
CN110866251A - Extraction method and device of encrypted character string, electronic equipment and storage medium - Google Patents


Info

Publication number
CN110866251A
Authority
CN
China
Prior art keywords
operation instruction
instruction
function
simulating
character string
Legal status
Pending
Application number
CN201811539786.9A
Other languages
Chinese (zh)
Inventor
何公道
王天博
童志明
Current Assignee
Harbin Antian Science And Technology Group Co ltd
Harbin Antiy Technology Group Co Ltd
Original Assignee
Harbin Antian Science And Technology Group Co ltd
Application filed by Harbin Antian Science And Technology Group Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses an extraction method and device for an encrypted character string and an electronic device, relates to the technical field of information security, and can extract the encrypted character string under limited available conditions. The extraction method of the encrypted character string comprises the following steps: judging whether the sample file is an executable file or not; if the sample file is an executable file, locating an entry function of the executable file; simulating the operation of the operation instructions starting from the entry function, and putting the operation results into a simulated stack; extracting a character string from the stack. The apparatus and electronic device include modules for performing the method. The method is suitable for extracting encrypted character strings.

Description

Extraction method and device of encrypted character string, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to a method and an apparatus for extracting an encrypted string, an electronic device, and a storage medium.
Background
Detecting or identifying files by means of features is a common technique in the anti-virus field. A character string is a common feature: many viruses, shells (packers), packages, tools and so on can be detected or identified by a feature in the form of a character string. For example, a Bulehero mining Trojan is detected by the "Bulehero" string, the UPX shell is identified by the "UPX!" string, the NSIS package by the "NSIS" string, the deflate compression library by the "deflate" string, and so on.
Effective extraction of the character strings in a sample file is therefore a key step in detecting or identifying the sample file. The existing method for extracting encrypted character strings is dynamic extraction: a virtual machine or sandbox executes the sample, and the character strings in the memory range occupied by the program during execution are then obtained. Since an encrypted string is decrypted into memory while the sample executes, it can be extracted in this way. Dynamic extraction has a number of limitations. First, many samples wipe the memory holding a decrypted character string once it has been used, so the decrypted string can no longer be obtained after dynamic execution finishes; second, dynamic execution requires a virtual machine or sandbox, and not every environment can deploy one, so the conditions of use are limited.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, an electronic device, and a storage medium for extracting an encrypted character string, which can extract the encrypted character string under limited conditions.
In a first aspect, an embodiment of the present invention provides a method for extracting an encrypted character string, including: judging whether the sample file is an executable file or not; if the sample file is an executable file, locating an entry function of the executable file; simulating the operation of the operation instruction from the entry function, and putting the operation result into a simulated stack; extracting a string from the stack.
According to a specific implementation manner of the embodiment of the present invention, the simulating, from the entry function, an operation of an operation instruction, and placing an operation result in a simulated stack includes: judging whether a first operation instruction in the entry function is a preset key operation instruction or not; wherein, the key operation instruction is an operation instruction for executing decryption operation; if the first operation instruction in the entry function is a preset key operation instruction, simulating the operation of the first operation instruction, and putting the operation result into a simulated stack, otherwise, abandoning the operation of simulating the first operation instruction.
According to a specific implementation manner of the embodiment of the present invention, after simulating an operation of the first operation instruction and putting an operation result into a simulated stack, the extraction method further includes: judging whether a second operation instruction in the entry function is an instruction for calling a sub-function; if the second operation instruction in the entry function is an instruction for calling the sub-function, executing the calling operation on the sub-function; judging whether a third operation instruction in the subfunction is a preset key operation instruction or not; if the third operation instruction in the subfunction is a preset key operation instruction, simulating the operation of the third operation instruction, and putting the operation result into the simulated stack, otherwise, abandoning the operation of simulating the third operation instruction.
According to a specific implementation manner of the embodiment of the present invention, the extracting the character string from the stack includes: judging whether a fourth operation instruction in the entry function is a jump instruction, or is a sub-function calling instruction, or is a function ending operation instruction; and if the fourth operation instruction in the entry function is a jump instruction, or a call sub-function instruction, or a function end operation instruction, extracting the character string from the stack.
In a second aspect, an embodiment of the present invention provides an apparatus for extracting an encrypted character string, including: a first judgment module, configured to judge whether the sample file is an executable file or not; an entry function positioning module, configured to locate the entry function of the executable file if the sample file is an executable file; a first simulation execution module, configured to simulate, starting from the entry function, the operation of an operation instruction and put the operation result into a simulated stack; and an extraction module, configured to extract character strings from the stack.
According to a specific implementation manner of the embodiment of the present invention, the first simulation execution module includes: a first judgment sub-module, configured to judge whether the first operation instruction in the entry function is a preset key operation instruction, wherein a key operation instruction is an operation instruction for executing a decryption operation; and a first simulation execution sub-module, configured to simulate the operation of the first operation instruction and put the operation result into a simulated stack if the first operation instruction in the entry function is a preset key operation instruction, and otherwise to abandon simulating the first operation instruction.
According to a specific implementation manner of the embodiment of the present invention, the first simulation execution module further includes: a second judgment sub-module, configured to judge whether a second operation instruction in the entry function is an instruction for calling a sub-function; a calling sub-module, configured to execute the calling operation on the sub-function if the second operation instruction in the entry function is an instruction for calling a sub-function; and a second simulation execution sub-module, configured to judge whether a third operation instruction in the sub-function is a preset key operation instruction and, if so, to simulate the operation of the third operation instruction and put the operation result into the simulated stack, and otherwise to abandon simulating the third operation instruction.
According to a specific implementation manner of the embodiment of the present invention, the extraction module includes: a third judgment sub-module, configured to judge whether a fourth operation instruction in the entry function is a jump instruction, a sub-function call instruction, or a function end operation instruction; and an extraction sub-module, configured to extract the character string from the stack if the fourth operation instruction in the entry function is a jump instruction, a sub-function call instruction, or a function end operation instruction.
In a third aspect, an embodiment of the present invention provides an electronic device, including: a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged in the space enclosed by the housing, and the processor and the memory are arranged on the circuit board; the power supply circuit supplies power to each circuit or device of the electronic device; the memory stores executable program code; and the processor, by reading the executable program code stored in the memory, runs the program corresponding to that code in order to execute the method of any one of the foregoing implementations.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement a method as described in any of the preceding implementations.
The embodiment of the invention provides an extraction method and device of an encrypted character string, electronic equipment and a storage medium, wherein whether a sample file is an executable file is judged; if the sample file is an executable file, locating an entry function of the executable file; simulating the operation of the operation instruction from the entry function, and putting the operation result into a simulated stack; extracting a string from the stack. In this way, the encrypted character string can be extracted even when the available conditions are limited, i.e., without using a virtual machine, a sandbox, or the like.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart of a first embodiment of a method for extracting encrypted strings according to the present invention;
FIG. 2 is a flowchart illustrating a second embodiment of a method for extracting encrypted strings according to the present invention;
FIG. 3 is a flowchart of a third embodiment of the method for extracting encrypted strings according to the present invention;
FIG. 4 is assembly instruction code for a program;
FIG. 5 is a schematic structural diagram of an apparatus for extracting an encrypted string according to a first embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a second device for extracting encrypted strings according to the present invention;
FIG. 7 is a schematic structural diagram of a third embodiment of an apparatus for extracting an encrypted character string according to the present invention;
FIG. 8 is a schematic structural diagram of an electronic device according to an embodiment of the invention.
Detailed Description
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
It should be understood that the described embodiments are only some embodiments of the invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In a first aspect, an embodiment of the present invention provides an extraction method for an encrypted character string, which can extract the encrypted character string under a limited available condition.
Fig. 1 is a flowchart of a first embodiment of a method for extracting an encrypted character string according to the present invention, and referring to fig. 1, the method of this embodiment may include the steps of:
S101, judging whether the sample file is an executable file or not.
In this embodiment, the sample file is the program code that needs to be detected or identified. An executable file is a file that can be loaded and executed by the operating system; under the Windows operating system an executable program may be a file of a type such as exe, sys or com. Unlike Windows, Linux does not distinguish file types by extension; one generally checks whether the file attributes contain the execute permission (x) with the ls -l command.
S102, if the sample file is an executable file, locating an entry function of the executable file.
In this embodiment, the entry function is the function called first when the program runs; all subsequent processing is called, directly or indirectly, from this function. Typically the entry function is the main function.
A function is assigned an entry address at compile time, and a pointer variable may point to a function: assigning the function's address to the pointer variable makes it point to the function, that is, to the function's entry.
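Steps S101 and S102 can be carried out directly on the file header. The following is an added example, not code from the patent: it recognises a PE (MZ/PE) or ELF image by its magic bytes and reads the entry address from the header, which is the image entry point from which the main function must still be located (compiler-specific, not shown here). The function names and the constructed minimal headers are assumptions made for this example; for Linux it checks the ELF header rather than the execute permission the text mentions.

```python
import struct


def locate_entry(data: bytes):
    """Recognise a PE or ELF image and return (format, entry address), or None.

    PE: entry = ImageBase + AddressOfEntryPoint from the optional header.
    ELF: entry = e_entry from the ELF header (honours the EI_DATA byte order).
    """
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
            return None
        size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
        opt = pe_off + 24                                            # optional header start
        if size_opt < 32 or len(data) < opt + size_opt:
            return None
        magic = struct.unpack_from("<H", data, opt)[0]
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
        if magic == 0x10B:                                           # PE32
            base = struct.unpack_from("<I", data, opt + 28)[0]
        elif magic == 0x20B:                                         # PE32+
            base = struct.unpack_from("<Q", data, opt + 24)[0]
        else:
            return None
        return ("pe", base + entry_rva)
    if data[:4] == b"\x7fELF" and len(data) >= 0x20:
        ei_class, ei_data = data[4], data[5]
        end = "<" if ei_data == 1 else ">"                           # ELFDATA2LSB / ELFDATA2MSB
        if ei_class == 1:                                            # ELFCLASS32
            return ("elf32", struct.unpack_from(end + "I", data, 24)[0])
        if ei_class == 2:                                            # ELFCLASS64
            return ("elf64", struct.unpack_from(end + "Q", data, 24)[0])
    return None


def build_min_pe(entry_rva, image_base=0x400000):
    """Constructed sample: the smallest PE32 header shape the parser needs (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after DOS header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)             # ImageBase
    return bytes(dos) + coff + bytes(opt)


def build_min_elf64(entry):
    """Constructed sample: a 64-bit little-endian ELF header carrying only e_entry."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = 2, 1, 1                        # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HHIQ", hdr, 16, 2, 0x3E, 1, entry)   # e_type, e_machine, e_version, e_entry
    return bytes(hdr)


if __name__ == "__main__":
    print(locate_entry(build_min_pe(0x1000)))        # ('pe', 4198400)
    print(locate_entry(build_min_elf64(0x401040)))   # ('elf64', 4198464)
    print(locate_entry(b"#!/bin/sh\necho hi\n"))     # None
```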
S103, simulating the operation of the operation instruction from the entry function, and putting the operation result into a simulated stack.
In this embodiment, the operation of the simulation operation instruction refers to an execution process of the operation instruction of the simulation sample file; and the simulated stack is used for storing local variables, instruction addresses, parameters of functions, intermediate results of function transfer, return data and the like in the execution process of the simulated operation instruction in the process of simulating the operation instruction. Each operation instruction in the function can be simulated, and information such as local variables, instruction addresses, various parameters of the function, intermediate results of function transfer, return data and the like in the whole function execution process can be stored in a simulated stack.
And S104, extracting character strings from the stack.
In this embodiment, during the process of simulating the operation instruction or after the function is finished, the character string may be searched and extracted from the simulated stack.
The embodiment of the invention provides an extraction method for an encrypted character string, which judges whether a sample file is an executable file; if the sample file is an executable file, locates an entry function of the executable file; simulates the operation of the operation instructions starting from the entry function and puts the operation results into a simulated stack; and extracts a string from the stack. Therefore, under limited conditions of use, namely without using a virtual machine or a sandbox, the encrypted character string can be extracted, and whether a file carries a virus, a certain shell or a package can be judged from the extracted character string, achieving the purpose of detecting or identifying the sample file.
Fig. 2 is a flowchart of a second embodiment of the method for extracting an encrypted character string according to the present invention, and referring to fig. 2, the method of the present embodiment may include the steps of:
S201, obtaining a sample file.
In this embodiment, the sample file is a program code that needs to be detected or identified.
S202, judging whether the sample file is an executable file or not;
in this embodiment, the criterion for judging whether the sample file is an executable file is the same as in S101 and is not repeated here.
S203, if the sample file is an executable file, locating an entry function of the executable file;
in this embodiment, the method for locating the entry function of the executable file is the same as that in S102, and is not described herein again.
S204, judging whether the first operation instruction in the entry function is a preset key operation instruction or not; wherein, the key operation instruction is an operation instruction for executing decryption operation;
in this embodiment, an instruction associated with the decryption operation is called a key operation instruction. The decryption of a string is usually performed by a few fixed operation instructions, including but not limited to MOV, XOR, SUB, AND and SHL. When extracting character strings from a sample file, some or all of the operation instructions capable of implementing a decryption operation may be taken as the preset key instructions, and the operation instructions in the sample file are then judged against these key instructions to determine which of them may be decryption instructions.
If an encrypted character string exists in the sample file, the sample file decrypts it during execution, so the sample file must contain operation instructions that decrypt the string. By identifying the operation instructions commonly used for decryption, it can be judged which instructions in the sample file may be the ones that decrypt the encrypted character string.
S205, if the first operation instruction in the entry function is a preset key operation instruction, simulating the operation of the first operation instruction, and putting the operation result into a simulated stack, otherwise, abandoning the operation of simulating the first operation instruction.
In this embodiment, starting from the entry function, it is determined one by one whether each operation instruction is a preset key operation instruction such as MOV, XOR, SUB, AND or SHL; if it is, the operation instruction is simulated, and if it is not, the operation is not performed.
And S206, extracting character strings from the stack.
In this embodiment, when an instruction runs, the stack provides storage for the instruction address and the parameters needed to run the instruction, and likewise the result of instruction execution is also in the stack. After the key operation instruction has been simulated, the character string is searched for and extracted from the stack.
In this embodiment, after locating the entry function, it is determined one by one whether each operation instruction of the entry function is a preset key operation instruction; if so, the operation of that instruction is simulated and the operation result is put into a simulated stack, otherwise simulating the instruction is abandoned. Finally, the character strings are extracted from the stack. Therefore, under limited conditions of use, the encrypted character strings can be extracted quickly, and whether a file carries a virus, a certain shell or a package can be judged from the extracted character strings, achieving the purpose of detecting the sample file.
Fig. 3 is a flowchart of a third embodiment of the method for extracting an encrypted character string according to the present invention, and referring to fig. 3, the method according to this embodiment, based on the embodiment of the method shown in fig. 3, after S205, may further include the steps of:
S306, judging whether a second operation instruction in the entry function is an instruction for calling a sub-function;
in this embodiment, in many programming languages a piece of code that is used frequently may be packaged so that it can be called directly when needed; this is a function in a program. A program may be composed of a main function and a number of other functions: the other functions are called by the main function and may also call each other, and the same function may be called any number of times by one or more functions. Each programming language has an operation instruction for calling other functions, and whether an operation instruction in the entry function is an instruction for calling a sub-function is judged by recognising that call instruction.
S307, if the second operation instruction in the entry function is an instruction for calling a sub-function, executing a calling operation on the sub-function;
in this embodiment, if a certain instruction in the entry function is an instruction for calling a sub-function, the sub-function is called, and the following operations are performed on the sub-function.
S308, judging whether a third operation instruction in the subfunction is a preset key operation instruction or not;
in this embodiment, whether the operation instruction in the subfunction is the predetermined key operation instruction is determined one by one, and the predetermined key operation instruction is described in S204, which is not described herein again.
S309, if the third operation instruction in the subfunction is a preset key operation instruction, simulating the operation of the third operation instruction, and putting the operation result into the simulated stack, otherwise, abandoning the operation of simulating the third operation instruction.
In this embodiment, if an instruction in the subfunction is a predetermined key operation instruction, the instruction is simulated, and if the instruction is not the predetermined key operation instruction, no operation is performed.
S310, judging whether a fourth operation instruction in the entry function is a jump instruction, or whether the fourth operation instruction is a sub-function calling instruction, or whether the fourth operation instruction is a function ending operation instruction;
and if the fourth operation instruction in the entry function is a jump instruction, or a call sub-function instruction, or a function end operation instruction, extracting the character string from the stack.
In this embodiment, if a jump instruction, or a call sub-function instruction, or a function end operation instruction occurs in the entry function, before the jump instruction, or the call sub-function instruction, or after the function ends, a character string is searched in the stack and extracted.
In this embodiment, if the second operation instruction in the entry function is an instruction for calling a sub-function, the call to the sub-function is executed, and it is judged whether a third operation instruction in the sub-function is a preset key operation instruction; if it is, the operation of the third operation instruction is simulated and the operation result is put into the simulated stack, otherwise simulating the third operation instruction is abandoned. If a jump instruction, a sub-function call instruction or a function end operation instruction appears in the entry function, the character string is extracted from the stack. Therefore, under limited usable conditions, all operation instructions in a sample that relate to the preset decryption instructions can be simulated and executed quickly, the encrypted character string can be searched for and extracted from the simulated stack, and whether a file carries a virus, a certain shell or a package can be judged from the extracted character string, achieving the purpose of detecting the sample file.
The following describes in detail the technical solution of the method embodiment shown in any one of fig. 1 to 3, using a specific embodiment.
FIG. 4 shows the assembly instruction code of a simple decompiled program.
First, the main function is located, and the first instruction in the main function, push, is found;
next, it is judged whether this instruction is a preset key decryption instruction; in this embodiment the preset key decryption instructions are MOV, ADD and SUB. Clearly the first instruction is not a preset key decryption instruction;
then the second instruction, mov, is judged to be a preset key instruction, so its execution is simulated. When the instruction is simulated, the corresponding variables, function parameter values and similar information are stored in the stack.
By analogy, each subsequent instruction is judged to determine whether it is a preset key decryption instruction, and if so, the operation instruction is executed.
When the statement call f is reached, call is a function call instruction. Before the f function is called, the simulated stack is searched for character strings and any found are extracted; then execution continues into the f function. Within f, each operation instruction is judged, following the same process as in the main function, to determine whether it is a preset key instruction, and those that are preset key instructions are executed. When, following the order of the operation instructions in the function, a leave instruction is found, this indicates that the function is about to be left, and before leaving the f function the simulated stack is searched for character strings, which are extracted.
Following the same process, each instruction in the g function is judged and simulated until ret; the result of running g is returned to the f function, and before the return operation instruction the simulated stack is searched for character strings, which are extracted.
Similarly, before the result of the f function is returned to the main function, the simulated stack is searched for character strings, which are extracted.
Returning to the main function, the next operation instructions are judged and simulated until the function ends, and the simulated stack is searched for character strings, which are extracted.
At this point, each operation instruction shown in fig. 4 has been judged one by one as to whether it is a preset key decryption instruction and its execution simulated, and before each sub-function call instruction or when an operation instruction ends a function, the character strings have been searched for and extracted from the stack.
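The walk-through above, and the embodiments of figs. 1 to 3 that it illustrates, can be expressed as a small simulator. The following is an added example, not code from the patent: it runs the method over a constructed assembly listing with the shape main -> f -> g, simulating only the key instructions MOV, XOR, SUB, ADD, AND and SHL into a simulated stack and extracting printable strings from that stack before every call, leave, ret and jmp. The operand syntax, the 32-byte frame, the four-character minimum string length, the decision not to follow jmp, and the sample strings are assumptions made for this example.

```python
import re

KEY_OPS = {"mov", "xor", "sub", "add", "and", "shl"}     # the preset key operation instructions
REG32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
REG8 = {"al": "eax", "bl": "ebx", "cl": "ecx", "dl": "edx"}   # low byte of a 32-bit register
FRAME_SIZE = 32                                   # bytes per simulated stack frame (assumption)
MEM = re.compile(r"(byte|dword) \[ebp-(\d+)\]")   # operand syntax used by this example
STRING_RUN = re.compile(rb"[\x20-\x7e]{4,}")      # printable run of at least 4 bytes (assumption)


class StackSimulator:
    def __init__(self, program):
        self.program = program          # {function name: [instruction tuples]}
        self.regs = dict.fromkeys(REG32, 0)
        self.frames = []                # the simulated stack: one bytearray per active frame
        self.found = []                 # extracted strings, in order of first discovery

    def _slot(self, op):
        m = MEM.fullmatch(op)
        size = 1 if m.group(1) == "byte" else 4
        start = FRAME_SIZE - int(m.group(2))      # [ebp-N] lies N bytes below the frame top
        return self.frames[-1], start, size

    def read(self, op):
        if isinstance(op, int):
            return op                                   # immediate
        if op in REG32:
            return self.regs[op]
        if op in REG8:
            return self.regs[REG8[op]] & 0xFF
        frame, start, size = self._slot(op)
        return int.from_bytes(frame[start:start + size], "little")

    def write(self, op, value):
        if op in REG32:
            self.regs[op] = value & 0xFFFFFFFF
        elif op in REG8:
            self.regs[REG8[op]] = (self.regs[REG8[op]] & 0xFFFFFF00) | (value & 0xFF)
        else:
            frame, start, size = self._slot(op)
            mask = (1 << (8 * size)) - 1
            frame[start:start + size] = (value & mask).to_bytes(size, "little")

    def simulate(self, op, dst, src):
        a, b = self.read(dst), self.read(src)
        result = {"mov": b, "xor": a ^ b, "sub": a - b, "add": a + b,
                  "and": a & b, "shl": a << (b & 31)}[op]
        self.write(dst, result)          # the operation result goes into the simulated stack

    def scan(self):
        # Search the whole simulated stack (all live frames) for character strings.
        for m in STRING_RUN.finditer(b"".join(self.frames)):
            s = m.group().decode("ascii")
            if s not in self.found:
                self.found.append(s)

    def run(self, name):
        self.frames.append(bytearray(FRAME_SIZE))
        for insn in self.program[name]:
            op = insn[0]
            if op in KEY_OPS:
                self.simulate(op, insn[1], insn[2])    # simulate decryption-capable instructions
            elif op == "call":
                self.scan()                            # extract before entering the sub-function
                self.run(insn[1])
            elif op in ("leave", "ret"):
                self.scan()                            # extract before the function returns
                if op == "ret":
                    break
            elif op == "jmp":
                self.scan()                            # extract before the jump; the jump is not
                break                                  # followed (assumption: keeps it loop-free)
            # any other instruction (push, pop, cmp, ...) is not simulated
        self.frames.pop()


def extract_strings(program, entry="main"):
    sim = StackSimulator(program)
    sim.run(entry)
    return sim.found


def _le(bs):  # little-endian dword from up to 4 bytes, zero padded
    return int.from_bytes(bytes(bs).ljust(4, b"\0"), "little")


# Constructed sample mirroring the fig. 4 shape (main -> f -> g). The strings are stored
# obfuscated and only become readable once the key instructions have been simulated.
UPX_ENC = bytes(c ^ 0x5A for c in b"UPX!")            # XOR-obfuscated, undone by XOR 0x5A
DEFLATE_ENC = bytes(c | 0x80 for c in b"deflate")      # high bit set, cleared by AND 0x7F

SAMPLE = {
    "main": [
        ("push", "ebp"), ("mov", "ebp", "esp"), ("sub", "esp", 16),
        ("mov", "dword [ebp-8]", _le(UPX_ENC)),
        ("xor", "byte [ebp-8]", 0x5A), ("xor", "byte [ebp-7]", 0x5A),
        ("xor", "byte [ebp-6]", 0x5A), ("xor", "byte [ebp-5]", 0x5A),
        ("call", "f"),
        ("mov", "eax", 0), ("leave",), ("ret",),
    ],
    "f": [
        ("push", "ebp"), ("mov", "ebp", "esp"), ("sub", "esp", 16),
        ("mov", "dword [ebp-12]", _le(DEFLATE_ENC[:4])),
        ("mov", "dword [ebp-8]", _le(DEFLATE_ENC[4:])),
    ] + [("and", "byte [ebp-%d]" % n, 0x7F) for n in range(12, 5, -1)] + [
        ("call", "g"), ("leave",), ("ret",),
    ],
    "g": [("push", "ebp"), ("mov", "ebp", "esp"), ("mov", "eax", 1), ("pop", "ebp"), ("ret",)],
}

if __name__ == "__main__":
    print(extract_strings(SAMPLE))   # ['UPX!', 'deflate']
```

Before the decryption instructions are simulated neither frame contains a printable run, so the same scan on the obfuscated bytes alone returns nothing; the strings appear only because the key instructions were executed into the simulated stack.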
In a second aspect, the apparatus for extracting an encrypted character string according to the embodiment of the present invention can extract an encrypted character string under a limited available condition.
Fig. 5 is a schematic structural diagram of a first embodiment of an apparatus for extracting an encrypted character string provided by the present invention, as shown in fig. 5, the apparatus of the present embodiment may include: the system comprises a first judgment module 11, an entry function positioning module 12, a first simulation execution module 13 and an extraction module 14, wherein the first judgment module 11 is used for judging whether a sample file is an executable file; an entry function locating module 12, configured to locate an entry function of the executable file if the sample file is the executable file; a first simulation execution module 13, configured to simulate, starting from the entry function, an operation of an operation instruction, and place an operation result in a simulated stack; and the extraction module 14 is used for extracting the character strings from the stack.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 1, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 6 is a schematic structural diagram of a second embodiment of the device for extracting an encrypted character string provided by the present invention. As shown in fig. 6, the device of this embodiment, on the basis of the device structure shown in fig. 5, further includes, before the first judgment module, an obtaining module 10 for obtaining a sample file, and the first simulation execution module 13 includes a first judgment submodule 131 and a first simulation execution submodule 132, wherein the first judgment submodule 131 is configured to judge whether a first operation instruction in the entry function is a predetermined key operation instruction, a key operation instruction being an operation instruction for executing a decryption operation; and the first simulation execution submodule 132 is configured to simulate the operation of the first operation instruction and put the operation result into a simulated stack if the first operation instruction in the entry function is a predetermined key operation instruction, and otherwise to abandon simulating the first operation instruction.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 2, and the implementation principle and the technical effect are similar, which are not described herein again.
Fig. 7 is a schematic structural diagram of a third embodiment of the apparatus for extracting an encrypted character string provided by the present invention. As shown in Fig. 7, the apparatus of this embodiment is based on the structure shown in Fig. 6, and the first simulation execution module further includes a second judgment submodule 133, a calling submodule 134 and a second simulation execution submodule 135. The second judgment submodule 133 is configured to judge whether a second operation instruction in the entry function is an instruction for calling a sub-function; the calling submodule 134 is configured to perform the calling operation on the sub-function if the second operation instruction in the entry function is an instruction for calling a sub-function; the second simulation execution submodule 135 is configured to judge whether a third operation instruction in the sub-function is a predetermined key operation instruction and, if it is, to simulate the operation of the third operation instruction and place the operation result in the simulated stack, and otherwise to abandon simulating the third operation instruction.
The extraction module includes a third judgment submodule 141 and an extraction submodule 142. The third judgment submodule 141 is configured to judge whether a fourth operation instruction in the entry function is a jump instruction, a sub-function call instruction or a function end operation instruction; the extraction submodule 142 is configured to extract the character string from the stack if the fourth operation instruction in the entry function is a jump instruction, a sub-function call instruction or a function end operation instruction.
The apparatus of this embodiment may be used to implement the technical solution of the method embodiment shown in fig. 3, and the implementation principle and the technical effect are similar, which are not described herein again.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes the apparatus in any of the foregoing embodiments.
Fig. 8 is a schematic structural diagram of an electronic device according to an embodiment of the invention. The electronic device can implement the processes of the embodiments shown in Figs. 1 to 3 of the present invention. As shown in Fig. 8, the electronic device may include a shell 41, a processor 42, a memory 43, a circuit board 44 and a power circuit 45. The circuit board 44 is arranged inside the space enclosed by the shell 41, and the processor 42 and the memory 43 are arranged on the circuit board 44; the power circuit 45 supplies power to each circuit or device of the electronic device; the memory 43 stores executable program code; and the processor 42 runs a program corresponding to the executable program code by reading the executable program code stored in the memory 43, so as to perform the method of any of the embodiments described above.
The specific execution process of the above steps by the processor 42 and the steps further executed by the processor 42 by running the executable program code may refer to the description of the embodiment shown in fig. 1 to 3 of the present invention, and are not described herein again.
The electronic device exists in a variety of forms, including but not limited to:
(1) Ultra-mobile personal computer devices: this equipment belongs to the category of personal computers, has computing and processing functions, and generally has mobile internet access. Such terminals include PDA, MID and UMPC devices, for example the iPad.
(2) Servers: a server is a device that provides computing services and comprises a processor, a hard disk, memory, a system bus and the like. A server is similar in architecture to a general-purpose computer, but because it must provide a highly reliable service it has higher requirements on processing capacity, stability, reliability, security, scalability, manageability and the like.
(3) Other electronic equipment with a data interaction function.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium storing one or more programs, the one or more programs being executable by one or more processors to implement a method as described in any of the preceding implementations.
It is noted that, herein, relational terms such as first and second are used solely to distinguish one entity or action from another, and do not necessarily require or imply any actual such relationship or order between those entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may also include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments.
In particular, as for the apparatus embodiment, since it is substantially similar to the method embodiment, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
For convenience of description, the above apparatus is described in terms of a functional division into various units/modules. Of course, when the invention is implemented, the functionality of the units/modules may be realised in one or more software and/or hardware components.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), or the like.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A method for extracting an encrypted character string is characterized by comprising the following steps:
judging whether the sample file is an executable file or not;
if the sample file is an executable file, locating an entry function of the executable file;
simulating the operation of the operation instruction from the entry function, and putting the operation result into a simulated stack;
extracting a character string from the stack.
2. The method for extracting encrypted character strings according to claim 1, wherein the simulating operation of the operation instruction from the entry function, and placing the operation result in a simulated stack comprises:
judging whether a first operation instruction in the entry function is a preset key operation instruction or not; wherein, the key operation instruction is an operation instruction for executing decryption operation;
if the first operation instruction in the entry function is a preset key operation instruction, simulating the operation of the first operation instruction, and putting the operation result into a simulated stack, otherwise, abandoning the operation of simulating the first operation instruction.
3. The method for extracting encrypted character strings according to claim 2, wherein after simulating the operation of the first operation instruction and putting the operation result into the simulated stack, the method further comprises:
judging whether a second operation instruction in the entry function is an instruction for calling a sub-function;
if the second operation instruction in the entry function is an instruction for calling the sub-function, executing the calling operation on the sub-function;
judging whether a third operation instruction in the subfunction is a preset key operation instruction or not;
if the third operation instruction in the subfunction is a preset key operation instruction, simulating the operation of the third operation instruction, and putting the operation result into the simulated stack, otherwise, abandoning the operation of simulating the third operation instruction.
4. The method for extracting encrypted character strings according to any one of claims 1 to 3, wherein the extracting character strings from the stack comprises:
judging whether a fourth operation instruction in the entry function is a jump instruction, or a sub-function call instruction, or a function end operation instruction;
and if the fourth operation instruction in the entry function is a jump instruction, or a sub-function call instruction, or a function end operation instruction, extracting the character string from the stack.
5. An extraction device of an encrypted character string, comprising:
the first judging module is used for judging whether the sample file is an executable file or not;
the entry function positioning module is used for positioning an entry function of the executable file if the sample file is the executable file;
the first simulation execution module is used for simulating the operation of the operation instruction from the entry function and putting the operation result into a simulated stack;
and the extraction module is used for extracting the character strings from the stack.
6. The apparatus for extracting encrypted character string according to claim 5, wherein the first simulation executing module includes:
the first judgment submodule is used for judging whether a first operation instruction in the entry function is a preset key operation instruction or not; wherein, the key operation instruction is an operation instruction for executing decryption operation;
and the first simulation execution sub-module is used for simulating the operation of the first operation instruction if the first operation instruction in the entry function is a preset key operation instruction, and putting the operation result into a simulated stack, otherwise, abandoning the operation of simulating the first operation instruction.
7. The apparatus for extracting encrypted character string according to claim 6, wherein the first simulation executing module further includes:
the second judgment submodule is used for judging whether a second operation instruction in the entry function is an instruction for calling a subfunction;
the calling submodule is used for executing calling operation on the subfunction if the second operation instruction in the entry function is an instruction for calling the subfunction;
the second simulation execution submodule is used for judging whether a third operation instruction in the subfunction is a preset key operation instruction or not; if the third operation instruction in the subfunction is a preset key operation instruction, simulating the operation of the third operation instruction, and putting the operation result into the simulated stack, otherwise, abandoning the operation of simulating the third operation instruction.
8. The apparatus for extracting encrypted character string according to any one of claims 5 to 7, wherein the extraction module comprises:
the third judgment submodule is used for judging whether a fourth operation instruction in the entry function is a jump instruction or a call sub-function instruction or a function end operation instruction;
and the extraction submodule is used for extracting the character string from the stack if the fourth operation instruction in the entry function is a jump instruction, or a call sub-function instruction, or a function end operation instruction.
9. An electronic device, characterized in that the electronic device comprises: the device comprises a shell, a processor, a memory, a circuit board and a power circuit, wherein the circuit board is arranged in a space enclosed by the shell, and the processor and the memory are arranged on the circuit board; a power supply circuit for supplying power to each circuit or device of the electronic apparatus; the memory is used for storing executable program codes; the processor executes a program corresponding to the executable program code by reading the executable program code stored in the memory, for performing the method of any one of the above claims 1-4.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores one or more programs which are executable by one or more processors to implement the method of any of the preceding claims 1-4.
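The procedure described for the apparatus of Figs. 5 to 7 and restated in claims 1 to 4 (check that the sample is executable, locate the entry function, simulate only the key operation instructions that undo the encryption, descend into called sub-functions, and flush the simulated stack into a string at every jump, call or return) can be followed end to end on a small constructed program. The block below is an added example, not the patent's own code: it models the instructions as Python tuples rather than real machine code, and the magic-byte check, the set of opcodes treated as key operation instructions, the minimum string length, the recursion bound and the decision to stop scanning a function at an unconditional jump are all assumptions made for the example.

```python
"""Stack-string extraction by simulated execution (added example, not the patent's code)."""
from dataclasses import dataclass, field

MASK = 0xFFFFFFFF
MIN_LEN = 4        # assumption: ignore printable runs shorter than this
MAX_DEPTH = 8      # assumption: bound recursion into sub-functions
KEY_OPS = {"mov", "xor", "add", "sub", "push"}   # simulated (claim 2); others are skipped
END_OPS = {"jmp", "call", "ret"}                 # trigger extraction from the stack (claim 4)


def is_executable(sample: dict) -> bool:
    """Toy stand-in for PE/ELF header parsing (assumption): look at the magic bytes."""
    return sample.get("magic", b"").startswith((b"MZ", b"\x7fELF"))


@dataclass
class StackStringEmulator:
    program: dict
    regs: dict = field(default_factory=dict)
    stack: list = field(default_factory=list)    # simulated stack, oldest push first
    strings: list = field(default_factory=list)

    def simulate(self, ins) -> None:
        """Simulate one key operation instruction (register destination, immediate source)."""
        op, reg = ins[0], ins[1]
        val = self.regs.get(reg, 0)
        if op == "mov":
            self.regs[reg] = ins[2] & MASK
        elif op == "xor":
            self.regs[reg] = (val ^ ins[2]) & MASK
        elif op == "add":
            self.regs[reg] = (val + ins[2]) & MASK
        elif op == "sub":
            self.regs[reg] = (val - ins[2]) & MASK
        elif op == "push":
            self.stack.append(val)

    def extract(self) -> None:
        """Flush the simulated stack into printable strings (claim 4) and empty it."""
        if not self.stack:
            return
        # The most recent push sits at the lowest address, so memory order is the reverse
        # of push order; each pushed dword is laid out little-endian.
        raw = b"".join(v.to_bytes(4, "little") for v in reversed(self.stack))
        self.stack.clear()
        for chunk in raw.split(b"\x00"):
            if len(chunk) >= MIN_LEN and all(0x20 <= b < 0x7F for b in chunk):
                self.strings.append(chunk.decode("ascii"))

    def run(self, fname: str, depth: int = 0) -> None:
        """Scan one function: simulate key ops, follow calls, extract at jmp/call/ret."""
        for ins in self.program["functions"].get(fname, []):
            op = ins[0]
            if op in KEY_OPS:
                self.simulate(ins)
            elif op in END_OPS:
                self.extract()
                if op == "call" and depth < MAX_DEPTH:
                    self.run(ins[1], depth + 1)   # claim 3: descend into the sub-function
                elif op != "call":
                    return                        # assumption: jmp/ret end this function's scan
            # any other instruction is not simulated (claim 2: "abandon the operation")


def extract_strings(sample: dict) -> list:
    """Claim 1: executable check, locate the entry function, simulate, extract."""
    if not is_executable(sample):
        return []
    emu = StackStringEmulator(sample)
    emu.run(sample["entry"])
    return emu.strings


KEY = 0x5A5A5A5A
# Constructed sample: the entry builds "decoded" with XOR and the callee builds "salt"
# with ADD. The immediates are the plaintext dwords pre-encrypted with those operations.
SAMPLE = {
    "magic": b"MZ",
    "entry": "start",
    "functions": {
        "start": [
            ("mov", "eax", 0x5A3E3F3E), ("xor", "eax", KEY), ("push", "eax"),   # "ded\0"
            ("mov", "eax", 0x35393F3E), ("xor", "eax", KEY), ("push", "eax"),   # "deco"
            ("cmp", "eax", 0),              # not a key operation instruction: skipped
            ("call", "decode_sub"),         # extraction point, then the call is followed
            ("ret",),
        ],
        "decode_sub": [
            ("mov", "ecx", 0), ("push", "ecx"),                                    # terminator
            ("mov", "eax", 0x736B6072), ("add", "eax", 0x01010101), ("push", "eax"),  # "salt"
            ("ret",),
        ],
    },
}

if __name__ == "__main__":
    print(extract_strings(SAMPLE))   # ['decoded', 'salt']
```

The emulator deliberately tracks nothing but registers and the pushes that build the string, which is what keeps the simulation cheap enough to run over every sample; the price is that a decryption routine using an opcode outside KEY_OPS, or a conditional jump whose target is never scanned, leaves its string unrecovered, so the opcode set and the jump handling are the two knobs a practitioner would tune against real samples.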
CN201811539786.9A 2018-12-14 2018-12-14 Extraction method and device of encrypted character string, electronic equipment and storage medium Pending CN110866251A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811539786.9A CN110866251A (en) 2018-12-14 2018-12-14 Extraction method and device of encrypted character string, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811539786.9A CN110866251A (en) 2018-12-14 2018-12-14 Extraction method and device of encrypted character string, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN110866251A true CN110866251A (en) 2020-03-06

Family

ID=69651629

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811539786.9A Pending CN110866251A (en) 2018-12-14 2018-12-14 Extraction method and device of encrypted character string, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN110866251A (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120240231A1 (en) * 2011-03-16 2012-09-20 Electronics And Telecommunications Research Institute Apparatus and method for detecting malicious code, malicious code visualization device and malicious code determination device
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program
CN103902911A (en) * 2014-04-16 2014-07-02 南京大学 Rogue program detection method based on program structural features
US20150052611A1 (en) * 2012-03-21 2015-02-19 Beijing Qihoo Technology Company Limited Method and device for extracting characteristic code of apk virus
CN104868996A (en) * 2014-02-25 2015-08-26 中兴通讯股份有限公司 Data encryption and decryption method, device thereof, and terminal
CN106855926A (en) * 2015-12-08 2017-06-16 武汉安天信息技术有限责任公司 Malicious code detecting method, system and a kind of mobile terminal under Android system

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120240231A1 (en) * 2011-03-16 2012-09-20 Electronics And Telecommunications Research Institute Apparatus and method for detecting malicious code, malicious code visualization device and malicious code determination device
US20150052611A1 (en) * 2012-03-21 2015-02-19 Beijing Qihoo Technology Company Limited Method and device for extracting characteristic code of apk virus
CN102779257A (en) * 2012-06-28 2012-11-14 奇智软件(北京)有限公司 Security detection method and system of Android application program
CN104868996A (en) * 2014-02-25 2015-08-26 中兴通讯股份有限公司 Data encryption and decryption method, device thereof, and terminal
CN103902911A (en) * 2014-04-16 2014-07-02 南京大学 Rogue program detection method based on program structural features
CN106855926A (en) * 2015-12-08 2017-06-16 武汉安天信息技术有限责任公司 Malicious code detecting method, system and a kind of mobile terminal under Android system

Similar Documents

Publication Publication Date Title
JP6227772B2 (en) Method and apparatus for protecting a dynamic library
US20090271867A1 (en) Virtual machine to detect malicious code
US10586026B2 (en) Simple obfuscation of text data in binary files
CN105068932B (en) A kind of detection method of Android application programs shell adding
KR102415971B1 (en) Apparatus and Method for Recognizing Vicious Mobile App
CN109388946B (en) Malicious process detection method and device, electronic equipment and storage medium
CN108628743B (en) Application program testing method, device, equipment and storage medium
JP7154365B2 (en) Methods for securing software code
CN107077540B (en) Method and system for providing cloud-based application security services
CN109255235B (en) Mobile application third-party library isolation method based on user mode sandbox
CN104484585A (en) Application program installation package processing method and device, and mobile apparatus
CN109271789B (en) Malicious process detection method and device, electronic equipment and storage medium
CN106709336A (en) Method and apparatus for identifying malware
CN115062309B (en) Vulnerability mining method based on equipment firmware simulation in novel power system and storage medium
CN111931185A (en) Java anti-serialization vulnerability detection method and component
CN112417461A (en) Fuzzy test method and system for equipment firmware
CN106548065B (en) Application program installation detection method and device
CN112231702A (en) Application protection method, device, equipment and medium
KR101557455B1 (en) Application Code Analysis Apparatus and Method For Code Analysis Using The Same
CN109145589B (en) Application program acquisition method and device
CN113220314A (en) APP resource loading and APK generation method, device, equipment and medium
CN112395603B (en) Vulnerability attack identification method, device and computer equipment based on instruction execution sequence characteristics
CN107341403A (en) A kind of document conversion method and device
CN108021790B (en) File protection method and device, computing equipment and computer storage medium
US11263313B2 (en) Securing execution of a program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
Applicant after: Antan Technology Group Co.,Ltd.
Address before: 150028 building 7, innovation and entrepreneurship square, science and technology innovation city, Harbin high tech Industrial Development Zone, Harbin, Heilongjiang Province (No. 838, Shikun Road)
Applicant before: Harbin Antian Science and Technology Group Co.,Ltd.
RJ01 Rejection of invention patent application after publication
Application publication date: 20200306