature certificate;
the generation module is further configured to analyze the signature file to be detected and obtain a hash value of the certificate to be detected corresponding to the signature certificate;
the generation module is further configured to use the hash value of the certificate to be detected as current signature information.
B16, the tamper detection device for an application program according to B15, wherein the generating module is further configured to obtain an installation path of the application program to be detected according to the signature certificate, and obtain an application program file to be detected according to the installation path;
the generation module is further used for analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
B17, the tamper detection device for an application program according to B16, wherein the comparison module is further configured to extract a built-in certificate hash value from the built-in signature information;
the comparison module is further configured to compare the built-in certificate hash value with the to-be-detected certificate hash value to obtain a comparison result.
B18, the tamper detection device of the application program as described in B14, the generating module being further configured to determine code constant region data according to the signature certificate;
the generation module is further configured to calculate the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate;
and the generating module is further configured to use the constant hash value to be detected as current signature information.
C19, a tamper detection device for an application program, the tamper detection device comprising: a memory, a processor, and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the tamper detection method of an application program as described above.
D20, a storage medium having stored thereon a tamper detection program for an application program, which when executed by a processor implements the steps of the method for tamper detection of an application program as described above.

Claims (10)

1. A method for detecting tampering of an application program, the method comprising:
when an application program to be detected is started, acquiring built-in signature information and a signature certificate in the application program to be detected;
generating current signature information according to the signature certificate;
comparing the built-in signature information with the current signature information to obtain a comparison result;
and determining whether the application program to be detected is tampered based on the comparison result.
2. The method for detecting tampering of an application program according to claim 1, wherein the step of generating current signature information according to the signature certificate specifically includes:
determining a signature file to be detected according to the signature certificate;
analyzing the signature file to be detected to obtain a hash value of the certificate to be detected corresponding to the signature certificate;
and taking the hash value of the certificate to be detected as current signature information.
3. The method for detecting tampering of an application program according to claim 2, wherein the step of determining the signature file to be detected according to the signature certificate specifically includes:
acquiring an installation path of the application program to be detected according to the signature certificate, and acquiring an application program file to be detected according to the installation path;
and analyzing the application program file to be detected through a preset analysis library to obtain a signature file to be detected.
4. The method for detecting tampering of an application program according to claim 3, wherein the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in certificate hash value from the built-in signature information;
and comparing the built-in certificate hash value with the certificate hash value to be detected to obtain a comparison result.
5. The method for detecting tampering of an application program according to claim 1, wherein the step of generating current signature information according to the signature certificate specifically includes:
determining code constant region data according to the signature certificate;
calculating the code constant region data based on an HMAC algorithm to obtain a constant hash value to be detected corresponding to the signature certificate;
and taking the constant hash value to be detected as current signature information.
6. The method for detecting tampering of an application program according to claim 5, wherein the step of determining the code constant region data according to the signature certificate specifically includes:
searching a code constant region starting address and a code constant region ending address according to the signature certificate;
and determining code constant region data according to the code constant region starting address and the code constant region ending address.
7. The method for detecting tampering of an application program according to claim 6, wherein the step of comparing the built-in signature information with the current signature information to obtain a comparison result specifically includes:
extracting a built-in constant hash value from the built-in signature information;
and comparing the built-in constant hash value with the constant hash value to be detected to obtain a comparison result.
8. An application tamper detection device, comprising:
an acquisition module, configured to acquire built-in signature information and a signature certificate in an application program to be detected when the application program to be detected is started;
the generating module is used for generating current signature information according to the signature certificate;
the comparison module is used for comparing the built-in signature information with the current signature information to obtain a comparison result;
and the determining module is used for determining whether the application program to be detected is tampered based on the comparison result.
9. A tamper detection device for an application program, characterized in that the tamper detection device for an application program comprises: a memory, a processor, and a program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the tamper detection method of an application program according to any one of claims 1 to 7.
10. A storage medium, characterized in that the storage medium has stored thereon a tamper detection program of an application program, which when executed by a processor implements the steps of the tamper detection method of an application program according to any one of claims 1 to 7.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202011572290.9A CN114662062A (en) 2020-12-23 2020-12-23 Application program tampering detection method, device, equipment and storage medium
PCT/CN2021/090704 WO2022134419A1 (en) 2020-12-23 2021-04-28 Tamper detection method and apparatus for application program, device, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202011572290.9A CN114662062A (en) 2020-12-23 2020-12-23 Application program tampering detection method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114662062A true CN114662062A (en) 2022-06-24

Family

ID=82024281

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011572290.9A Pending CN114662062A (en) 2020-12-23 2020-12-23 Application program tampering detection method, device, equipment and storage medium

Country Status (2)

Country Link
CN (1) CN114662062A (en)
WO (1) WO2022134419A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116401147B (en) * 2023-02-08 2024-05-03 深圳开源互联网安全技术有限公司 Function library reference version detection method, equipment and storage medium

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102664874B (en) * 2012-03-29 2016-08-03 北京奇虎科技有限公司 A kind of method and system for secure logging in
CN104298915A (en) * 2014-10-16 2015-01-21 厦门美图之家科技有限公司 Installation package tampering preventing method
CN105844150A (en) * 2016-03-23 2016-08-10 青岛海信传媒网络技术有限公司 Application program data protection method and device
CN105956456B (en) * 2016-04-26 2019-02-19 南京邮电大学 A kind of pair of android system carries out the implementation method of quadruple combinations signature verification
CN108197469B (en) * 2017-11-28 2020-12-18 东软集团股份有限公司 Method and device for verifying application program, storage medium and electronic equipment

Also Published As

Publication number Publication date
WO2022134419A1 (en) 2022-06-30


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination