Application detection method, device and storage medium
By comparing the initial and loaded code information of the application, program error information can be quickly detected, solving the problem that the large amount of memory data affects the detection efficiency and achieving efficient fault detection.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- BEIJING ZITIAO NETWORK TECH CO LTD
- Filing Date
- 2023-12-15
- Publication Date
- 2026-06-23
AI Technical Summary
In existing technologies, memory data includes data from all modules of the application, resulting in a large amount of memory data, which affects the efficiency of application fault detection.
By comparing the initial code information and the loaded code information of the target application, inconsistent fixed-length loaded code information is added to a preset file (such as a minidmp file) to quickly detect program error information.
It reduces detection time and improves the efficiency of application fault detection.
Smart Images

Figure CN117667736B_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of computer technology, and in particular to an application detection method, device, and storage medium. Background Technology
[0002] Currently, when an application crashes or freezes, a corresponding DMP (Data Migration Protocol) file needs to be reported to determine the cause of the failure. Many of these failures are not due to problems with the application itself, but rather to injected third-party modules that modify the application code using inline hooks. Therefore, when an application malfunctions, it is necessary to inspect for program error messages (e.g., inline hooks) within the application.
[0003] In related technologies, when an application malfunctions, its memory data is obtained; this memory data is then used to detect program error information (e.g., inline hooks). The memory data includes data from all modules corresponding to the application.
[0004] However, the inventors have found that the prior art has at least the following technical problems: because the memory data includes all module data corresponding to the application, the amount of memory data is large, so the time to detect the inline hooks of the application through the memory data is long, which affects the fault detection efficiency of the application. Summary of the Invention
[0005] This disclosure provides an application detection method, device, and storage medium that can quickly detect program error information in applications and improve the efficiency of application fault detection.
[0006] In a first aspect, embodiments of this disclosure provide an application detection method, including:
[0007] The method includes obtaining initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order; and obtaining loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0008] The multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information are compared one by one, starting from the first byte information in the sequential arrangement;
[0009] If the initial byte information is consistent with the loaded byte information, then the next byte information of the loaded byte information is compared. If the initial byte information is inconsistent with the loaded byte information, then the loaded byte information and a preset number of loaded byte information after the loaded byte information are determined.
[0010] The loaded byte information and a preset number of loaded byte information following the loaded byte information are added to a preset file, and the next byte information following the preset number of loaded byte information is then compared.
[0011] In response to the completion of the comparison between the ordered initial byte information and the ordered loaded byte information, program error information in the target application is detected through the preset file.
[0012] Secondly, embodiments of this disclosure provide an application detection device, comprising:
[0013] The acquisition module is used to acquire initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order, and to acquire loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0014] The comparison module is used to compare the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement;
[0015] The determination module is used to, if the initial byte information is consistent with the loaded byte information, continue to compare the next byte information of the loaded byte information; if the initial byte information is inconsistent with the loaded byte information, determine the loaded byte information and a preset number of loaded byte information after the loaded byte information.
[0016] An add module is used to add the loaded byte information and a preset number of loaded byte information after the loaded byte information to a preset file, and continue to compare the next byte information after the preset number of loaded byte information;
[0017] The detection module is used to detect program error information in the target application through the preset file after the comparison between the plurality of sequentially arranged initial byte information and the plurality of sequentially arranged loaded byte information ends.
[0018] Thirdly, embodiments of this disclosure provide an electronic device, including:
[0019] A processor, and a memory communicatively connected to the processor;
[0020] The memory stores computer-executed instructions;
[0021] The processor executes computer execution instructions stored in the memory to implement the application detection method as described in the first aspect above.
[0022] Fourthly, embodiments of this disclosure provide a computer-readable storage medium storing computer-executable instructions, which, when executed by a processor, implement the application detection method described in the first aspect above.
[0023] Fifthly, embodiments of this disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the application detection method described in the first aspect above.
[0024] This embodiment provides an application detection method, device, and storage medium. The method includes: acquiring initial code information corresponding to a target application to be detected, wherein the initial code information includes multiple sequentially arranged initial byte information; and acquiring loaded code information corresponding to the target application, wherein the loaded code information includes multiple sequentially arranged loaded byte information; comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement; if the initial byte information and the loaded byte information are consistent, then continuing to compare the next byte information of the loaded byte information; if the initial byte information and the loaded byte information are inconsistent, then determining the loaded byte information and a preset number of loaded byte information following the loaded byte information; adding the loaded byte information and the preset number of loaded byte information following the loaded byte information to a preset file, and continuing to compare the next byte information of the preset number of loaded byte information following the loaded byte information; in response to the end of the comparison between the multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information, detecting program error information in the target application through the preset file. In this embodiment, by comparing the initial code information and the loaded code information corresponding to the target application, a fixed-length (e.g., 5 bytes) of inconsistent loaded code information is added to a preset file (e.g., a minidmp file). The preset file stores the loaded code information that differs from the initial code information. Since the amount of data in the loaded code information that differs is small, it is convenient to quickly detect program error information in the target application, thus improving the fault detection efficiency of the application. Attached Figure Description
[0025] To more clearly illustrate the technical solutions in the embodiments of this disclosure or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this disclosure. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0026] Figure 1 This is a schematic diagram illustrating an application scenario of an application detection method provided in this embodiment of the disclosure;
[0027] Figure 2 A flowchart of an application detection method provided in this disclosure embodiment;
[0028] Figure 3 A schematic diagram illustrating an application detection method provided in an embodiment of this disclosure;
[0029] Figure 4 A schematic diagram illustrating another application detection method provided in this disclosure embodiment;
[0030] Figure 5 A structural block diagram of an application detection device provided in this disclosure embodiment;
[0031] Figure 6 This is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of this disclosure. Detailed Implementation
[0032] To make the objectives, technical solutions, and advantages of the embodiments of this disclosure clearer, the technical solutions of the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this disclosure, and not all embodiments. Based on the embodiments of this disclosure, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this disclosure.
[0033] It should be noted that the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with relevant laws, regulations and standards, and corresponding operation entry points are provided for users to choose to authorize or refuse.
[0034] Currently, when an application crashes or freezes, the corresponding DMP file for that application needs to be reported to determine the cause of the failure. Many of these failures are not due to problems with the application itself, but rather to injected third-party modules that modify the application code using inline hooks. Therefore, when an application malfunctions, it's necessary to inspect for program error messages (e.g., inline hooks). An inline hook works by modifying parts of the original function's instructions, using a jump or other instruction to achieve the hook's purpose.
[0035] In related technologies, when an application malfunctions, its memory data is obtained; this memory data is then used to detect application errors (e.g., inline hooks). This memory data includes data from all modules corresponding to the application. However, because the memory data includes data from all modules, the data volume is large, resulting in a long detection time for inline hooks, thus affecting the efficiency of application fault detection.
[0036] Therefore, how to quickly detect inline hooks in applications to improve application fault detection efficiency is an urgent problem to be solved.
[0037] To address the aforementioned issues, this embodiment provides the following technical concept: First, obtain the initial code information and the loaded code information corresponding to the target application. Then, by comparing the initial code information and the loaded code information, add the inconsistent fixed-length (e.g., 5 bytes) loaded code information to a preset file (e.g., a minidmp file). The preset file stores the loaded code information that differs from the initial code information. The amount of data in the differing loaded code information is small, which facilitates rapid detection of program error information in the target application.
[0038] The specific steps are as follows: First, obtain the initial code information corresponding to the target application to be detected, which includes multiple sequentially arranged initial byte information; and obtain the loaded code information corresponding to the target application, which includes multiple sequentially arranged loaded byte information. Second, compare the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequence. If the initial byte information and the loaded byte information are consistent, continue comparing the next byte information of the loaded byte information. If the initial byte information and the loaded byte information are inconsistent, determine the loaded byte information and a preset number of loaded byte information following it. Finally, add the loaded byte information and the preset number of loaded byte information following it to a preset file, and continue comparing the next byte information of the preset number of loaded byte information following it. In response to the end of the comparison between the multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information, the program error information in the target application is detected through the preset file. In this case, since the amount of data in the obtained preset file (such as a minidmp file) is small, it is easy to quickly detect program error information in the target application, thus improving the efficiency of application fault detection.
[0039] The application scenarios of the embodiments of this disclosure are explained below:
[0040] The application detection method provided in this disclosure can be applied to scenarios where application faults are detected. Figure 1 This diagram illustrates an application scenario for an application detection method provided in this embodiment. The terminal 101 and server 102 can be connected via wired or wireless means to transmit data between them. When an application crashes or freezes, the terminal 101 uses the application detection method provided in this embodiment to determine program error information (e.g., inline hooks) within the application and uploads a minidmp file containing the error information to the server 102. The server 102 uses the minidmp file to determine the cause of the application failure and then relays this cause back to the terminal 101.
[0041] The application detection method provided in this disclosure will be described in detail below using specific embodiments.
[0042] Figure 2 This is a flowchart illustrating an application detection method provided in an embodiment of this disclosure. The execution entity of this application detection method can be a terminal or a server. This application embodiment uses a terminal as an example for illustration. Figure 2 As shown, the method includes:
[0043] S201. Obtain the initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order; and obtain the loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0044] In some embodiments, the code information corresponding to the target application includes at least one code section, and each code section includes multiple code pages. The multiple code pages include unmodified code pages and modified code pages.
[0045] Optionally, for each code section, instead of comparing all code pages in the entire section, only a few modified code pages within that section are identified. That is, the initial byte information of the modified target code pages is obtained and compared.
[0046] Accordingly, obtaining the initial code information corresponding to the target application to be detected, and obtaining the loaded code information corresponding to the target application, includes: obtaining the code information of the target application, wherein the code information includes at least one code section; for each code section, determining at least one target code page that has been modified from a plurality of code pages included in the code section; for each target code page, obtaining the initial code information corresponding to the target code page, and obtaining the loaded code information corresponding to the target code page; wherein the initial code information and the loaded code information are the code information corresponding to the same target code page.
[0047] The initial code information includes multiple sequentially arranged initial byte information. In this case, the sequential arrangement can be the order in which the multiple initial byte information is arranged within the target code page. The loaded code information includes multiple sequentially arranged loaded byte information. In this case, the sequential arrangement can be the order in which the multiple loaded byte information is arranged within the target code page.
[0048] For example, such as Figure 3 As shown, one code section corresponds to one address number. For example, the address number can be represented by VirtualAddress. Optionally, for each code section, determining at least one target code page to be modified from the multiple code pages included in the code section can include: sorting the multiple code sections in ascending order according to the address numbers corresponding to the code sections, and sequentially determining at least one target code page to be modified from the multiple code pages included in each code section.
[0049] In some embodiments, a preset function can be used to determine at least one target code page (i.e., a private page) to be modified from a plurality of code pages included in each code section.
[0050] It should be noted that after a program file (e.g., A.dll) is loaded into memory, it can be called module A.dll, and its memory address after loading is the module base address of module A.dll. This module base address corresponds to the beginning of the program file A.dll. The address encoding (VirtualAddress) of each code section refers to the offset length of that code section in memory relative to the module base address.
[0051] Assume the program file A.dll includes code section 1, code section 2, and code section 3. The virtual addresses of code section 1, code section 2, and code section 3 are 2000, 1000, and 3000, respectively. The lengths of code section 1, code section 2, and code section 3 are 200 bytes, 100 bytes, and 300 bytes, respectively. If not sorted by virtual address, the processing order of the three code sections would be: code section 1, code section 2, and code section 3. Thus, after searching the relocation table for all relocation entries in code section 1, restoring the relocation entries in code section 1, and performing the comparison task for code section 1, the search position in the relocation table will have deviated. If we then process code section 2, since code section 2 (VirtualAddress=1000) is before code section 1 (VirtualAddress=2000), we need to reset the query position of the relocation table to the beginning of the table before we can find all the relocation items in code section 2. This results in a "backtracking" process, which affects the efficiency of the comparison.
[0052] In this step, since multiple code sections are sorted in ascending order by their corresponding address numbers, and at least one target code page to be modified is determined from the multiple code pages included in each code section, the relocation entries of each code section can be queried sequentially by address number, without having to reset the query position of the relocation table to the beginning of the table, thus improving the efficiency of comparison.
[0053] In this embodiment of the disclosure, since the modified target code pages are identified first, it is only necessary to compare the modified target code pages. Since the number of modified target code pages is usually very small, the amount of data in the obtained target file can be greatly reduced, thereby improving the detection efficiency of program error information in the target application.
[0054] In other embodiments, the target application includes multiple program files, each program file's code information including at least one code section. For example, the program files may be DLL files. In this case, for each program file in the target application, it is necessary to determine the modified target code page from the code sections included in that program file.
[0055] like Figure 4 As shown, the terminal includes multiple parallel detection threads for comparing program files. When there are many program files, a greedy algorithm can be used to prioritize processing larger program files. Accordingly, the code information of the target application is obtained, including: determining the file size parameter of each program file; selecting at least one target program file from the multiple program files in descending order of file size parameter, and obtaining the code information of at least one target program file.
[0056] Optionally, see [link to relevant documentation] Figure 4 It can use multiple parallel detection threads to select program files for detection in descending order of file size.
[0057] The number of at least one target program file is the same as the number of idle detection threads among the multiple detection threads. For example, the target application includes six program files: A.dll, B.dll, C.dll, D.dll, E.dll, and F.dll. The file sizes are 1kb, 2kb, 3kb, 4kb, 5kb, and 6kb, respectively. The file sizes, from largest to smallest, are: F.dll, E.dll, D.dll, C.dll, B.dll, and A.dll. Assume the CPU has four cores, and four detection threads are running in parallel to perform the comparison task.
[0058] The first allocation is as follows: Four detection threads are idle and can select four target program files from multiple program files: F.dll, E.dll, D.dll, and C.dll. Thread t1 processes F.dll, thread t2 processes E.dll, thread t3 processes D.dll, and thread t4 processes C.dll. Assuming the four threads have the same processing efficiency, when thread t4 finishes comparing C.dll first, thread t3 has 1KB remaining, thread t2 has 2KB remaining, and thread t1 has 3KB remaining. At this point, thread t4 is idle. The second allocation: From the remaining program files (i.e., B.dll and A.dll), the largest target program file, B.dll, is selected and assigned to thread t4. At this point, all four threads are working. Therefore, processing the program files sequentially in descending order of file size reduces CPU idle time.
[0059] In this embodiment of the disclosure, by using a greedy algorithm to prioritize the processing of larger program files, the load balance among the detection threads can be ensured, avoiding excessive CPU idle time, thereby improving the detection efficiency of program error information.
[0060] Furthermore, when the code section is large, it can lead to code section allocation failure. This application also proposes dividing the code section into multiple code blocks and detecting each code block separately, thereby reducing the probability of code section allocation failure. Accordingly, determining at least one target code page to be modified from the multiple code pages included in the code section includes: dividing the code section into multiple code blocks, wherein the code block includes multiple code pages; and determining at least one target code page to be modified from the multiple code pages included in the code block.
[0061] For example, such as Figure 3 As shown, this step may include: dividing the code section into multiple code blocks, sorting the code blocks by their addresses in ascending order, and sequentially determining at least one target code page to be modified from the multiple code pages included in the code block.
[0062] It should be noted that in this step, the initial code information of the target application (e.g., process A) can be obtained through the detection process (e.g., detection process B), and the loaded code information of the target application (e.g., process A) can be obtained across processes through the detection process (e.g., detection process B). The process of obtaining the loaded code information involves copying and saving the loaded code information to a corresponding copy, without modifying the loaded code information of the target application.
[0063] S202. Compare the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement.
[0064] In the embodiments disclosed herein, such as Figure 4 As shown, multiple parallel detection threads can be used to compare the initial code information and loaded code information corresponding to each program file, starting from the first byte in the sequential arrangement. Here, because the comparison is performed by multiple parallel detection threads, the comparison efficiency is improved, thereby shortening the time to obtain the preset file.
[0065] Optionally, the target application includes multiple program files, and each program file's code information includes at least one code section, where each code section includes multiple code pages. The initial code information and the loaded code information correspond to the same target code page. During the loading of the code information, a large amount of normally modified code information exists. This application can recover this normally modified code information first by using relocation information, and then compare it.
[0066] Accordingly, this step may include the following sub-steps (a) to (c):
[0067] (a) For each target code page, obtain the relocation information corresponding to the target code page.
[0068] Optionally, each program file corresponds to a relocation table, which includes relocation information corresponding to multiple code page identifiers. Accordingly, for each target code page, obtaining the relocation information corresponding to the target code page includes: for each target code page, based on the code page identifier corresponding to the target code page, obtaining the relocation information corresponding to the target code page from the relocation information corresponding to each of the multiple code page identifiers. Here, the code page identifier can be a code page address. One code page corresponds to one code page address.
[0069] In some embodiments, the relocation information may be a relocation table, which stores the relocation pages corresponding to each of the multiple code pages. For example, the relocation table consists of multiple 4kb relocation pages arranged sequentially.
[0070] Table 1 Relocation Table
[0071]
[0072] As shown in Table 1, the relocation information for each relocation page includes: VirtualAddress (code page address), relocation page size, relocation item (e.g., 0011), and the page offset of the relocation item (e.g., 011101110111). The 0000 000000000000 at the end is used for alignment.
[0073] (b) Based on the relocation information, restore the loaded code information corresponding to the target code page to the loaded code information before relocation, wherein the loaded code information before relocation includes multiple loaded bytes information arranged in order before relocation.
[0074] Optionally, the relocation information includes multiple relocation items and the page offset corresponding to each relocation item. Accordingly, this step is as follows: for each relocation item, based on the page offset corresponding to that relocation item, the loaded code information corresponding to that relocation item is restored to the loaded code information before relocation, resulting in multiple sequentially arranged loaded byte information before relocation. The sequential arrangement can be based on the code page address from smallest to largest. For example, such as... Figure 3 As shown, this step is to restore all relocation items in this code section.
[0075] It's important to note that if a relocation entry (4 bytes long) spans exactly two code pages—that is, the left side of the relocation entry (e.g., the first byte) falls on page A, and the right side (e.g., bytes 2-4) falls on page B—then both page A and page B will contain some incomplete relocation entries. In this boundary case, all complete relocation entries and incomplete ones need to be restored together.
[0076] (c) Compare the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information before relocation, starting from the first byte information in the sequential arrangement.
[0077] In this embodiment of the disclosure, after restoring all relocation items in the modified target code page to the corresponding content in the original program file, and then comparing them with the code page in the original program file, the relocation items are normal modification items that are identical to the original program file after restoration. This reduces inconsistent byte information, lowers the data volume of the preset file (e.g., minidmp), and facilitates the rapid detection of program error information in the target application through the preset file.
[0078] S203. If the initial byte information is consistent with the loaded byte information, then continue to compare the next byte information of the loaded byte information. If the initial byte information is inconsistent with the loaded byte information, then determine the loaded byte information and the preset number of loaded byte information after the loaded byte information.
[0079] For example, such as Figure 3 As shown, for the modified target code page (i.e., the private page), the code block corresponding to the target code page is compared byte by byte to find the difference information.
[0080] Optionally, the program error information includes inline hooks, and the preset number can be determined by the number of bytes in the inline hooks. Accordingly, before determining the loaded byte information and the preset number of loaded byte information following the loaded byte information, the process further includes: obtaining the first byte number corresponding to the multiple byte information included in the inline hooks; determining that the second byte number corresponding to the loaded byte information and the preset number of loaded byte information following the loaded byte information is the same as the first byte number; wherein the numerical range of the first byte number is: greater than or equal to 3 and less than or equal to 6.
[0081] For example, an inline hook consists of 5 bytes. The loaded byte information, plus a preset number of loaded bytes following it, also consists of 5 bytes. For example, for each modified code location, the entire 5 bytes starting at the modification's address are saved to a preset file.
[0082] For example, an inline hook can be a 5-byte `jmp` instruction. It's important to note that if only the differing bytes are saved, it might be impossible to determine which third-party module the inline hook jumps to. For instance, the first 5 bytes are normally `8bff558bec`. If these 5 bytes are changed to `e9ff568ced`, and only the bytes `e9`, `56`, `8c`, and `ed` are saved (as shown in the image), the debugger will display `e9? ? 568ced`, making it impossible to determine which third-party module the code jumped to. Therefore, all 5 bytes must be saved.
[0083] In this embodiment of the disclosure, since the number of bytes in the inline hook is used to determine the preset number of loaded bytes, it is easy to determine which third-party module the inline hook jumps to, and then the program error information in the target application can be completely eliminated by modifying the third-party module.
[0084] S204. Add the loaded byte information and a preset number of loaded byte information after the loaded byte information to the preset file, and continue to compare the next byte information after the preset number of loaded byte information.
[0085] Optionally, the loaded byte information and the preset number of loaded bytes following it are described in 5-byte segments. Accordingly, this step specifically includes: for each code section, searching for differences starting from the beginning. After finding each difference, the first 5 bytes of content at that difference address are saved to a preset file, and then the next difference is searched from those 5 bytes. The preset file can be a minidmp file.
[0086] For example, starting from the beginning, if a difference is found in the 3rd byte, the 3rd, 4th, 5th, 6th, and 7th bytes are saved to a preset file. Then, the comparison continues from the 8th byte. If a difference is found in the 21st byte, the 21st, 22nd, 23rd, 24th, and 25th bytes are saved to the preset file. Then, the next difference is found from the 26th byte. This process is repeated until the comparison between multiple sequentially arranged initial byte information and multiple sequentially arranged loaded byte information is completed.
[0087] S205, In response to the end of the comparison between multiple sequentially arranged initial byte information and multiple sequentially arranged loaded byte information, program error information in the target application is detected through a preset file.
[0088] In this embodiment of the disclosure, the preset file stores loaded code information of a fixed length (e.g., 5 bytes) that differs from the initial code information. Accordingly, this step is: traversing the fixed-length loaded code information in the preset file, and detecting program error information in the target application using the fixed-length loaded code information.
[0089] This disclosure provides an application detection method, comprising: acquiring initial code information corresponding to a target application to be detected, wherein the initial code information includes multiple sequentially arranged initial byte information; and acquiring loaded code information corresponding to the target application, wherein the loaded code information includes multiple sequentially arranged loaded byte information; comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement; if the initial byte information and the loaded byte information are consistent, then continuing to compare the next byte information; if the initial byte information and the loaded byte information are inconsistent, then determining the loaded byte information and a preset number of loaded byte information following the loaded byte information; adding the loaded byte information and the preset number of loaded byte information following the loaded byte information to a preset file, and continuing to compare the next byte information of the preset number of loaded byte information; in response to the end of the comparison between the multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information, detecting program error information in the target application through the preset file. In this case, by comparing the initial code information and the loaded code information corresponding to the target application, a fixed-length (e.g., 5 bytes) of inconsistent loaded code information is added to a preset file (e.g., a minidmp file). The preset file stores the loaded code information that differs from the initial code information. Since the amount of data in the differing loaded code information is small, it is convenient to quickly detect program error information in the target application, thus improving the application's fault detection efficiency.
[0090] It should be noted that, in order to further improve the efficiency of detecting program error information in the target application, the initial code information corresponding to the application can be loaded into the file cache in advance when the application is in an idle state.
[0091] Accordingly, before obtaining the initial code information corresponding to the target application to be detected, the method further includes: in response to the application being in an idle state, loading the initial code information corresponding to the application into a file cache, wherein the file cache includes the initial code information corresponding to each of multiple program identifiers; accordingly, obtaining the initial code information corresponding to the target application includes: in response to any application malfunctioning, determining the application as the target application to be detected, and obtaining the initial code information corresponding to the target application from the file cache according to the program identifier corresponding to the target application.
[0092] In this embodiment of the disclosure, since the initial code information corresponding to the application is loaded into the file cache in advance, the initial code information corresponding to the target application can be obtained quickly, which further improves the efficiency of detecting program error information in the target application.
[0093] Figure 5 This is a structural block diagram of an application detection device provided in an embodiment of this disclosure. See also... Figure 5 The device includes: an acquisition module 501, a comparison module 502, a determination module 503, an addition module 504, and a detection module 505;
[0094] The acquisition module 501 is used to acquire initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order, and to acquire loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0095] The comparison module 502 is used to compare the plurality of sequentially arranged initial byte information with the plurality of sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement;
[0096] The determining module 503 is used to, if the initial byte information is consistent with the loaded byte information, continue to compare the next byte information of the loaded byte information; if the initial byte information is inconsistent with the loaded byte information, determine the loaded byte information and a preset number of loaded byte information after the loaded byte information.
[0097] Add module 504, used to add the loaded byte information and a preset number of loaded byte information after the loaded byte information to a preset file, and continue to compare the next byte information after the preset number of loaded byte information;
[0098] The detection module 505 is used to detect program error information in the target application through the preset file in response to the end of the comparison between the plurality of sequentially arranged initial byte information and the plurality of sequentially arranged loaded byte information.
[0099] According to one or more embodiments of this disclosure, the acquisition module 501 acquires initial code information corresponding to a target application to be detected, and acquires loaded code information corresponding to the target application, comprising: acquiring code information of the target application, wherein the code information includes at least one code section; for each code section, determining at least one target code page to be modified from a plurality of code pages included in the code section; for each target code page, acquiring initial code information corresponding to the target code page, and acquiring loaded code information corresponding to the target code page; wherein the initial code information and the loaded code information are code information corresponding to the same target code page.
[0100] According to one or more embodiments of this disclosure, the target application includes multiple program files; correspondingly, the acquisition module 501 acquires the code information of the target application, including: determining the file size parameter of each program file; sequentially selecting at least one target program file from the multiple program files in descending order of the file size parameter, and acquiring the code information of the at least one target program file.
[0101] According to one or more embodiments of this disclosure, the acquisition module 501 determines at least one target code page to be modified from a plurality of code pages included in the code section, comprising: dividing the code section into a plurality of code blocks, wherein the code block includes a plurality of code pages; and determining at least one target code page to be modified from the plurality of code pages included in the code block.
[0102] According to one or more embodiments of this disclosure, the target application includes multiple program files, each program file's code information includes at least one code section, wherein the code section includes multiple code pages, and the initial code information and the loaded code information are code information corresponding to the same target code page; correspondingly, the comparison module 502 compares the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement, including: for each target code page, obtaining relocation information corresponding to the target code page; according to the relocation information, restoring the loaded code information corresponding to the target code page to the loaded code information before relocation, wherein the loaded code information before relocation includes multiple sequentially arranged loaded byte information before relocation; comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information before relocation, starting from the first byte information in the sequential arrangement.
[0103] According to one or more embodiments of this disclosure, one program file corresponds to one relocation table, the relocation table including relocation information corresponding to each of multiple code page identifiers; accordingly, the comparison module 502, for each target code page, obtains the relocation information corresponding to the target code page, including: for each target code page, according to the code page identifier corresponding to the target code page, obtaining the relocation information corresponding to the target code page from the relocation information corresponding to each of the multiple code page identifiers.
[0104] According to one or more embodiments of this disclosure, the apparatus further includes: a loading module, configured to load code information corresponding to the application into a file cache in response to the application being in an idle state, wherein the file cache includes initial code information corresponding to a plurality of program identifiers respectively; correspondingly, the acquisition module 501 acquires the initial code information corresponding to the target application to be detected, including: in response to any application malfunctioning, determining the application as the target application to be detected, and acquiring the initial code information corresponding to the target application from the file cache according to the program identifier corresponding to the target application.
[0105] According to one or more embodiments of this disclosure, the program error information includes an inline hook; the determining module 503 is further configured to obtain the number of first bytes corresponding to the multiple byte information included in the inline hook; determine that the number of second bytes corresponding to the loaded byte information and a preset number of loaded byte information after the loaded byte information is the same as the number of first bytes; wherein, the numerical range of the number of first bytes is: greater than or equal to 3 and less than or equal to 6.
[0106] The acquisition module 501, comparison module 502, determination module 503, addition module 504, and detection module 505 are connected sequentially. The application detection device provided in this embodiment can execute the technical solution of the above method embodiment, and its implementation principle and technical effects are similar; therefore, they will not be described again here.
[0107] Figure 6 This is a schematic diagram of the hardware structure of an electronic device provided in an embodiment of this disclosure. (Reference) Figure 6 The electronic device 600 can be a terminal device or a server. The terminal device can include, but is not limited to, mobile terminals such as mobile phones, laptops, digital radio receivers, personal digital assistants (PDAs), portable Android devices (PADs), portable media players (PMPs), and in-vehicle terminals (such as in-vehicle navigation terminals), as well as fixed terminals such as digital TVs and desktop computers. Figure 6 The electronic device shown is merely an example and should not be construed as limiting the functionality and scope of the embodiments disclosed herein.
[0108] like Figure 6 As shown, electronic device 600 may include a processing unit (e.g., a central processing unit, a graphics processing unit, etc.) 601, which can perform various appropriate actions and processes according to a program stored in read-only memory (ROM) 602 or a program loaded from storage device 608 into random access memory (RAM) 603. RAM 603 also stores various programs and data required for the operation of electronic device 600. The processing unit 601, ROM 602, and RAM 603 are interconnected via bus 604. Input / output (I / O) interface 605 is also connected to bus 604.
[0109] Typically, the following devices can be connected to I / O interface 605: input devices 606 including, for example, touchscreens, touchpads, keyboards, mice, cameras, microphones, accelerometers, gyroscopes, etc.; output devices 607 including, for example, liquid crystal displays (LCDs), speakers, vibrators, etc.; storage devices 608 including, for example, magnetic tapes, hard disks, etc.; and communication devices 609. Communication device 609 allows electronic device 600 to communicate wirelessly or wiredly with other devices to exchange data. Although Figure 6An electronic device 600 with various devices is shown; however, it should be understood that it is not required to implement or possess all of the devices shown. More or fewer devices may be implemented or possessed alternatively.
[0110] In particular, according to embodiments of this disclosure, the processes described above with reference to the flowcharts can be implemented as computer software programs. For example, embodiments of this disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the methods shown in the flowcharts. In such embodiments, the computer program can be downloaded and installed from a network via a communication device 609, or installed from a storage device 608, or installed from a ROM 602. When the computer program is executed by the processing device 601, it performs the functions defined in the methods of embodiments of this disclosure.
[0111] It should be noted that the computer-readable medium described in this disclosure can be a computer-readable signal medium or a computer-readable storage medium, or any combination thereof. A computer-readable storage medium can be, for example,—but not limited to—an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of a computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination thereof. In this disclosure, a computer-readable storage medium can be any tangible medium containing or storing a program that can be used by or in connection with an instruction execution system, apparatus, or device. In this disclosure, a computer-readable signal medium can include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such propagated data signals can take various forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination thereof. A computer-readable signal medium can be any computer-readable medium other than a computer-readable storage medium, which can send, propagate, or transmit a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the computer-readable medium can be transmitted using any suitable medium, including but not limited to: wires, optical fibers, RF (radio frequency), etc., or any suitable combination thereof.
[0112] The aforementioned computer-readable medium may be included in the aforementioned electronic device; or it may exist independently and not assembled into the electronic device.
[0113] The aforementioned computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to perform the methods shown in the above embodiments.
[0114] Computer program code for performing the operations of this disclosure can be written in one or more programming languages or a combination thereof, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" language or similar programming languages. The program code can be executed entirely on the user's computer, partially on the user's computer, as a standalone software package, partially on the user's computer and partially on a remote computer, or entirely on a remote computer or server. In cases involving remote computers, the remote computer can be connected to the user's computer via any type of network—including a Local Area Network (LAN) or a Wide Area Network (WAN)—or can be connected to an external computer (e.g., via the Internet using an Internet service provider).
[0115] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and / or flowcharts, and combinations of blocks in the block diagrams and / or flowcharts, can be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.
[0116] The units described in the embodiments of this disclosure can be implemented in software or in hardware. The name of a unit does not necessarily limit the unit itself; for example, the first acquisition unit can also be described as "a unit that acquires at least two Internet Protocol addresses".
[0117] The functions described above in this document can be performed, at least in part, by one or more hardware logic components. For example, exemplary types of hardware logic components that can be used, without limitation, include: Field Programmable Gate Arrays (FPGAs), Application-Specific Integrated Circuits (ASICs), Application Standard Products (ASSPs), System-on-Chip (SoCs), Complex Programmable Logic Devices (CPLDs), and so on.
[0118] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.
[0119] In a first aspect, according to one or more embodiments of this disclosure, an application detection method is provided, comprising:
[0120] The method includes obtaining initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order; and obtaining loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0121] The multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information are compared one by one, starting from the first byte information in the sequential arrangement;
[0122] If the initial byte information is consistent with the loaded byte information, then the next byte information of the loaded byte information is compared. If the initial byte information is inconsistent with the loaded byte information, then the loaded byte information and a preset number of loaded byte information after the loaded byte information are determined.
[0123] The loaded byte information and a preset number of loaded byte information following the loaded byte information are added to a preset file, and the next byte information following the preset number of loaded byte information is then compared.
[0124] In response to the completion of the comparison between the ordered initial byte information and the ordered loaded byte information, program error information in the target application is detected through the preset file.
[0125] According to one or more embodiments of this disclosure, obtaining initial code information corresponding to a target application to be detected, and obtaining loaded code information corresponding to the target application, includes: obtaining code information of the target application, wherein the code information includes at least one code section; for each code section, determining at least one modified target code page from a plurality of code pages included in the code section; for each target code page, obtaining initial code information corresponding to the target code page, and obtaining loaded code information corresponding to the target code page; wherein the initial code information and the loaded code information are code information corresponding to the same target code page.
[0126] According to one or more embodiments of this disclosure, the target application includes multiple program files; correspondingly, obtaining the code information of the target application includes: determining a file size parameter for each program file; sequentially selecting at least one target program file from the multiple program files in descending order of the file size parameter, and obtaining the code information of the at least one target program file.
[0127] According to one or more embodiments of this disclosure, determining at least one target code page to be modified from a plurality of code pages included in the code section includes: dividing the code section into a plurality of code blocks, wherein the code block includes a plurality of code pages; and determining at least one target code page to be modified from the plurality of code pages included in the code block.
[0128] According to one or more embodiments of this disclosure, the target application includes multiple program files, each program file's code information includes at least one code section, wherein the code section includes multiple code pages, and the initial code information and the loaded code information are code information corresponding to the same target code page; correspondingly, the step of comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one starting from the first byte information in the sequential arrangement includes: for each target code page, obtaining relocation information corresponding to the target code page; according to the relocation information, restoring the loaded code information corresponding to the target code page to the loaded code information before relocation, wherein the loaded code information before relocation includes multiple sequentially arranged loaded byte information before relocation; comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information before relocation one by one starting from the first byte information in the sequential arrangement.
