
CN-122020656-A - Reverse analysis method and device


Abstract

The application discloses a reverse analysis method and a reverse analysis device, which relate to the technical field of reverse analysis and mainly aim to provide a reverse analysis technique suitable for HarmonyOS application packages (Harmony Ability Package, HAP). The main technical scheme comprises: parsing the HAP to be reverse analyzed to obtain a bytecode file in the HAP; performing static syntax analysis on the bytecode file and identifying suspicious methods in the application layer; if a suspicious method is identified, performing dynamic runtime analysis on the bytecode file and tracking the call logic link related to the suspicious method in the application layer; if the call logic link indicates a target method having a cross-layer call relationship with the native layer, determining the cross-layer interaction link between the application layer and the native layer based on the cross-layer call relationship between the target method and the native layer; and generating a reverse analysis result for the HAP based on the suspicious method, the call logic link and the cross-layer interaction link.

Inventors

  • ZHENG WENXIN
  • LIU CONG
  • HUANG BIBO
  • YANG ZHIYUAN

Assignees

  • 奇安信科技集团股份有限公司 (QiAnXin Technology Group Co., Ltd.)

Dates

Publication Date
2026-05-12
Application Date
2025-12-25

Claims (12)

  1. A reverse analysis method, the method comprising: parsing a HarmonyOS application package (HAP) to be reverse analyzed to obtain a bytecode file in the HAP; performing static syntax analysis on the bytecode file and identifying suspicious methods in an application layer; if a suspicious method is identified, performing dynamic runtime analysis on the bytecode file and tracking a call logic link related to the suspicious method in the application layer; if the call logic link indicates a target method having a cross-layer call relationship with a native layer, determining a cross-layer interaction link between the application layer and the native layer based on the cross-layer call relationship between the target method and the native layer; and generating a reverse analysis result for the HAP based on the suspicious method, the call logic link and the cross-layer interaction link.
  2. The method of claim 1, wherein performing dynamic runtime analysis on the bytecode file and tracking the call logic link related to the suspicious method in the application layer comprises: running the bytecode file in a first sandbox isolation environment and synchronously collecting register state data, wherein the register state data indicates the context information of method calls in the bytecode and the jump behavior characteristics between bytecode instructions; restoring the branch logic of the bytecode layer based on the jump behavior characteristics indicated by the register state data; and associating the branch logic with the context information of the suspicious method call indicated by the register state data, to obtain the call logic link related to the suspicious method in the application layer.
  3. The method of claim 1, wherein determining that the call logic link indicates a target method having a cross-layer call relationship with the native layer comprises: if a method is marked by a native-layer keyword in its declaration information, determining the corresponding method to be the target method, indicated by the call logic link, that has a cross-layer call relationship with the native layer; and/or determining a call stack corresponding to the call logic link, and if a cross-layer call jump node exists in the call stack and the cross-layer call jump node is associated with a method in the call logic link, determining the corresponding method to be the target method, indicated by the call logic link, that has a cross-layer call relationship with the native layer.
  4. The method of claim 1, wherein determining the cross-layer interaction link between the application layer and the native layer based on the cross-layer call relationship between the target method and the native layer comprises performing the following steps for each target method: parsing the dynamic link library file to determine an identifier of the registration entry module associated with the call of the target method; parsing the registered application module based on the identifier and determining, in the application module, an initialization function bound to the target method; tracking address jumps during execution of the initialization function in a second sandbox isolation environment and restoring the other functions called by the initialization function in the native layer to form a function call chain; and determining the cross-layer interaction link between the application layer and the native layer corresponding to the target method based on the binding relationship between the target method and the initialization function and on the function call chain.
  5. The method according to claim 4, further comprising: if a target function exists in the function call chain, adding to the reverse analysis result a conclusion that the target method can cause sensitive data leakage, wherein the parameters of the target function include at least part of the sensitive data in the second sandbox isolation environment.
  6. The method of claim 1, wherein performing static syntax analysis on the bytecode file and identifying suspicious methods in the application layer comprises: performing static syntax analysis on the bytecode file and extracting code element information in the application layer; matching the extracted code element information against a first information base, wherein the first information base comprises sample code element information known to cause sensitive behavior in HarmonyOS applications; and if first code element information that successfully matches the first information base exists, determining the method in the application layer associated with the first code element information to be a suspicious method.
  7. The method of claim 6, further comprising: if second code element information exists that neither successfully matches the first information base nor successfully matches a second information base, determining the method in the application layer associated with the second code element information to be a suspicious method, wherein the second information base comprises sample code element information known not to cause sensitive behavior in HarmonyOS applications; and/or, if an identified suspicious method has an associated method in the bytecode file, adding the associated method to the identified suspicious methods as a suspicious method increment.
  8. The method according to any one of claims 1 to 7, further comprising: running the HAP in a third sandbox isolation environment deployed with sensitive data, and if it is observed that the HAP invokes a method that acquires the sensitive data during running, and/or that the HAP includes at least part of the sensitive data in network data generated during running, adding the method in the bytecode file that acquires the sensitive data to the identified suspicious methods as a suspicious method increment; and/or obtaining a resource identifier from a constant pool of the bytecode file, determining the target bytecode instruction in the bytecode that references the resource identifier, and if a target suspicious method associated with the target bytecode instruction exists, obtaining the resource corresponding to the resource identifier from the resource file and associating the resource with the target suspicious method in the reverse analysis result.
  9. A reverse analysis device, the device comprising: a parsing module for parsing a HAP to be reverse analyzed to obtain a bytecode file in the HAP; an identification module for performing static syntax analysis on the bytecode file and identifying suspicious methods in an application layer; a tracking module for performing dynamic runtime analysis on the bytecode file if a suspicious method is identified and tracking a call logic link related to the suspicious method in the application layer; a determining module for determining a cross-layer interaction link between the application layer and a native layer based on the cross-layer call relationship between the target method and the native layer if the call logic link indicates a target method having a cross-layer call relationship with the native layer; and a generation module for generating a reverse analysis result for the HAP based on the suspicious method, the call logic link and the cross-layer interaction link.
  10. A computer-readable storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when run, controls the device in which the storage medium is located to perform the reverse analysis method of any one of claims 1 to 8.
  11. An electronic device comprising a memory for storing a program and a processor coupled to the memory for executing the program to perform the reverse analysis method of any one of claims 1 to 8.
  12. A computer program product, characterized in that it comprises a computer program or computer-executable instructions for performing the reverse analysis method according to any one of claims 1 to 8.
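The pipeline of claims 1 to 7, worked through on constructed data, as an added example that is not code from the patent or its assignee. It assumes the bytecode of the HAP has already been parsed into simple method records, that the sandbox traces of claims 2 and 4 are supplied as recorded frames and native bindings rather than collected from a real emulator, and that an "associated method" in claim 7 means a direct caller. Every method, API, function and information-base entry below is constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Method:                    # parsed application-layer method (assumed already decoded)
    name: str
    calls: tuple[str, ...]       # code element information: APIs and methods it invokes
    native: bool = False         # declaration carries the native-layer keyword marker

@dataclass(frozen=True)
class Frame:                     # one recorded call, standing in for register state data
    caller: str
    callee: str
    layer: str                   # layer of the callee: "app" or "native"

@dataclass(frozen=True)
class NativeBinding:             # what claim 4 recovers from the .so for one target method
    target_method: str
    init_function: str           # initialization function bound to the target method
    call_chain: tuple[str, ...]  # native functions reached from the init function
    args: dict                   # function name -> argument strings seen in the sandbox

# Constructed information bases: first (known to cause sensitive behaviour), second (known not to).
KNOWN_SENSITIVE = {"sys.contacts.read", "sys.location.get", "net.http.post"}
KNOWN_BENIGN = {"ui.text.set", "util.json.stringify", "log.info"}

def identify_suspicious(methods):
    """Claims 6 and 7: match code elements against both bases, then add direct callers."""
    names = {m.name for m in methods}
    suspicious = set()
    for m in methods:
        for elem in m.calls:
            if elem in KNOWN_SENSITIVE:                           # claim 6: first base matched
                suspicious.add(m.name)
            elif elem not in KNOWN_BENIGN and elem not in names:  # claim 7: matches neither base
                suspicious.add(m.name)
    # claim 7, second branch; assumption: an "associated method" is a direct caller
    callers = {m.name for m in methods if any(c in suspicious for c in m.calls)}
    return suspicious | callers

def call_logic_links(trace, suspicious):
    """Claim 2 stand-in: follow recorded frames forward until the call leaves the app layer."""
    links = {}
    for s in suspicious:
        chain, cur = [s], s
        while True:
            frame = next((f for f in trace if f.caller == cur), None)
            if frame is None or frame.layer == "native" or frame.callee in chain:
                break
            chain.append(frame.callee)
            cur = frame.callee
        links[s] = chain
    return links

def cross_layer_targets(links, methods, trace):
    """Claim 3: native keyword in the declaration, or a cross-layer jump node in the call stack."""
    is_native = {m.name: m.native for m in methods}
    targets = set()
    for chain in links.values():
        for name in chain:
            jumps = any(f.caller == name and f.layer == "native" for f in trace)
            if is_native.get(name) or jumps:
                targets.add(name)
    return targets

def interaction_links(targets, bindings, sensitive_data):
    """Claims 4 and 5: bind each target to its native function chain and flag sensitive arguments."""
    result = {}
    for b in bindings:
        if b.target_method in targets:
            chain = [b.init_function, *b.call_chain]
            sinks = [fn for fn in chain
                     if any(v in a for v in sensitive_data for a in b.args.get(fn, ()))]
            result[b.target_method] = {"chain": chain, "sinks": sinks}
    return result

def analyze(methods, trace, bindings, sensitive_data):
    """Claim 1: assemble the reverse analysis result from the three stages."""
    suspicious = identify_suspicious(methods)
    links = call_logic_links(trace, suspicious)
    cross = interaction_links(cross_layer_targets(links, methods, trace), bindings, sensitive_data)
    conclusions = [f"{t} can cause sensitive data leakage via {', '.join(v['sinks'])}"
                   for t, v in cross.items() if v["sinks"]]
    return {"suspicious_methods": sorted(suspicious), "call_logic_links": links,
            "cross_layer_links": cross, "conclusions": conclusions}

# Constructed sample input standing in for a parsed HAP and its sandbox traces.
METHODS = (
    Method("EntryAbility.onCreate", ("ui.text.set", "ContactSync.collect")),
    Method("ContactSync.collect", ("sys.contacts.read", "NativeBridge.upload")),
    Method("NativeBridge.upload", (), native=True),
    Method("Settings.save", ("util.json.stringify", "log.info")),
)
TRACE = (
    Frame("EntryAbility.onCreate", "ContactSync.collect", "app"),
    Frame("ContactSync.collect", "NativeBridge.upload", "app"),
    Frame("NativeBridge.upload", "Init_upload", "native"),
)
BINDINGS = (NativeBinding("NativeBridge.upload", "Init_upload", ("BuildBody", "SendRequest"),
                          {"SendRequest": ("https://example.invalid/sync", "contacts=Alice,Bob")}),)
SENSITIVE_DATA = {"Alice"}    # constructed sensitive value planted in the sandbox
if __name__ == "__main__":
    print(analyze(METHODS, TRACE, BINDINGS, SENSITIVE_DATA))
```

On this input the static stage flags `ContactSync.collect` (it calls an element in the first base) and its caller `EntryAbility.onCreate`, the trace walk stops at `NativeBridge.upload` where the call leaves the application layer, the native-keyword check marks that method as the cross-layer target, and the native chain recovered for it ends in a function whose argument contains the planted sensitive value, which produces the claim 5 leakage conclusion. The benign `Settings.save` is never flagged.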

Description

Reverse analysis method and device

Technical Field

The application relates to the technical field of reverse analysis, in particular to a reverse analysis method and device.

Background

With the wide adoption of HarmonyOS in fields such as consumer electronics and the Internet of Things, the security of the HarmonyOS application package (Harmony Ability Package, HAP) directly affects system stability and user rights. Reverse analysis, as a supporting technique for identifying potential malicious behavior and security vulnerabilities, plays an irreplaceable role in application package security evaluation. However, the underlying architecture, file format and running mechanism of the HAP differ fundamentally from those of the Android application package, so existing mature Android reverse analysis techniques are difficult to adapt directly to reverse analysis of the HAP. At present, the lack of a reverse analysis technique applicable to the HAP has become the main bottleneck restricting the development of security assessment work. Therefore, there is a need for a reverse analysis technique that can accurately analyze the HAP and provide reliable technical support for HAP security assessment.

Disclosure of Invention

The application provides a reverse analysis method and a reverse analysis device, and mainly aims to provide a reverse analysis technique suitable for the HAP so as to provide reliable technical support for security evaluation of the HAP.

In order to achieve the above purpose, the application mainly provides the following technical solutions. In a first aspect, the reverse analysis method provided by the embodiment at least includes: parsing a HAP to be reverse analyzed to obtain a bytecode file in the HAP; performing static syntax analysis on the bytecode file to identify suspicious methods in an application layer; if a suspicious method is identified, performing dynamic runtime analysis on the bytecode file and tracking a call logic link related to the suspicious method in the application layer; if the call logic link is determined to indicate a target method having a cross-layer call relationship with the native layer, determining a cross-layer interaction link between the application layer and the native layer based on the cross-layer call relationship between the target method and the native layer; and generating a reverse analysis result for the HAP based on the suspicious method, the call logic link and the cross-layer interaction link.

In a second aspect, the application provides a reverse analysis device, where the reverse analysis device provided in this embodiment may at least include: a parsing module for parsing the HAP to be reverse analyzed to obtain a bytecode file in the HAP; an identification module for performing static syntax analysis on the bytecode file and identifying suspicious methods in an application layer; a tracking module for performing dynamic runtime analysis on the bytecode file if a suspicious method is identified and tracking a call logic link related to the suspicious method in the application layer; a determining module for determining a cross-layer interaction link between the application layer and a native layer based on the cross-layer call relationship between the target method and the native layer if the call logic link indicates a target method having a cross-layer call relationship with the native layer; and a generation module for generating a reverse analysis result for the HAP based on the suspicious method, the call logic link and the cross-layer interaction link.

In a third aspect, the application provides a computer-readable storage medium comprising a stored program, wherein the program, when run, controls the device in which the storage medium is located to perform the reverse analysis method of the first aspect. In a fourth aspect, the application provides an electronic device comprising a memory for storing a program and a processor coupled to the memory for running the program to perform the reverse analysis method of the first aspect. In a fifth aspect, the application provides a computer program product comprising a computer program or computer-executable instructions for performing the reverse analysis method of the first aspect.
According to the reverse analysis method and device provided by the application, once the HAP to be reverse analyzed is determined, the HAP is parsed to obtain the bytecode file