[0129] According to one or more embodiments of this disclosure, one program file corresponds to one relocation table, the relocation table including relocation information corresponding to each of a plurality of code page identifiers; accordingly, obtaining the relocation information corresponding to each target code page includes: for each target code page, obtaining the relocation information corresponding to the target code page from the relocation information corresponding to each of the plurality of code page identifiers, based on the code page identifier corresponding to the target code page.
[0130] According to one or more embodiments of this disclosure, before obtaining the initial code information corresponding to the target application to be detected, the method further includes: in response to the application being in an idle state, loading the code information corresponding to the application into a file cache, wherein the file cache includes initial code information corresponding to multiple program identifiers respectively; correspondingly, obtaining the initial code information corresponding to the target application to be detected includes: in response to any application malfunctioning, determining the application as the target application to be detected, and obtaining the initial code information corresponding to the target application from the file cache according to the program identifier corresponding to the target application.
[0131] According to one or more embodiments of this disclosure, the program error information includes an inline hook; before determining the loaded byte information and a preset number of loaded byte information following the loaded byte information, the method further includes: obtaining a first byte count corresponding to the plurality of byte information included in the inline hook; determining that a second byte count corresponding to the loaded byte information and the preset number of loaded byte information following the loaded byte information is the same as the first byte count; wherein the numerical range of the first byte count is: greater than or equal to 3 and less than or equal to 6.
[0132] Secondly, according to one or more embodiments of this disclosure, an application detection device is provided, comprising:
[0133] The acquisition module is used to acquire initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order, and to acquire loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order.
[0134] The comparison module is used to compare the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement;
[0135] The determination module is used to, if the initial byte information is consistent with the loaded byte information, continue to compare the next byte information of the loaded byte information; if the initial byte information is inconsistent with the loaded byte information, determine the loaded byte information and a preset number of loaded byte information after the loaded byte information.
[0136] An add module is used to add the loaded byte information and a preset number of loaded byte information after the loaded byte information to a preset file, and continue to compare the next byte information after the preset number of loaded byte information;
[0137] The detection module is used to detect program error information in the target application through the preset file after the comparison between the plurality of sequentially arranged initial byte information and the plurality of sequentially arranged loaded byte information ends.
[0138] According to one or more embodiments of this disclosure, the acquisition module acquires initial code information corresponding to a target application to be detected, and acquires loaded code information corresponding to the target application, comprising: acquiring code information of the target application, wherein the code information includes at least one code section; for each code section, determining at least one modified target code page from a plurality of code pages included in the code section; for each target code page, acquiring initial code information corresponding to the target code page, and acquiring loaded code information corresponding to the target code page; wherein the initial code information and the loaded code information are code information corresponding to the same target code page.
[0139] According to one or more embodiments of this disclosure, the target application includes multiple program files; correspondingly, the acquisition module acquires the code information of the target application, including: determining the file size parameter of each program file; sequentially selecting at least one target program file from the multiple program files in descending order of the file size parameter, and acquiring the code information of the at least one target program file.
[0140] According to one or more embodiments of this disclosure, the acquisition module determines at least one target code page to be modified from a plurality of code pages included in the code section, comprising: dividing the code section into a plurality of code blocks, wherein the code block includes a plurality of code pages; and determining at least one target code page to be modified from the plurality of code pages included in the code block.
[0141] According to one or more embodiments of this disclosure, the target application includes multiple program files, each program file's code information includes at least one code section, wherein the code section includes multiple code pages, and the initial code information and the loaded code information are code information corresponding to the same target code page; correspondingly, the comparison module compares the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information one by one, starting from the first byte information in the sequential arrangement, including: for each target code page, obtaining relocation information corresponding to the target code page; according to the relocation information, restoring the loaded code information corresponding to the target code page to the loaded code information before relocation, wherein the loaded code information before relocation includes multiple sequentially arranged loaded byte information before relocation; comparing the multiple sequentially arranged initial byte information with the multiple sequentially arranged loaded byte information before relocation, starting from the first byte information in the sequential arrangement.
[0142] According to one or more embodiments of this disclosure, one program file corresponds to one relocation table, the relocation table including relocation information corresponding to each of multiple code page identifiers; correspondingly, the comparison module, for each target code page, obtains the relocation information corresponding to the target code page, including: for each target code page, obtaining the relocation information corresponding to the target code page from the relocation information corresponding to each of the multiple code page identifiers, based on the code page identifier corresponding to the target code page.
[0143] According to one or more embodiments of this disclosure, the apparatus further includes: a loading module, configured to load code information corresponding to the application into a file cache in response to the application being in an idle state, wherein the file cache includes initial code information corresponding to a plurality of program identifiers respectively; correspondingly, the acquisition module acquires the initial code information corresponding to the target application to be detected, including: in response to any application malfunctioning, determining the application as the target application to be detected, and acquiring the initial code information corresponding to the target application from the file cache according to the program identifier corresponding to the target application.
[0144] According to one or more embodiments of this disclosure, the program error information includes an inline hook; the determining module is further configured to obtain the number of first bytes corresponding to the multiple byte information included in the inline hook; determine that the number of second bytes corresponding to the loaded byte information and a preset number of loaded byte information after the loaded byte information is the same as the number of first bytes; wherein the numerical range of the number of first bytes is: greater than or equal to 3 and less than or equal to 6.
[0145] Thirdly, according to one or more embodiments of the present disclosure, an electronic device is provided, including: a processor, and a memory communicatively connected to the processor;
[0146] The memory stores computer-executed instructions;
[0147] The processor executes computer execution instructions stored in the memory to implement the application detection method described in the first aspect and various possible designs of the first aspect.
[0148] Fourthly, according to one or more embodiments of the present disclosure, a computer-readable storage medium is provided, wherein computer-executable instructions are stored therein, and when a processor executes the computer-executable instructions, the application detection method described in the first aspect and various possible designs of the first aspect is implemented.
[0149] Fifthly, embodiments of this disclosure provide a computer program product, including a computer program that, when executed by a processor, implements the application detection method described in the first aspect and various possible designs of the first aspect.
[0150] The above description is merely a preferred embodiment of this disclosure and an explanation of the technical principles employed. Those skilled in the art should understand that the scope of this disclosure is not limited to technical solutions formed by specific combinations of the above-described technical features, but should also cover other technical solutions formed by arbitrary combinations of the above-described technical features or their equivalents without departing from the above-described concept. For example, technical solutions formed by substituting the above features with (but not limited to) technical features disclosed in this disclosure that have similar functions.
[0151] Furthermore, while the operations are described in a specific order, this should not be construed as requiring these operations to be performed in the specific order shown or in a sequential order. In certain environments, multitasking and parallel processing may be advantageous. Similarly, while several specific implementation details are included in the above discussion, these should not be construed as limiting the scope of this disclosure. Certain features described in the context of individual embodiments may also be implemented in combination in a single embodiment. Conversely, various features described in the context of a single embodiment may also be implemented individually or in any suitable sub-combination in multiple embodiments.
[0152] Although the subject matter has been described using language specific to structural features and / or methodological logic, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or actions described above. Rather, the specific features and actions described above are merely illustrative examples of implementing the claims.
Claims
1. An application detection method, characterized in that, include: The method includes obtaining initial code information corresponding to the target application to be detected, wherein the initial code information includes multiple initial byte information arranged in order; and obtaining loaded code information corresponding to the target application, wherein the loaded code information includes multiple loaded byte information arranged in order. The multiple sequentially arranged initial byte information and the multiple sequentially arranged loaded byte information are compared one by one, starting from the first byte information in the sequential arrangement; If the initial byte information is consistent with the loaded byte information, then the next byte information of the loaded byte information is compared. If the initial byte information is inconsistent with the loaded byte information, then the loaded byte information and a preset number of loaded byte information after the loaded byte information are determined. The loaded byte information and a preset number of loaded byte information following the loaded byte information are added to a preset file, and the next byte information following the preset number of loaded byte information is then compared. In response to the completion of the comparison between the ordered initial byte information and the ordered loaded byte information, program error information in the target application is detected through the preset file.
2. The method according to claim 1, characterized in that, This includes obtaining the initial code information corresponding to the target application to be detected, and obtaining the loaded code information corresponding to the target application, including: Obtain the code information of the target application, wherein the code information includes at least one code section; For each code section, at least one target code page to be modified is determined from the plurality of code pages included in the code section; For each target code page, obtain the initial code information corresponding to the target code page, and obtain the loaded code information corresponding to the target code page; wherein the initial code information and the loaded code information are the code information corresponding to the same target code page.
3. The method according to claim 2, characterized in that, The target application includes multiple program files; Accordingly, obtaining the code information of the target application includes: Determine the file size parameter for each program file; In descending order of file size, select at least one target program file from the plurality of program files and obtain the code information of the at least one target program file.
4. The method according to claim 2, characterized in that, Determining at least one target code page to be modified from a plurality of code pages included in the code section includes: The code section is divided into multiple code blocks, wherein each code block includes multiple code pages; Identify at least one target code page that has been modified from among the multiple code pages included in the code block.
5. The method according to claim 1 or 2, characterized in that, The target application includes multiple program files, and the code information of each program file includes at least one code section, wherein the code section includes multiple code pages, and the initial code information and the loaded code information are code information corresponding to the same target code page; Accordingly, the step of comparing the plurality of sequentially arranged initial byte information with the plurality of sequentially arranged loaded byte information, starting from the first byte information in the sequential arrangement, includes: For each target code page, obtain the relocation information corresponding to the target code page; Based on the relocation information, the loaded code information corresponding to the target code page is restored to the loaded code information before relocation, wherein the loaded code information before relocation includes multiple loaded byte information arranged in order before relocation; The multiple sequentially arranged initial byte information is compared one by one with the multiple sequentially arranged loaded byte information before relocation, starting from the first byte information in the sequential arrangement.
6. The method according to claim 5, characterized in that, One program file corresponds to one relocation table, and the relocation table includes multiple code page identifiers, each with its own corresponding relocation information; Accordingly, obtaining the relocation information corresponding to each target code page includes: For each target code page, based on the code page identifier corresponding to the target code page, the relocation information corresponding to the target code page is obtained from the relocation information corresponding to each of the plurality of code page identifiers.
7. The method according to claim 1, characterized in that, Before obtaining the initial code information corresponding to the target application to be detected, the method further includes: In response to the application being in an idle state, the code information corresponding to the application is loaded into a file cache, wherein the file cache includes initial code information corresponding to multiple program identifiers; Accordingly, obtaining the initial code information corresponding to the target application to be detected includes: In response to a failure in any application, the application is identified as the target application to be detected, and the initial code information corresponding to the target application is obtained from the file cache based on the program identifier corresponding to the target application.
8. The method according to claim 1, characterized in that, The program error messages include inline hooks; Accordingly, before determining the loaded byte information and the preset number of loaded bytes information following the loaded byte information, the method further includes: Obtain the number of first bytes corresponding to the multiple bytes of information included in the inline hook; The number of second bytes corresponding to the loaded byte information and the preset number of loaded byte information after the loaded byte information are determined to be the same as the number of first bytes; The numerical range of the first byte is: greater than or equal to 3 and less than or equal to 6.
9. An electronic device, characterized in that, include: A processor, and a memory communicatively connected to the processor; The memory stores computer-executed instructions; The processor executes computer execution instructions stored in the memory to implement the application detection method as described in any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores computer-executable instructions, which, when executed by a processor, implement the application detection method as described in any one of claims 1 to 7.